China-linked group introduces new custom tools in recent attacks.
Analysis Summary
# Threat Actor: Billbug
## Attribution & Identity
* **Attribution:** Chinese-linked espionage actor.
* **Known Aliases:** Lotus Blossom, Lotus Panda, Bronze Elgin, Thrip (previously referred to by Symantec).
* **Associated Groups:** Linked to activity documented in the "_Relentless Force: China-linked Espionage Actors_" whitepaper.
## Activity Summary
* **Recent Campaign:** An intrusion campaign active between August 2024 and February 2025 that successfully compromised multiple organizations in a single Southeast Asian country, and staged intrusions against entities in neighboring SE Asian countries.
* **Historical Activities:** Active since at least 2009, focusing primarily on governments and military organizations in Southeast Asia. Activity in 2015 involved spear-phishing and the custom Trensil (aka Elise) Trojan. In 2018, the group attacked a telecoms operator, installing Infostealer.Catchamas, and targeted the communications, geospatial imaging, and defense sectors in the US and SE Asia. In 2022, it targeted a digital certificate authority in an Asian country, suggesting an intent to use compromised certificates to sign malware or intercept HTTPS traffic.
## Tactics, Techniques & Procedures
* **DLL Sideloading:** Used legitimate software from Trend Micro (`tmdbglog.exe`) and Bitdefender (`bds.exe`) to load malicious DLLs (`tmdglog.dll` and `log.dll`, respectively).
* **Persistence:** Created persistence mechanisms by modifying the registry to run malware as a service.
* **Lateral Movement/Access:** Deployed a custom Reverse SSH Tool that listens on port 22. Deployed the publicly available Zrok peer-to-peer tool to provide remote access to internally exposed services via its sharing function.
* **Defense Evasion:** Used a legitimate tool, `datechanger.exe`, to alter file timestamps, likely to obscure forensic timelines.
* **Specific TTPs Mentioned:**
  * DLL Sideloading (MTTR-0048)
  * In-memory execution (reading, decrypting, and executing the contents of files such as `TmDebug.log`) (T1055.012 - Process Injection)
* **MITRE ATT&CK IDs (Inferred from descriptions):** T1055 (Process Injection), T1547.001 (Registry Run Keys/Startup Folder). Specific IDs for custom tools were not provided.
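The two host-level TTPs above (a vendor binary sideloading a co-located DLL, and persistence through a service registry entry) can be written as simple rules over endpoint telemetry. The following Python is an added example for this summary, not code from Symantec or from the report: the event field names follow Sysmon Event ID 7 (ImageLoaded) and Event ID 13 (RegistryEvent value set), and the vendor-to-signer mapping, the path allow lists and the sample events are constructed assumptions for illustration.

```python
"""Added example: Sysmon-style detection rules for two Billbug TTPs
(DLL sideloading via vendor binaries, service persistence via the registry).
Field names follow Sysmon Event ID 7 (ImageLoaded) and Event ID 13 (RegistryEvent);
the vendor/signer mapping and the sample events are constructed for illustration."""
import ntpath
from typing import Dict, Iterable, List, Optional

# Vendor host binaries named in the report, with the signer we expect on the genuine file.
# (Signer strings are assumptions for this example; check them against your own telemetry.)
VENDOR_HOSTS: Dict[str, str] = {
    "tmdbglog.exe": "Trend Micro",
    "bds.exe": "Bitdefender",
}

# Directories from which a vendor binary may legitimately load OS-provided DLLs.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\windows\\winsxs",
)

# Registry prefix for service definitions; ImagePath/ServiceDll writes here control what runs as a service.
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"

# Locations a service binary normally lives in (triage heuristic, not proof of legitimacy).
EXPECTED_SERVICE_PREFIXES = (
    "c:\\windows\\", "\"c:\\windows\\",
    "c:\\program files", "\"c:\\program files",
    "\\systemroot\\", "%systemroot%", "system32\\",
)


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect_sideload(event: dict) -> Optional[str]:
    """Flag a known vendor host process loading a DLL from its own directory
    (the search-order trick behind sideloading) unless the DLL carries the vendor's signature."""
    if event.get("EventID") != 7:
        return None
    host = ntpath.basename(event["Image"]).lower()
    vendor = VENDOR_HOSTS.get(host)
    if vendor is None:
        return None
    dll = event["ImageLoaded"]
    if _dirname(dll).startswith(TRUSTED_DLL_DIRS):
        return None  # OS DLL loaded from a system directory
    if _dirname(dll) != _dirname(event["Image"]):
        return None  # not co-located with the host, so not the sideload pattern
    signed = str(event.get("Signed", "false")).lower() == "true"
    if signed and vendor.lower() in str(event.get("Signature", "")).lower():
        return None  # the vendor's own, properly signed module
    return f"{host} loaded {ntpath.basename(dll)} from its own directory without a {vendor} signature"


def detect_service_persistence(event: dict) -> Optional[str]:
    """Flag ImagePath/ServiceDll writes under the Services key that point outside the
    Windows and Program Files trees; a loader dropped elsewhere and registered as a
    service is the persistence pattern the report describes."""
    if event.get("EventID") != 13:
        return None
    target = event["TargetObject"].lower()
    if not target.startswith(SERVICES_KEY):
        return None
    value_name = target.rsplit("\\", 1)[-1]
    if value_name not in ("imagepath", "servicedll"):
        return None
    details = str(event.get("Details", "")).lower()
    if details.startswith(EXPECTED_SERVICE_PREFIXES):
        return None
    return f"service {value_name} set to {event['Details']} (writer: {event.get('Image', '?')})"


RULES = (detect_sideload, detect_service_persistence)


def run_rules(events: Iterable[dict]) -> List[str]:
    """Apply every rule to every event and collect the alert reasons."""
    hits: List[str] = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append(reason)
    return hits


# Constructed sample telemetry: two benign loads, one sideload, one suspicious service, one benign driver.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\ProgramData\\Update\\tmdbglog.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\ProgramData\\Update\\tmdbglog.exe",
     "ImageLoaded": "C:\\ProgramData\\Update\\tmdglog.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": "C:\\Program Files\\Bitdefender\\bds.exe",
     "ImageLoaded": "C:\\Program Files\\Bitdefender\\example_vendor.dll",  # constructed name
     "Signed": "true", "Signature": "Bitdefender SRL"},
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TmDbgLog\\ImagePath",
     "Details": "C:\\ProgramData\\Update\\tmdbglog.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\disk\\ImagePath",
     "Details": "\\SystemRoot\\System32\\drivers\\disk.sys"},
]

if __name__ == "__main__":
    for line in run_rules(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Run against the constructed events, the rules raise two alerts: the unsigned `tmdglog.dll` loaded beside `tmdbglog.exe`, and the service `ImagePath` pointing into `ProgramData`. The path allow lists only reduce noise; anything flagged still needs its signature and hash checked by an analyst, and the first rule deliberately stays silent on host binaries not in `VENDOR_HOSTS`, so extend that map with the vendor executables present in your own estate.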
## Targeting
* **Sectors:** Government (ministries), Air Traffic Control organizations, Telecommunications, Construction, News Agencies, Air Freight organizations, Military, Maritime Communications, Media, Education, Digital Certificate Authorities.
* **Geography:** Primarily Southeast Asia. Specific countries mentioned or implied in historical context include China, Hong Kong, Macau, Indonesia, Malaysia, the Philippines, Vietnam, and other unnamed neighboring countries in SE Asia. The U.S. was also historically targeted.
* **Victims (2024-2025 Campaign):** A government ministry, an air traffic control organization, a telecoms operator, a construction company (all in one SE Asian country), a news agency (in another SE Asian country), and an air freight organization (in a neighboring country).
## Tools & Infrastructure
* **Malware Families Used:**
  * New variants of the **Sagerunex** backdoor (exclusively used by Billbug).
  * **ChromeKatz** (Custom credential stealer for Chrome).
  * **CredentialKatz** (Custom credential stealer for Chrome).
  * **Reverse SSH Tool** (Custom listener for SSH connections).
  * **tmdglog.dll** (Loader executing content from `TmDebug.log`).
  * **log.dll** (Loader injecting decrypted contents into `systray.exe`).
  * **sqlresourceloader.dll** (Suspected loader).
  * **Infostealer.Catchamas** (Historical malware).
  * **Trensil/Elise** (Historical custom Trojan).
* **Infrastructure/Other Tools:**
  * **Zrok** (Public P2P tool used for C2/remote access).
  * **datechanger.exe** (Tool to modify file timestamps).
  * **Leveraged legitimate binaries:** Trend Micro (`tmdbglog.exe`) and Bitdefender (`bds.exe`).
* **IOC Artifact Hashes (SHA256):**
  * Sagerunex: `4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e`
  * ChromeKatz: `2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4`, `6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61`, `ea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7`
  * CredentialKatz: `e3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1`, `29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d`
  * Reverse SSH tool: `461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced`
  * Date changer: `b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904`
  * Loaders: `54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b` (log.dll), `b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd` (tmdglog.dll)
  * Suspected Loader: `becbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594`
## Implications
Billbug remains a highly sophisticated, state-sponsored espionage threat actor with a long operational history focusing on strategic sectors in Southeast Asia. Their continued development and deployment of custom credential-stealing tools (ChromeKatz, CredentialKatz) and novel operational security techniques (DLL sideloading via legitimate vendor software, using Zrok for internal access) indicate a strong desire to maintain persistence, harvest sensitive information, and evade detection within high-value networks. The historical interest in certificate authorities suggests potential secondary objectives related to supply chain compromise or improved code-signing legitimacy.
## Mitigations
* Implement enhanced monitoring for DLL sideloading attempts, especially targeting executables from trusted vendors like Trend Micro and Bitdefender.
* Monitor for registry modifications aimed at establishing persistence via services.
* Review configurations related to internally exposed services to prevent unintentional relay through tools like Zrok.
* Ensure robust credential hygiene and multi-factor authentication, particularly for browser-stored credentials, which tools like ChromeKatz target.
* Maintain proactive hunting for established group malware, such as new variants of the Sagerunex backdoor.
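For the last mitigation, a first hunting pass is to sweep endpoints for the hashes in the IOC section and for the host-executable/DLL filename pairings the report describes. The following Python is an added example written for this summary, not Symantec's tooling: the hash values are copied from the report, while `SIDELOAD_PAIRS`, `scan_tree`, the label strings and the command-line usage are this example's own assumptions.

```python
"""Added example: hunt a file tree for the SHA256 IOCs in this report and for the
host-executable/DLL pairings it describes. Not the report's own code; SIDELOAD_PAIRS,
scan_tree and the label strings are this example's own."""
import hashlib
import os
import sys
from typing import Dict, Iterator, Tuple

# SHA256 values copied verbatim from the IOC section of the report, keyed by hash.
IOC_SHA256: Dict[str, str] = {
    "4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e": "Sagerunex",
    "2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4": "ChromeKatz",
    "6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61": "ChromeKatz",
    "ea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7": "ChromeKatz",
    "e3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1": "CredentialKatz",
    "29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d": "CredentialKatz",
    "461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced": "Reverse SSH tool",
    "b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904": "Date changer",
    "54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b": "Loader (log.dll)",
    "b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd": "Loader (tmdglog.dll)",
    "becbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594": "Suspected loader (sqlresourceloader.dll)",
}

# Vendor binary -> malicious DLL name it was made to load, per the report. A legitimate
# install of the host binary does not ship a DLL of that name beside it, so the pairing
# is a durable signal even after the DLL is recompiled and its hash changes.
SIDELOAD_PAIRS: Dict[str, str] = {
    "tmdbglog.exe": "tmdglog.dll",
    "bds.exe": "log.dll",
}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str] = IOC_SHA256) -> Iterator[Tuple[str, str, str]]:
    """Yield (kind, path, label) for every hash match and every suspicious host/DLL pairing.

    kind is "hash" for an IOC hash match and "sideload-pair" when a vendor host binary
    sits in the same directory as the DLL name the report associates with it.
    """
    for dirpath, _subdirs, files in os.walk(root):
        lowered = {name.lower() for name in files}
        for host, dll in SIDELOAD_PAIRS.items():
            if host in lowered and dll in lowered:
                yield ("sideload-pair", os.path.join(dirpath, dll), f"{dll} beside {host}")
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            label = iocs.get(digest)
            if label is not None:
                yield ("hash", path, label)


if __name__ == "__main__":
    root_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path, label in scan_tree(root_dir):
        print(f"{kind}\t{label}\t{path}")
```

Hash matches only find the exact samples Symantec catalogued, so a clean sweep is not a clean bill of health; the filename pairing check is the more durable of the two signals, and either kind of hit should be followed by signature verification and a look at what the host binary loads at runtime.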