
Sagerunex

Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants existing since at least 2016. Variations of Sagerunex leverage non-traditional command and control mechanisms such as various web services.(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)
ID: S1210
Type: MALWARE
Platforms: Windows
Created: 15 Mar 2025
Last Modified: 16 Mar 2025

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sagerunex communicates via HTTPS, at times using a hard-coded User Agent of `Mozilla/5.0 (compatible; MSIE 7.0; Win32)`.(Citation: Symantec Bilbug 2022)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Sagerunex has archived collected materials in RAR format.(Citation: Cisco LotusBlossom 2025)

Enterprise T1074 .001 Data Staged: Local Data Staging

Sagerunex gathers host information and stages it locally as a RAR file prior to exfiltration.(Citation: Cisco LotusBlossom 2025) Sagerunex stores logged data in an encrypted file located at `%TEMP%/TS_FB56.tmp` during execution.(Citation: Symantec Bilbug 2022)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Sagerunex uses HTTPS for command and control communication.(Citation: Symantec Bilbug 2022)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Sagerunex has used VMProtect to pack and obscure itself.(Citation: Cisco LotusBlossom 2025)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime.(Citation: Symantec Bilbug 2022)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Sagerunex is designed to be injected into a process on the infected endpoint as a dynamic-link library (DLL) and executed directly in memory.(Citation: Cisco LotusBlossom 2025)

Enterprise T1102 .002 Web Service: Bidirectional Communication

Sagerunex has used virtual private servers (VPS) for command and control traffic as well as third-party cloud services in more recent variants.(Citation: Cisco LotusBlossom 2025)

Enterprise T1102 .003 Web Service: One-Way Communication

Sagerunex has used web services such as Twitter for command and control purposes.(Citation: Cisco LotusBlossom 2025)

Groups That Use This Software

ID Name References
G0030 Lotus Blossom (Citation: Cisco LotusBlossom 2025) (Citation: Symantec Bilbug 2022)
