The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025.
"Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool."
The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country.
The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that the company disclosed in December 2024 as targeting high-profile organizations in Southeast Asia since at least October 2023.
Then last month, Cisco Talos linked the Lotus Panda actor to intrusions aimed at the government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan using a backdoor referred to as Sagerunex.
Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip) has a history of orchestrating cyber attacks against governments and military organizations in Southeast Asia.
Believed to be active since at least 2009, the group came under the spotlight for the first time in June 2015, when Palo Alto Networks attributed the threat actor to a persistent spear-phishing campaign that exploited a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil) that is designed to execute commands and read/write files.
Subsequent attacks mounted by the group weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email to an individual then working for the French Ministry of Foreign Affairs in Taiwan, deploying another trojan related to Elise, codenamed Emissary.
In the latest wave of attacks observed by Symantec, the attackers leveraged legitimate, signed executables from Trend Micro ("tmdbglog.exe") and Bitdefender ("bds.exe") to sideload malicious DLL files. Because Windows resolves a DLL by name from the executable's own directory before the system directories, a copied vendor binary placed next to an attacker-controlled DLL of the expected name will load it; the DLLs act as loaders that decrypt and launch a next-stage payload embedded within a locally stored file.
The Bitdefender binary was also used to sideload another DLL, although the exact nature of that file is unclear. Another unknown aspect of the campaign is the initial access vector used to breach the entities in question.
The attacks paved the way for an updated version of Sagerunex, a tool used exclusively by Lotus Panda. It comes with capabilities to harvest target host information, encrypt it, and exfiltrate the details to an external server under the attacker's control.
Also deployed in the attacks were a reverse SSH tool and two credential stealers, ChromeKatz and CredentialKatz, which are equipped to siphon passwords and cookies stored in the Google Chrome web browser.
"The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to services that were exposed internally," Symantec said. "Another legitimate tool used was called 'datechanger.exe.' It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts."
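Two of the behaviours above are detectable from endpoint telemetry: a vendor-signed host executable loading an unsigned or foreign-signed DLL from its own directory (the sideloading of tmdbglog.exe and bds.exe), and a process rewriting a file's creation time (what a timestamp changer like datechanger.exe does). The following Python hunt is an added example, not code from Symantec's report or from the actors' tooling. It runs both checks over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 2 FileCreateTime changed); the field names follow Sysmon's schema, but every path, DLL name, signer string and timestamp in the sample is invented, and the mapping of host binary to expected signer is an assumption for this example.

```python
"""Hunt for vendor-binary DLL sideloading and creation-time tampering in
Sysmon-style events. Added example; the sample events are constructed."""
import ntpath  # Windows path handling even when run on a non-Windows host
from datetime import datetime, timedelta

# Host executables named in the report, mapped to the signer substring we expect
# on DLLs they legitimately load. The signer strings are an assumption here.
SIDELOAD_HOSTS = {
    "tmdbglog.exe": "trend micro",
    "bds.exe": "bitdefender",
}


def is_sideload_candidate(event):
    """Sysmon Event ID 7 heuristic: a known vendor host loads a DLL from the
    same directory it runs from, and that DLL is unsigned or signed by someone
    other than the vendor. The vendor's own install directory loading its own
    signed DLLs is the benign case this filter lets through."""
    if event.get("EventID") != 7:
        return False
    vendor = SIDELOAD_HOSTS.get(ntpath.basename(event["Image"]).lower())
    if vendor is None:
        return False
    host_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if host_dir != dll_dir:
        return False
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "").lower()
    return not signed or vendor not in signer


def is_timestomp_candidate(event, max_backdate=timedelta(days=30)):
    """Sysmon Event ID 2: flag when a process sets a file's creation time to a
    value more than max_backdate earlier than it was. A freshly dropped file
    made to look years old matches; small shifts from copy tools do not."""
    if event.get("EventID") != 2:
        return False
    previous = datetime.fromisoformat(event["PreviousCreationUtcTime"])
    new = datetime.fromisoformat(event["CreationUtcTime"])
    return previous - new > max_backdate


def hunt(events):
    """Return (kind, acting image, file) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if is_sideload_candidate(ev):
            findings.append(("sideload", ev["Image"], ev["ImageLoaded"]))
        elif is_timestomp_candidate(ev):
            findings.append(("timestomp", ev["Image"], ev["TargetFilename"]))
    return findings


# Constructed sample telemetry (not real events; DLL names are invented).
SAMPLE_EVENTS = [
    {   # vendor binary in its install dir loading its own signed DLL: benign
        "EventID": 7, "Image": r"C:\Program Files\Trend Micro\tmdbglog.exe",
        "ImageLoaded": r"C:\Program Files\Trend Micro\tmcore.dll",
        "Signed": "true", "Signature": "Trend Micro, Inc.",
    },
    {   # same binary copied to a writable dir, loading an unsigned DLL beside it
        "EventID": 7, "Image": r"C:\Users\Public\tmdbglog.exe",
        "ImageLoaded": r"C:\Users\Public\tmcore.dll",
        "Signed": "false", "Signature": "",
    },
    {   # bds.exe loading a DLL from its dir that carries a non-vendor signature
        "EventID": 7, "Image": r"C:\ProgramData\bds.exe",
        "ImageLoaded": r"C:\ProgramData\log.dll",
        "Signed": "true", "Signature": "Contoso Ltd",
    },
    {   # system DLL from System32: different directory, ignored
        "EventID": 7, "Image": r"C:\ProgramData\bds.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # creation time pushed back by years on the dropped DLL
        "EventID": 2, "Image": r"C:\ProgramData\datechanger.exe",
        "TargetFilename": r"C:\ProgramData\log.dll",
        "PreviousCreationUtcTime": "2025-01-14T09:12:03",
        "CreationUtcTime": "2022-06-01T00:00:00",
    },
    {   # creation time nudged by a few hours, e.g. by a file copy: ignored
        "EventID": 2, "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\Public\report.docx",
        "PreviousCreationUtcTime": "2025-01-14T09:12:03",
        "CreationUtcTime": "2025-01-14T06:00:00",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when running this against real telemetry: Sysmon only emits Event ID 7 and Event ID 2 for what its configuration includes, and ImageLoad is high-volume, so the vendor host names would normally be put into the Sysmon include rules rather than filtered after the fact. A DLL that is validly signed by the vendor but loaded from an unusual directory still passes this filter; extending the check with the loaded DLL's hash against a known-good set closes that gap.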