The China-based cyber espionage group known as Lotus Panda has been linked to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025.
According to the Symantec Threat Hunter Team, the targets of this campaign included a government ministry, an air traffic control organization, a telecoms operator, and a construction company. The team reported that the attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool.
Additionally, the intrusion set is believed to have targeted a news agency in another Southeast Asian country and an air freight organization in a neighboring country.
Broadcom’s cybersecurity division has assessed that this threat cluster is a continuation of a campaign the company disclosed in December 2024, which had targeted a high-profile organization in Southeast Asia since at least October 2023.
Last month, Cisco Talos connected the Lotus Panda actor to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan using a backdoor known as Sagerunex.
Lotus Panda, also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, has a history of orchestrating cyber attacks against governments and military organizations in Southeast Asia, with its activities dating back to at least 2009.
The group first came under the spotlight in June 2015, when Palo Alto Networks attributed to the threat actor a persistent spear-phishing campaign that exploited a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil), designed to execute commands and read/write files.
Subsequent attacks by the group have weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email to an individual working for the French Ministry of Foreign Affairs in Taiwan, deploying another trojan related to Elise codenamed Emissary.
In the latest wave of attacks spotted by Symantec, the attackers leveraged legitimate executables from Trend Micro (“tmdbglog.exe”) and Bitdefender (“bds.exe”) to sideload malicious DLL files, acting as loaders to decrypt and launch a next-stage payload embedded within a locally stored file.
The Bitdefender binary has also been used to sideload another DLL, although the exact nature of the file remains unclear. Additionally, the initial access vector used to reach the targeted entities is still unknown.
The attacks paved the way for an updated version of Sagerunex, a tool exclusively used by Lotus Panda, which is capable of harvesting target host information, encrypting it, and exfiltrating the details to an external server under the attacker’s control.
Furthermore, the attacks involved the deployment of a reverse SSH tool and two credential stealers, ChromeKatz and CredentialKatz, which are designed to siphon passwords and cookies stored in the Google Chrome web browser.
According to Symantec, the attackers also deployed the publicly available Zrok peer-to-peer tool, utilizing its sharing function to provide remote access to services that were exposed internally. Another legitimate tool used was called ‘datechanger.exe,’ which is capable of changing timestamps for files, presumably to obscure the trail for incident analysts.