Skip to content

G0030 Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. 1

Item Value
ID G0030
Associated Names DRAGONFISH, Spring Dragon
Version 2.0
Created 31 May 2017
Last Modified 25 March 2019
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
DRAGONFISH 2
Spring Dragon 32

Software

ID Name References Techniques
S0081 Elise 32 Local Account:Account Discovery Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal Timestomp:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Service Discovery
S0082 Emissary 45 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Symmetric Cryptography:Encrypted Channel Group Policy Discovery Ingress Tool Transfer Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Local Groups:Permission Groups Discovery Dynamic-link Library Injection:Process Injection Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Service Discovery

References

  1. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  2. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. 

  3. Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016. 

  4. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. 

  5. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.