A recent cyber-espionage campaign targeting critical sectors in Southeast Asia has been linked to the China-based group Billbug, also known as Lotus Blossom or Bronze Elgin. The attacks, which took place between August 2024 and February 2025, hit a government ministry, an air traffic control authority, a telecoms operator, and a construction company in a single Southeast Asian country. A news agency in a neighboring country and an air freight company in another were also targeted.
What sets this campaign apart is Billbug's use of previously unseen tools, including credential stealers, loaders, and a reverse SSH tool that listens for inbound connections. The campaign appears to be a continuation of activity Symantec reported in late 2024. Attribution of that earlier activity was initially tentative, but a recent Cisco Talos blog linked its indicators of compromise to Billbug operations, strengthening the case that the same group is responsible.
Billbug relied heavily on DLL sideloading, in which legitimate signed executables from reputable vendors such as Trend Micro and Bitdefender were abused to load malicious DLLs placed alongside them. The technique works because Windows resolves a DLL requested by name from the executable's own directory before most other locations, so a malicious DLL dropped next to a copied vendor binary runs inside a process that carries the vendor's signature. For example, a Trend Micro binary was used to load a DLL that decrypted and executed a payload read from a file named TmDebug.log. In another instance, a Bitdefender executable loaded a DLL that injected code into the Windows systray.exe process.
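The pattern described above (a signed vendor executable running from a staging directory and loading a same-directory DLL that does not carry the vendor's signature) is straightforward to hunt for in image-load telemetry. The following is an added example, not code from Symantec, Talos or the vendors named on this page: it scores constructed records shaped like Sysmon Event ID 7 (ImageLoaded) fields. The allow-list of install roots, the file names and the signer strings are placeholders, not indicators from the campaign.

```python
"""Hunt for DLL sideloading in image-load telemetry.

Added example, not code from the Symantec or Talos reports. The records below
are constructed to mimic the fields of Sysmon Event ID 7 (ImageLoaded); they
are not real events from the Billbug campaign, and the vendor and signer
names are placeholders.
"""
import ntpath
from dataclasses import dataclass

# Hypothetical allow-list of directories where vendor software legitimately
# lives; a real deployment would populate it from its software inventory.
TRUSTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)


@dataclass
class ImageLoad:
    process_image: str   # Sysmon Image: the executable that loaded the DLL
    image_loaded: str    # Sysmon ImageLoaded: the DLL that was loaded
    process_signer: str  # Sysmon Signature of the executable ("" if unsigned)
    dll_signer: str      # Sysmon Signature of the DLL ("" if unsigned)


def _norm(path: str) -> str:
    """Case-fold and use backslashes so paths compare reliably."""
    return path.replace("/", "\\").lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed executable, running outside its install root,
    loads a same-directory DLL that is not signed by the executable's signer.
    That is the shape of the Trend Micro / Bitdefender abuse described above."""
    exe_dir = ntpath.dirname(_norm(ev.process_image))
    dll_dir = ntpath.dirname(_norm(ev.image_loaded))
    # Sideloading relies on the DLL search order finding the DLL beside the EXE.
    if exe_dir != dll_dir:
        return False
    # A vendor binary in its normal install directory is not a staged copy.
    if exe_dir.startswith(TRUSTED_ROOTS):
        return False
    # The point of sideloading is to borrow a trusted signature; skip otherwise.
    if not ev.process_signer:
        return False
    # A DLL signed by the same vendor is normal; unsigned or foreign-signed is not.
    return ev.dll_signer.lower() != ev.process_signer.lower()


def hunt(events):
    """Return the process image of every event that looks like a sideload."""
    return [ev.process_image for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (placeholder names, not campaign indicators).
SAMPLE_EVENTS = [
    # Vendor-signed tool copied to a staging directory, loading an unsigned DLL.
    ImageLoad(r"C:\ProgramData\Staging\avtool.exe",
              r"C:\ProgramData\Staging\avcore.dll",
              "ExampleVendor Corp", ""),
    # Same tool in its install directory loading its own signed DLL: benign.
    ImageLoad(r"C:\Program Files\ExampleVendor\avtool.exe",
              r"C:\Program Files\ExampleVendor\avcore.dll",
              "ExampleVendor Corp", "ExampleVendor Corp"),
    # Staged copy loading a Windows DLL from System32: different directory.
    ImageLoad(r"C:\ProgramData\Staging\avtool.exe",
              r"C:\Windows\System32\kernel32.dll",
              "ExampleVendor Corp", "Microsoft Windows"),
    # Unsigned program loading an unsigned DLL: no borrowed trust involved.
    ImageLoad(r"C:\Users\alice\Downloads\game.exe",
              r"C:\Users\alice\Downloads\sdl2.dll",
              "", ""),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

Only the first record is flagged. The allow-list is deliberately narrow: attackers commonly stage copied binaries under ProgramData, Users\Public or Windows\Temp, so trusting all of C:\Windows would hide exactly the cases worth seeing. Expect some benign hits from legitimately portable software and third-party DLLs under System32; those are triage work, not a reason to loosen the check.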
The campaign also used two new credential stealers, ChromeKatz and CredentialKatz, to extract saved logins and cookies from Google Chrome. These were paired with a custom reverse SSH utility that listened for connections on port 22. Billbug also deployed a new variant of its Sagerunex backdoor that persists via registry modifications, the peer-to-peer tunnelling tool Zrok for remote access, and Datechanger.exe, a timestamp-manipulation tool most likely used to hinder forensic analysis.
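A timestamp-manipulation tool like the one described above can only rewrite what user-mode file APIs expose, which on NTFS is the $STANDARD_INFORMATION ($SI) attribute; the $FILE_NAME ($FN) timestamps are maintained by the kernel and are not settable that way. Comparing the two is the standard forensic check for timestomping. The following is an added example, not a tool from the campaign or from the reports it is based on: it applies that comparison, plus a whole-second heuristic, to constructed $MFT-style records rather than a parsed $MFT.

```python
"""Flag possible timestamp manipulation from NTFS $MFT attribute timestamps.

Added example, not a tool from the campaign. It compares $STANDARD_INFORMATION
($SI) timestamps, which a user-mode "date changer" can rewrite through
SetFileTime, against $FILE_NAME ($FN) timestamps, which the kernel maintains
and that API cannot set. The records are constructed, not parsed from a real
$MFT, and the paths are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time
    si_modified: datetime  # $STANDARD_INFORMATION last-modified time
    fn_created: datetime   # $FILE_NAME creation time
    fn_modified: datetime  # $FILE_NAME last-modified time


def timestomp_indicators(rec: MftRecord) -> list:
    """Return the names of the heuristics that fire for one record."""
    hits = []
    # $FN is written when the name is created, so $SI claiming a birth earlier
    # than its own name record is the classic backdated-creation signal.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # NTFS keeps 100 ns ticks; callers that pass whole seconds to SetFileTime
    # leave the fraction empty, which real file activity almost never does.
    # (Python's datetime keeps microseconds, which is enough for this check.)
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("si_whole_second_timestamps")
    return hits


def scan(records):
    """Map path -> indicators for every record that raises at least one."""
    out = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            out[rec.path] = hits
    return out


# Constructed sample records (placeholder paths, not campaign indicators).
SAMPLE_RECORDS = [
    # Ordinary document: $SI and $FN agree on creation, fractions populated.
    MftRecord(r"C:\Users\alice\report.docx",
              datetime(2025, 1, 10, 8, 15, 22, 431200),
              datetime(2025, 1, 11, 17, 40, 3, 902110),
              datetime(2025, 1, 10, 8, 15, 22, 431200),
              datetime(2025, 1, 10, 8, 15, 22, 431200)),
    # Staged DLL backdated to 2019 with whole-second values; $FN still shows
    # the real drop time.
    MftRecord(r"C:\ProgramData\Staging\avcore.dll",
              datetime(2019, 3, 4, 10, 0, 0),
              datetime(2019, 3, 4, 10, 0, 0),
              datetime(2025, 1, 12, 14, 2, 55, 112300),
              datetime(2025, 1, 12, 14, 2, 55, 112300)),
    # Copied file: $SI modified is inherited from the source and predates the
    # copy, which is normal and must not trip the check.
    MftRecord(r"C:\Users\alice\copy.docx",
              datetime(2025, 2, 1, 9, 0, 0, 500000),
              datetime(2025, 1, 11, 17, 40, 3, 902110),
              datetime(2025, 2, 1, 9, 0, 0, 500000),
              datetime(2025, 2, 1, 9, 0, 0, 500000)),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(hits))
```

Only the staged DLL is reported, with both indicators. Treat the output as leads rather than proof: renames and moves within a volume can also leave $SI created earlier than $FN created, and some installers write whole-second timestamps, so confirm against $UsnJrnl or $LogFile entries and the surrounding file activity before drawing conclusions.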
Billbug has been active since at least 2009, focusing on government, defense, and telecom targets across Southeast Asia. The group has employed tactics such as spear-phishing and abuse of digital certificates, and malware families such as Trensil and Infostealer.Catchamas. Over the years it has shown increasing sophistication and persistence, often using legitimate software to mask intrusions and avoid detection.
In conclusion, the Billbug campaign against critical sectors in Southeast Asia shows how the group's tooling continues to evolve, from borrowed vendor signatures and browser credential theft to reverse SSH listeners, peer-to-peer tunnelling and anti-forensic timestamp changes. Organizations in the affected sectors should treat signed vendor binaries running from unusual locations, unexpected SSH listeners and tunnelling tools as hunting leads, and keep strengthening their detection and response capabilities to prevent and mitigate such attacks.