Full Report
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report
Analysis Summary
# Threat Actor: Lotus Panda
## Attribution & Identity
**Identification:** China-linked cyber espionage group.
**Known Aliases:** Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, Thrip.
## Activity Summary
Lotus Panda has been attributed to a recent campaign compromising multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. This activity is considered a continuation of a campaign previously disclosed by Broadcom in December 2024. Prior to this, the group was connected by Cisco Talos to intrusions in the Philippines, Vietnam, Hong Kong, and Taiwan. The actor has a history dating back to at least 2009, focusing on cyberattacks against governments and military organizations in Southeast Asia.
## Tactics, Techniques & Procedures
- **Initial Access:** Historically, spear-phishing emails carrying weaponized attachments have been the group's principal entry vector. The initial access vector for the latest campaign has not been determined.
- **Payload Delivery/Execution:** Use of custom tools including loaders and credential stealers.
- **Defense Evasion/Execution:** Abused legitimate, signed Trend Micro ("tmdbglog.exe") and Bitdefender ("bds.exe") executables to sideload malicious DLLs; the DLLs act as loaders that decrypt and run the next-stage payload under the cover of a trusted vendor process.
- **Historical TTPs:** Exploited legacy Microsoft Office flaws, specifically **CVE-2012-0158** and **CVE-2014-6332**, to distribute backdoors.
- **Custom Tools:** Use of new custom loaders, credential stealers, and a reverse SSH tool.
## Targeting
- **Sectors:** Government Ministry, Air Traffic Control Organization, Telecommunications Operator, Construction Company, News Agency, Air Freight Organization.
- **Geography:** Various organizations in an unnamed Southeast Asian country, as well as the Philippines, Vietnam, Hong Kong, and Taiwan (based on previous reporting).
- **Victims:** Specific organizations mentioned include a government ministry, air traffic control, telecoms operator, construction company, and a news agency.
## Tools & Infrastructure
- **Malware families used:**
  - Sagerunex (an updated version is mentioned in the latest activity).
  - Elise (aka Trensil) backdoor.
  - Emissary (trojan related to Elise).
  - Custom loaders and credential stealers.
  - Reverse SSH tool.
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed beyond the usage of custom tools and sideloading legitimate binaries.
## Implications
Lotus Panda remains a persistent, state-sponsored (China-linked) threat actor focused on cyber espionage in the Southeast Asian region. Its continued use and development of custom tooling, including sideloading techniques that execute malicious code inside legitimate vendor processes, indicates a high level of operational sophistication aimed at evading security monitoring that trusts those binaries.
## Mitigations
- Implement enhanced monitoring for DLL sideloading, particularly involving legitimate system or antivirus binaries like those from Trend Micro or Bitdefender.
- Ensure all endpoint detection and response (EDR) systems are configured to detect anomalous process execution chains stemming from trusted binaries.
- Maintain rigorous patching cycles, particularly for Microsoft Office and other document-handling software, since the group has historically exploited Office flaws delivered through spear-phishing attachments.