Lotus Blossom group targets the Vietnamese government and neighboring countries

The China-linked APT group Lotus Blossom was recently found to have launched multiple attack campaigns against government organizations, manufacturing businesses, telecommunications providers, and media outlets in Vietnam, Hong Kong, Taiwan, and the Philippines.

Lotus Blossom, also known as Lotus Panda, Spring Dragon, and Thrip, is a hacker organization from China. First appearing around late 2011, this hacker group often uses attack methods like spear-phishing (email scams) and watering hole attacks (targeting websites frequently visited by the victim) to infiltrate and deploy backdoors on victims' systems. The group's attack targets include government agencies, military organizations, and state-owned enterprises in Southeast Asia, including Vietnam.

In a report by Joey Chen of Cisco Talos, the group was observed running attack campaigns against government organizations, manufacturing businesses, telecommunications providers, and media outlets in Vietnam, Hong Kong, Taiwan, and the Philippines. The campaign delivers variants of the Sagerunex backdoor, which gives the attackers arbitrary access to the victim's system through command shells while establishing long-term persistence and concealing their activity so that their operations continue uninterrupted.

Figure 1: Target countries in the Lotus Blossom campaign - Source: Cisco Talos

Two new variants of the Sagerunex backdoor have been discovered in the recorded attacks, targeting media and telecommunications businesses. Notably, these variants do not rely on a Virtual Private Server (VPS) as the initial command-and-control (C2) server. Instead, they use legitimate third-party cloud services such as Dropbox and Twitter, or open-source webmail services such as Zimbra, to avoid detection when connecting to C2.

Figure 2: Attack chain of Lotus Blossom - Source: Cisco Talos

Although the initial attack vector has not been conclusively determined, the available evidence suggests that Lotus Blossom relies on tactics such as spear-phishing and watering hole attacks. The group's tactics, techniques, and procedures (TTPs) unfold in multiple stages, allowing it to work gradually toward specific campaign goals while deploying a backdoor to maintain persistence and conceal its presence on the infected system for an extended period. Once Sagerunex has infected a system, the malware automatically gathers system information by running commands such as net, tasklist, quser, ipconfig, netstat, and dir. These commands reveal users, directory structure, running processes, and the network configuration of the infected host.

After the initial information gathering, if the system has restricted internet access, the attackers either configure the victim's proxy settings to establish a connection or use the Venom proxy tool to link isolated machines to hosts that do have internet access. The attackers also move their backdoors and other malware into the operating system's Public\Pictures directory: this folder is accessible to every user on the system, and its files are neither hidden nor protected, which makes it a practical location for hiding their tools and maintaining long-term access.

To further secure their foothold, the attackers also deploy registry keys so that the backdoor runs as a system service, querying keys such as:

  • reg query HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters

  • reg query HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters

  • reg query HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters
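The three behaviours just described (a burst of reconnaissance commands, files staged in Public\Pictures, and service registry keys pointing at the backdoor) are all visible in endpoint telemetry. The following script is an added example, not code from the Cisco Talos report or from this post, of how a defender could turn them into hunting checks. The log lines are constructed, simplified Sysmon-style key=value records; the ServiceDll check assumes that, for the swprv, tapisrv and appmgmt services, a backdoor run as a service would be registered through the ServiceDll value under the queried Parameters key, and treats anything outside %SystemRoot%\System32 as suspect.

```python
"""Hunting heuristics for the Sagerunex behaviours described above.

Checks run over constructed, simplified Sysmon-style records:
  1. a burst of host-reconnaissance commands (net, tasklist, quser,
     ipconfig, netstat, dir) launched by one parent process in a short window;
  2. executables or DLLs created under C:\\Users\\Public\\Pictures;
  3. ServiceDll values for swprv, tapisrv and appmgmt that point outside
     %SystemRoot%\\System32 (assumed loading mechanism, see lead-in).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

RECON_COMMANDS = {"net", "tasklist", "quser", "ipconfig", "netstat", "dir"}
PUBLIC_PICTURES = r"c:\users\public\pictures"
SUSPECT_SERVICES = {"swprv", "tapisrv", "appmgmt"}
SYSTEM32 = r"c:\windows\system32"

# Constructed sample telemetry (not real Sysmon output): one parent (pid 3980)
# runs the full reconnaissance set, drops a DLL in Public\Pictures and points
# tapisrv's ServiceDll at it; pid 1200 and pid 900 are benign noise.
SAMPLE_LOG = r"""
ts=2025-02-20T09:00:01|event=process_create|pid=4100|ppid=3980|cmdline=C:\Windows\System32\net.exe user
ts=2025-02-20T09:00:03|event=process_create|pid=4104|ppid=3980|cmdline=tasklist.exe /v
ts=2025-02-20T09:00:05|event=process_create|pid=4108|ppid=3980|cmdline=quser.exe
ts=2025-02-20T09:00:07|event=process_create|pid=4112|ppid=3980|cmdline=ipconfig.exe /all
ts=2025-02-20T09:00:09|event=process_create|pid=4116|ppid=3980|cmdline=netstat.exe -ano
ts=2025-02-20T09:00:11|event=process_create|pid=4120|ppid=3980|cmdline=cmd.exe /c dir C:\Users
ts=2025-02-20T09:30:00|event=process_create|pid=5200|ppid=1200|cmdline=ipconfig.exe /all
ts=2025-02-20T09:01:00|event=file_create|pid=3980|path=C:\Users\Public\Pictures\update.dll
ts=2025-02-20T09:01:02|event=file_create|pid=3980|path=C:\Users\Public\Pictures\holiday.jpg
ts=2025-02-20T09:02:00|event=registry_set|pid=3980|key=HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters\ServiceDll|value=C:\Users\Public\Pictures\update.dll
ts=2025-02-20T09:02:05|event=registry_set|pid=900|key=HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters\ServiceDll|value=%SystemRoot%\System32\swprv.dll
"""


def parse_line(line: str) -> dict:
    """Parse 'key=value|key=value' into a dict; splits on the first '=' only."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def command_name(cmdline: str) -> str:
    """Lower-cased base name of the launched command without '.exe'.
    'dir' is a cmd builtin, so 'cmd.exe /c dir ...' is resolved to 'dir'."""
    tokens = cmdline.strip().split()
    if not tokens:
        return ""
    base = ntpath.basename(tokens[0].strip('"')).lower()
    if base in ("cmd", "cmd.exe"):
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.lower() == "/c" and i + 1 < len(tokens):
                return tokens[i + 1].lower()
    return base[:-4] if base.endswith(".exe") else base


def recon_bursts(records, window=timedelta(minutes=2), threshold=4):
    """Return (ppid, [commands]) for parents that launched at least `threshold`
    distinct reconnaissance commands within `window`."""
    by_parent = defaultdict(list)
    for r in records:
        if r.get("event") != "process_create":
            continue
        name = command_name(r.get("cmdline", ""))
        if name in RECON_COMMANDS:
            by_parent[r["ppid"]].append((datetime.fromisoformat(r["ts"]), name))
    hits = []
    for ppid, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                hits.append((ppid, sorted(names)))
                break
    return hits


def public_pictures_drops(records):
    """Executable or DLL files written under the world-accessible Public\\Pictures folder."""
    hits = []
    for r in records:
        if r.get("event") != "file_create":
            continue
        path = r.get("path", "").lower()
        if path.startswith(PUBLIC_PICTURES) and path.endswith((".exe", ".dll")):
            hits.append(r["path"])
    return hits


def suspicious_service_dlls(records):
    """ServiceDll writes for the three queried services whose DLL lives outside System32."""
    hits = []
    for r in records:
        if r.get("event") != "registry_set":
            continue
        parts = r.get("key", "").lower().split("\\")
        if len(parts) < 3 or parts[-1] != "servicedll" or parts[-2] != "parameters":
            continue
        service = parts[-3]
        value = r.get("value", "")
        normalised = value.lower().replace("%systemroot%", r"c:\windows")
        if service in SUSPECT_SERVICES and not normalised.startswith(SYSTEM32 + "\\"):
            hits.append((service, value))
    return hits


def hunt(log_text: str) -> dict:
    """Run all three checks over a block of log lines."""
    records = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    return {
        "recon_bursts": recon_bursts(records),
        "public_pictures_drops": public_pictures_drops(records),
        "service_dlls": suspicious_service_dlls(records),
    }


if __name__ == "__main__":
    for check, findings in hunt(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

Run against the sample, the script reports parent process 3980 for all six reconnaissance commands, the DLL dropped in Public\Pictures, and the tapisrv ServiceDll that points at it, while the isolated ipconfig run and the legitimate swprv entry produce no findings. In production the same logic would be fed from Sysmon event IDs 1, 11 and 13 (or the EDR equivalents), and the window and threshold tuned to the environment's normal administrative noise.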

Lotus Blossom also uses open-source hacking tools in its attacks. Tools mentioned by security researcher Joey Chen in his report include:

  • Cookie Stealing Tool: The group uses a PyInstaller-packaged build of an open-source Chrome cookie stealing tool from GitHub to steal login information saved in the Chrome browser.

  • Venom Proxy Tool: A Go-based proxy tool originally developed for penetration testers; the group reconfigured it and hardcoded the target IP address for each operation.

  • Privilege Escalation Tool: Lets the attackers take the token of another process and adjust its privileges in order to launch a new process.

  • Archiving Tool: Lets the attackers compress and encrypt stolen files or entire directories into a specified path, with password protection.

  • Port Forwarding Tool: Named "mtrain V1.01" by the attackers, this proxy relay tool is modified from HTran and forwards connections from the victim's machine out to the Internet.

  • RAR Tool: An archive manager the attackers use to store and compress files.

Recommendations

A backdoor is a type of malware that lets attackers access a user's system without authorization. To avoid becoming a victim of Lotus Blossom or similar threats, users should take the following measures:

  1. Install antivirus and system security software: Use reputable antivirus software to detect and block malware. Enable real-time protection to stop malware before it can execute.

  2. Be cautious when browsing and downloading files: Do not click on suspicious links in emails, messages, or unfamiliar websites. Only download software from official sources like the developer's website or trusted app stores. Use a browser with strong security features and enable ad blocking to reduce exposure to malicious websites.

  3. Protect email from phishing attacks: Do not open emails from unknown senders or emails with suspicious content. Carefully check links before clicking to avoid being redirected to fake websites. Enable spam filtering to reduce the risk of receiving emails containing malware.

  4. Enable firewalls and network protection: Activate the firewall on your system or use firewall software to control network traffic.

  5. Enable two-factor authentication (2FA) on important accounts: Use multi-factor authentication (MFA/2FA) to strengthen the security of your email, banking, and social media accounts.

  6. Regularly update your operating system and software: Always keep your operating system and software up to date to patch security vulnerabilities.

  7. Regularly back up important data: Use external hard drives or cloud services (Google Drive, OneDrive) to keep copies of important data. Do not keep the only copy of important data on the same device, so that it is not lost in an attack or ransomware infection.

IOCs

For detailed IOC information, users can refer to the official Cisco Talos GitHub page:

https://github.com/Cisco-Talos/IOCs/blob/main/2025/02/lotus-blossom-espionage-group.txt

References

  1. Cisco Talos blog: https://blog.talosintelligence.com/lotus-blossom-espionage-group/

FPT IS Security