S1210 Sagerunex
Sagerunex is a malware family used exclusively by Lotus Blossom, with variants observed since at least 2016. Sagerunex variants rely on non-traditional command and control channels, including third-party web services, rather than only attacker-owned infrastructure. [2][1]
| Item | Value |
|---|---|
| ID | S1210 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 15 March 2025 |
| Last Modified | 16 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | Sagerunex locates the explorer.exe process after execution and uses its token to change the token of its own executing thread. [2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Sagerunex communicates over HTTPS, at times using the hard-coded User-Agent string `Mozilla/5.0 (compatible; MSIE 7.0; Win32)`. [2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Sagerunex has archived collected material in RAR format. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Sagerunex gathers host information and stages it locally as a RAR file prior to exfiltration. [1] During execution, Sagerunex stores logged data in an encrypted file at `%TEMP%\TS_FB56.tmp`. [2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Sagerunex uses a custom decryption routine to unpack itself during installation. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Sagerunex uses HTTPS for command and control communication. [2] |
| enterprise | T1480 | Execution Guardrails | Sagerunex uses a `ServiceMain` function to verify its environment so that it only runs when started as a Windows service, and also checks for the existence of a configuration file in a specified directory before proceeding. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Sagerunex encrypts collected system data and exfiltrates it over its existing command and control channel. [1] |
| enterprise | T1106 | Native API | Sagerunex calls the `WaitForSingleObject` API function as part of its time-check logic. [1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Sagerunex has been packed with VMProtect to obscure its code. [1] |
| enterprise | T1027.013 | Encrypted/Encoded File | Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime. [2] |
| enterprise | T1057 | Process Discovery | Sagerunex identifies the explorer.exe process on the executing system. [2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Sagerunex is built as a dynamic-link library (DLL) that is injected into a process on the infected endpoint and executed directly in memory. [1] |
| enterprise | T1090 | Proxy | Sagerunex supports several proxy configuration settings to maintain connectivity. [1] |
| enterprise | T1082 | System Information Discovery | Sagerunex gathers information from the infected system, such as the hostname. [1] |
| enterprise | T1016 | System Network Configuration Discovery | Sagerunex gathers network configuration details such as MAC and IP addresses. [1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Sagerunex has used virtual private servers (VPS) for command and control traffic; more recent variants also use third-party cloud services. [1] |
| enterprise | T1102.003 | One-Way Communication | Sagerunex has used web services such as Twitter for command and control purposes. [1] |
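Two of the indicators in the table above are concrete enough to turn directly into detection logic: the hard-coded User-Agent used over HTTPS (T1071.001) and the encrypted staging file written to `%TEMP%\TS_FB56.tmp` (T1074.001). The following is an added example, not code from this page, from Cisco Talos, or from Symantec. The proxy log layout, the sample log lines, the hostnames and the IP addresses are all constructed for illustration; only the User-Agent string and the staging file name come from the page.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, List

# Indicators quoted on this page: the hard-coded User-Agent sent over
# HTTPS (T1071.001) and the encrypted staging file name under %TEMP%
# (T1074.001). Everything else in this file is illustrative scaffolding.
SAGERUNEX_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
SAGERUNEX_STAGING_FILE = "TS_FB56.tmp"

# Hypothetical proxy log layout (constructed for this example, not a
# real vendor format): ts client method url status "user-agent".
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; hosts and addresses are placeholders. The
# last line is deliberately malformed to show that parsing skips it.
SAMPLE_PROXY_LOG = """\
2025-03-01T10:02:11Z 10.0.0.15 CONNECT cdn-edge.example:443 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
2025-03-01T10:02:12Z 10.0.0.22 GET http://intranet.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2025-03-01T10:03:40Z 10.0.0.15 CONNECT cdn-edge.example:443 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
2025-03-01T10:04:03Z 10.0.0.31 CONNECT sync.example:443 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
2025-03-01T10:05:17Z 10.0.0.22 GET http://intranet.example/a 200 "malformed line with no closing quote
"""


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_user_agent_hits(text: str) -> List[Dict[str, str]]:
    """Return records whose User-Agent exactly equals the hard-coded string.

    Exact match is deliberate: the value is a fixed constant in the implant,
    and a looser "MSIE 7.0" substring match would add noise from any legacy
    client that still presents an IE7 User-Agent."""
    return [r for r in parse_proxy_log(text) if r["ua"] == SAGERUNEX_USER_AGENT]


def hits_per_client(text: str) -> Dict[str, int]:
    """Count hits per internal client address to prioritise hosts for triage."""
    return dict(Counter(r["client"] for r in find_user_agent_hits(text)))


def is_staging_artifact(path: str) -> bool:
    """True if the path's file name is the documented staging file name.

    The comparison is case-insensitive because NTFS is, and both path
    separators are accepted so the check works on paths copied from EDR
    or forensic tool output."""
    name = re.split(r"[\\/]", path)[-1]
    return name.lower() == SAGERUNEX_STAGING_FILE.lower()


def find_staging_artifacts(paths: Iterable[str]) -> List[str]:
    """Filter a list of observed file paths down to staging-file matches."""
    return [p for p in paths if is_staging_artifact(p)]


def expected_staging_path(temp_dir: str) -> str:
    """Where the page says the encrypted log lands, given a user's %TEMP%."""
    return os.path.join(temp_dir, SAGERUNEX_STAGING_FILE)


if __name__ == "__main__":
    for rec in find_user_agent_hits(SAMPLE_PROXY_LOG):
        print(f"{rec['ts']} {rec['client']} {rec['method']} {rec['url']}")
    print(hits_per_client(SAMPLE_PROXY_LOG))
    # Constructed paths as they might appear in an EDR file-creation feed.
    sample_paths = [
        r"C:\Users\alice\AppData\Local\Temp\TS_FB56.tmp",
        r"C:\Windows\Temp\ts_fb56.TMP",
        r"C:\Users\alice\AppData\Local\Temp\TS_FB57.tmp",
    ]
    print(find_staging_artifacts(sample_paths))
```

The User-Agent match is high-fidelity only because the string is a fixed constant in the implant; a single hit from a host that also has `TS_FB56.tmp` in its temp directory is a much stronger signal than either indicator alone, which is why both checks sit in one script. Because the C2 traffic is HTTPS, a forward proxy that logs the CONNECT request's User-Agent (or a TLS-inspecting proxy) is the place this telemetry exists; plain NetFlow will not carry it.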
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0030 | Lotus Blossom | Lotus Blossom is the exclusive user of Sagerunex and has employed variants of it in operations since 2016. [2][1] |
References
1. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
2. Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.