Sagerunex
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sagerunex communicates via HTTPS, at times using a hard-coded User-Agent of `Mozilla/5.0 (compatible; MSIE 7.0; Win32)`.(Citation: Symantec Bilbug 2022) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Sagerunex has archived collected material in RAR format.(Citation: Cisco LotusBlossom 2025) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Sagerunex gathers host information and stages it locally as a RAR file prior to exfiltration.(Citation: Cisco LotusBlossom 2025) Sagerunex stores logged data in an encrypted file located at `%TEMP%/TS_FB56.tmp` during execution.(Citation: Symantec Bilbug 2022) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Sagerunex uses HTTPS for command and control communication.(Citation: Symantec Bilbug 2022) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Sagerunex has used VMProtect to pack and obscure itself.(Citation: Cisco LotusBlossom 2025) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime.(Citation: Symantec Bilbug 2022) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Sagerunex is designed to be injected as a dynamic-link library (DLL) into a process on the infected endpoint and executed directly in memory.(Citation: Cisco LotusBlossom 2025) |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Sagerunex has used virtual private servers (VPS) for command and control traffic, and more recent variants have also used third-party cloud services.(Citation: Cisco LotusBlossom 2025) |
| Enterprise | T1102.003 | Web Service: One-Way Communication | Sagerunex has used web services such as Twitter for command and control purposes.(Citation: Cisco LotusBlossom 2025) |
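The hard-coded User-Agent in the T1071.001 row is the one network observable this page gives, so the following is a small detection pass over proxy logs built around it. This is an added example written for this page; it is not code from ATT&CK, Cisco Talos or Symantec. The log layout (timestamp, client IP, method, URL, status, quoted User-Agent) and the sample lines are constructed for the example, and the assessment that a bare `Win32` platform token without a `Windows NT` version is atypical for genuine IE 7 traffic is the editor's, not a claim from the cited reports.

```python
"""Added example: flag web-proxy log lines whose User-Agent exactly matches
the hard-coded Sagerunex string reported by Symantec. Not part of the
original page; the log format and sample lines below are constructed."""
import re
from dataclasses import dataclass

# Hard-coded User-Agent reported in the Symantec Billbug write-up.
SAGERUNEX_UA = "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"

# Constructed sample lines (assumed layout: timestamp client_ip method url
# status "user-agent"). Not real telemetry. Line 3 is a legitimate-looking
# IE 7 compatibility-mode string, included to show why exact matching matters.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.1.2.3 GET https://update.example.com/check 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2025-03-01T10:00:07Z 10.1.2.44 POST https://203.0.113.10/api/upload 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
2025-03-01T10:00:09Z 10.1.2.3 GET https://intranet.example.com/ 200 "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
2025-03-01T10:01:13Z 10.1.2.44 POST https://203.0.113.10/api/upload 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
"""

# One regex for the assumed line layout; the UA is the final quoted field.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    url: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not
    match the assumed layout (malformed lines are skipped, not raised on)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_sagerunex_ua(log_text):
    """Return a Hit for every line whose User-Agent equals the Sagerunex
    string byte-for-byte. Exact comparison is deliberate: 'MSIE 7.0' shows up
    in many legitimate legacy UAs (compat mode, Trident tokens), so a
    substring match would be noisy; the bare 'Win32' platform token with no
    'Windows NT' version is what makes this particular string distinctive."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["ua"] == SAGERUNEX_UA:
            hits.append(Hit(rec["ts"], rec["src"], rec["url"]))
    return hits


def summarize_by_source(hits):
    """Count hits per client IP so a repeatedly beaconing host stands out
    from a single stray request."""
    counts = {}
    for h in hits:
        counts[h.src] = counts.get(h.src, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_sagerunex_ua(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.url}")
    print(summarize_by_source(found))
```

Two caveats when using this in practice: Symantec reports the string is used "at times", so a host that never presents it is not cleared by this check, and the match is only a lead; the T1074.001 staging file `%TEMP%/TS_FB56.tmp` and the RAR staging behaviour on the same host are the corroborating artifacts to look for next.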
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0030 | Lotus Blossom | (Citation: Cisco LotusBlossom 2025) (Citation: Symantec Bilbug 2022) |
References
- Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
- Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.