Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Lotus Blossom
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Lotus Blossom
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Lotus Blossom

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)
ID: G0030
Associated Groups: DRAGONFISH, Thrip, RADIUM, Raspberry Typhoon, Spring Dragon, Bilbug
Version: 4.0
Created: 31 May 2017
Last Modified: 23 Apr 2025

Associated Group Descriptions
Name Description
DRAGONFISH (Citation: Accenture Dragonfish Jan 2018)
Thrip (Citation: Cisco LotusBlossom 2025)
RADIUM (Citation: Microsoft Threat Actor Naming July 2023)
Raspberry Typhoon (Citation: Microsoft Threat Actor Naming July 2023)
Spring Dragon (Citation: Spring Dragon Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
Bilbug (Citation: Symantec Bilbug 2022)

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Lotus Blossom has used commands such as `net` to profile local system users.(Citation: Cisco LotusBlossom 2025)
.002 Account Discovery: Domain Account

Lotus Blossom has used `net` commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries.(Citation: Cisco LotusBlossom 2025)(Citation: Symantec Bilbug 2022)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Lotus Blossom has used WinRAR for compressing data in RAR format.(Citation: Cisco LotusBlossom 2025)(Citation: Symantec Bilbug 2022)
.003 Archive Collected Data: Archive via Custom Method

Lotus Blossom has used custom tools to compress and archive data on victim systems.(Citation: Cisco LotusBlossom 2025)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Lotus Blossom has configured tools such as Sagerunex to run as Windows services.(Citation: Cisco LotusBlossom 2025)
Enterprise T1074 .001 Data Staged: Local Data Staging

Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.(Citation: Cisco LotusBlossom 2025)
Enterprise T1588 .002 Obtain Capabilities: Tool

Lotus Blossom has used publicly-available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool.(Citation: Cisco LotusBlossom 2025)
Enterprise T1090 .001 Proxy: Internal Proxy

Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.(Citation: Cisco LotusBlossom 2025)
.003 Proxy: Multi-hop Proxy

Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments.(Citation: Cisco LotusBlossom 2025)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.(Citation: Cisco LotusBlossom 2025)

Software
ID Name References Techniques
S0160 certutil (Citation: Symantec Bilbug 2022) (Citation: TechNet Certutil) Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0082 Emissary (Citation: Emissary Trojan Feb 2016) (Citation: Lotus Blossom Dec 2015) Registry Run Keys / Startup Folder, Encrypted/Encoded File, Dynamic-link Library Injection, Rundll32, System Network Configuration Discovery, Windows Command Shell, System Information Discovery, Symmetric Cryptography, Web Protocols, Ingress Tool Transfer, Group Policy Discovery, Local Groups, System Service Discovery, Binary Padding, Windows Service
S0357 Impacket (Citation: Cisco LotusBlossom 2025) (Citation: Impacket Tools) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, Lateral Tool Transfer, LSA Secrets
S1211 Hannotog (Citation: Symantec Bilbug 2022) Non-Standard Port, Service Stop, Disable or Modify System Firewall, Automated Exfiltration, Windows Service, Windows Command Shell, Ingress Tool Transfer
S0081 Elise (Citation: Accenture Dragonfish Jan 2018) (Citation: BKDR_ESILE) (Citation: Lotus Blossom Jun 2015) (Citation: Page) (Citation: Spring Dragon Jun 2015) Match Legitimate Resource Name or Location, Ingress Tool Transfer, System Information Discovery, Symmetric Cryptography, System Service Discovery, Windows Service, System Network Configuration Discovery, Rundll32, Process Discovery, Encrypted/Encoded File, Timestomp, File and Directory Discovery, Local Data Staging, File Deletion, Web Protocols, Standard Encoding, Local Account, Registry Run Keys / Startup Folder, Dynamic-link Library Injection
S1210 Sagerunex (Citation: Cisco LotusBlossom 2025) (Citation: Symantec Bilbug 2022) Proxy, Exfiltration Over C2 Channel, System Network Configuration Discovery, Web Protocols, Encrypted/Encoded File, Native API, Dynamic-link Library Injection, Process Discovery, Software Packing, One-Way Communication, Deobfuscate/Decode Files or Information, System Information Discovery, Access Token Manipulation, Asymmetric Cryptography, Local Data Staging, Execution Guardrails, Archive via Utility, Bidirectional Communication
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Bilbug 2022) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0097 Ping (Citation: Symantec Bilbug 2022) (Citation: TechNet Ping) Remote System Discovery
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Symantec Bilbug 2022) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account

References

  1. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
  2. Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
  3. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  4. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  5. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  6. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  7. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  8. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.