Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
April 7, 2025, 8:04 a.m.
Description
The Lotus Blossom espionage group has been conducting cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group employs various versions of the Sagerunex backdoor, including new variants that use cloud services like Dropbox, Twitter, and Zimbra for command and control. Lotus Blossom utilizes multiple hacking tools and techniques to maintain long-term persistence in compromised networks. The attacks involve multi-stage operations, including reconnaissance, lateral movement, and data exfiltration. The group has been active since at least 2012 and continues to evolve its tactics and malware to evade detection.
Tags
Date
- Created: April 4, 2025, 7:54 p.m.
- Published: April 4, 2025, 7:54 p.m.
- Modified: April 7, 2025, 8:04 a.m.
Attack Patterns
- Evora
- Sagerunex
- Lotus Blossom
- T1550
- T1583
- T1087
- T1505
- T1518
- T1082
- T1105
- T1071
- T1543
- T1569
- T1204
- T1140
- T1132
- T1053
- T1584
- T1562
- T1190
- T1133
- T1078
- T1059
Additional Informations
- Media
- Telecommunications
- Government
- Manufacturing
- Hong Kong
- Taiwan
- Philippines