G0030 Lotus Blossom

Lotus Blossom is a long-standing threat group that has largely targeted entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers. [3][6][4]

Item | Value
ID | G0030
Associated Names | DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip
Version | 4.0
Created | 31 May 2017
Last Modified | 23 April 2025

Associated Group Descriptions

Name | Description
DRAGONFISH | [1]
Spring Dragon | [2][1]
RADIUM | [5]
Raspberry Typhoon | [5]
Bilbug | [6]
Thrip | [4]

Techniques Used

Domain | ID | Name | Use
enterprise | T1134 | Access Token Manipulation | Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items. [4]
enterprise | T1087 | Account Discovery | -
enterprise | T1087.001 | Local Account | Lotus Blossom has used commands such as net to profile local system users. [4]
enterprise | T1087.002 | Domain Account | Lotus Blossom has used net commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries. [4][6]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | Lotus Blossom has used WinRAR for compressing data in RAR format. [4][6]
enterprise | T1560.003 | Archive via Custom Method | Lotus Blossom has used custom tools to compress and archive data on victim systems. [4]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Lotus Blossom has configured tools such as Sagerunex to run as Windows services. [4]
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration. [4]
enterprise | T1482 | Domain Trust Discovery | Lotus Blossom has used tools such as AdFind to make Active Directory queries. [6]
enterprise | T1083 | File and Directory Discovery | Lotus Blossom has used commands such as dir to examine the local filesystem of victim machines. [4]
enterprise | T1112 | Modify Registry | Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry. [4]
enterprise | T1046 | Network Service Discovery | Lotus Blossom has used port scanners to enumerate services on remote hosts. [6]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | Lotus Blossom has used publicly available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool. [4]
enterprise | T1090 | Proxy | -
enterprise | T1090.001 | Internal Proxy | Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments. [4]
enterprise | T1090.003 | Multi-hop Proxy | Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments. [4]
enterprise | T1012 | Query Registry | Lotus Blossom has run commands such as reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters to verify if installed implants are running as a service. [4]
enterprise | T1018 | Remote System Discovery | Lotus Blossom has used Ping to identify remote systems. [6]
enterprise | T1539 | Steal Web Session Cookie | Lotus Blossom has used publicly available tools to steal cookies from browsers such as Chrome. [4]
enterprise | T1016 | System Network Configuration Discovery | Lotus Blossom has used commands such as ipconfig and netstat to gather network information on compromised hosts. [4]
enterprise | T1016.001 | Internet Connection Discovery | Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet. [4]
enterprise | T1049 | System Network Connections Discovery | Lotus Blossom has used commands such as netstat to identify system network connections. [4]
enterprise | T1047 | Windows Management Instrumentation | Lotus Blossom has used WMI to enable lateral movement. [4]

Software

ID | Name | References | Techniques
S0552 | AdFind | Lotus Blossom has used AdFind to query Active Directory in victim environments. [6] | Domain Account: Account Discovery; Domain Trust Discovery; Domain Groups: Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S0160 | certutil | Lotus Blossom has used certutil during operations. [6] | Archive via Utility: Archive Collected Data; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Install Root Certificate: Subvert Trust Controls
S0081 | Elise | Lotus Blossom has used Elise. [2][1] | Local Account: Account Discovery; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Local Data Staging: Data Staged; Symmetric Cryptography: Encrypted Channel; File and Directory Discovery; Timestomp: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Match Legitimate Resource Name or Location: Masquerading; Encrypted/Encoded File: Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection: Process Injection; Rundll32: System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; System Service Discovery
S0082 | Emissary | Lotus Blossom has used Emissary. [8][7] | Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Symmetric Cryptography: Encrypted Channel; Group Policy Discovery; Ingress Tool Transfer; Encrypted/Encoded File: Obfuscated Files or Information; Binary Padding: Obfuscated Files or Information; Local Groups: Permission Groups Discovery; Dynamic-link Library Injection: Process Injection; Rundll32: System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; System Service Discovery
S1211 | Hannotog | Hannotog is a backdoor associated with Lotus Blossom operations. [6] | Automated Exfiltration; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Disable or Modify System Firewall: Impair Defenses; Ingress Tool Transfer; Non-Standard Port; Service Stop
S0357 | Impacket | Lotus Blossom has used Impacket during operations. [4] | LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Kerberoasting: Steal or Forge Kerberos Tickets; Ccache Files: Steal or Forge Kerberos Tickets; Service Execution: System Services; Windows Management Instrumentation
S0590 | NBTscan | Lotus Blossom has used NBTscan during operations. [6] | Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0097 | Ping | Lotus Blossom has used Ping to verify connectivity to remote hosts. [6] | Remote System Discovery
S1210 | Sagerunex | Lotus Blossom is the exclusive user of Sagerunex, and has employed variants of it in operations since 2016. [6][4] | Access Token Manipulation; Web Protocols: Application Layer Protocol; Archive via Utility: Archive Collected Data; Local Data Staging: Data Staged; Deobfuscate/Decode Files or Information; Asymmetric Cryptography: Encrypted Channel; Execution Guardrails; Exfiltration Over C2 Channel; Native API; Encrypted/Encoded File: Obfuscated Files or Information; Software Packing: Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection: Process Injection; Proxy; System Information Discovery; System Network Configuration Discovery; One-Way Communication: Web Service; Bidirectional Communication: Web Service

References