The China-linked cyber espionage group tracked as Lotus Panda has
been attributed to a campaign that compromised multiple organizations in
an unnamed Southeast Asian country between August 2024 and February
2025.
“Targets included a government ministry, an air traffic control
organization, a telecoms operator, and a construction company,” the
Symantec Threat Hunter Team said
in a new report shared with The Hacker News. “The attacks involved the
use of multiple new custom tools, including loaders, credential
stealers, and a reverse SSH tool.”
The intrusion set is also said to have targeted a news agency located
in another country in Southeast Asia and an air freight organization
located in another neighboring country.
The threat cluster, per Broadcom’s cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023.
Then last month, Cisco Talos connected
the Lotus Panda actor to intrusions aimed at government, manufacturing,
telecommunications, and media sectors in the Philippines, Vietnam, Hong
Kong, and Taiwan with a backdoor known as Sagerunex.
Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon,
and Thrip) has a history of orchestrating cyber attacks against
governments and military organizations in Southeast Asia.
Believed to be active since at least 2009, the group came under the
spotlight for the first time in June 2015 when Palo Alto Networks attributed the threat actor to a persistent spear-phishing campaign that exploded a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil) that’s designed to execute commands and read/write files.
Subsequent attacks mounted by the group have weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email
to an individual then working for the French Ministry of Foreign
Affairs in Taiwan to deploy another trojan related to Elise codenamed
Emissary.
In the latest wave of attacks spotted by Symantec, the attackers have
leveraged legitimate executables from Trend Micro (“tmdbglog.exe”) and
Bitdefender (“bds.exe”) to sideload malicious DLL files, which act as
loaders to decrypt and launch a next-stage payload embedded within a
locally stored file.
The Bitdefender binary has also been used to sideload another DLL,
although the exact nature of the file is unclear. Another unknown aspect
of the campaign is the initial access vector used to reach the entities
in question.
The attacks paved the way for an updated version of Sagerunex, a tool
exclusively used by Lotus Panda. It comes with capabilities to harvest
target host information, encrypt it, and exfiltrate the details to an
external server under the attacker’s control.
Also deployed in the attacks are a reverse SSH tool, and two
credential stealers ChromeKatz and CredentialKatz that are equipped to
siphon passwords and cookies stored in the Google Chrome web browser.
“The attackers deployed the publicly available Zrok peer-to-peer
tool, using the sharing function of the tool in order to provide remote
access to services that were exposed internally,” Symantec said.
“Another legitimate tool used was called ‘datechanger.exe.’ It is
capable of changing timestamps for files, presumably to muddy the waters
for incident analysts.
REF:https://thehackernews.com/2025/04/lotus-panda-hacks-se-asian-governments.html