Lotus Blossom

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]

ID: G0030
Associated Groups: DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip
Version: 4.0
Created: 31 May 2017
Last Modified: 04 April 2025

Associated Group Descriptions

Name: Description
DRAGONFISH: [4]
Spring Dragon: [5][4]
RADIUM: [6]
Raspberry Typhoon: [6]
Bilbug: [2]
Thrip: [3]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Lotus Blossom has retrieved the tokens of running processes in order to adjust the privileges of the launched process or of other objects.[3]

Enterprise T1087 .001 Account Discovery: Local Account

Lotus Blossom has used commands such as net to profile local system users.[3]

Enterprise T1087 .002 Account Discovery: Domain Account

Lotus Blossom has used net commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries.[3][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Lotus Blossom has used WinRAR for compressing data in RAR format.[3][2]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Lotus Blossom has used custom tools to compress and archive data on victim systems.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Lotus Blossom has configured tools such as Sagerunex to run as Windows services.[3]

Enterprise T1074 .001 Data Staged: Local Data Staging

Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.[3]

Enterprise T1482 Domain Trust Discovery

Lotus Blossom has used tools such as AdFind to make Active Directory queries.[2]

Enterprise T1083 File and Directory Discovery

Lotus Blossom has used commands such as dir to examine the local filesystem of victim machines.[3]

Enterprise T1112 Modify Registry

Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry.[3]

Enterprise T1046 Network Service Discovery

Lotus Blossom has used port scanners to enumerate services on remote hosts.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

Lotus Blossom has used publicly available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool.[3]

Enterprise T1090 .001 Proxy: Internal Proxy

Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.[3]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments.[3]

Enterprise T1012 Query Registry

Lotus Blossom has run commands such as reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters to verify if installed implants are running as a service.[3]

Enterprise T1018 Remote System Discovery

Lotus Blossom has used Ping to identify remote systems.[2]

Enterprise T1539 Steal Web Session Cookie

Lotus Blossom has used publicly available tools to steal cookies from browsers such as Chrome.[3]

Enterprise T1016 System Network Configuration Discovery

Lotus Blossom has used commands such as ipconfig and netstat to gather network information on compromised hosts.[3]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.[3]

Enterprise T1049 System Network Connections Discovery

Lotus Blossom has used commands such as netstat to identify system network connections.[3]

Enterprise T1047 Windows Management Instrumentation

Lotus Blossom has used WMI to enable lateral movement.[3]

Software

ID Name References Techniques

S0552 AdFind
Lotus Blossom has used AdFind to query Active Directory in victim environments.[2]
Techniques: Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery

S0160 certutil
Lotus Blossom has used certutil during operations.[2]
Techniques: Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate

S0081 Elise
Lotus Blossom has used Elise.[5][4]
Techniques: Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection: Dynamic-link Library Injection, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery

S0082 Emissary
Lotus Blossom has used Emissary.[7][8]
Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Group Policy Discovery, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, Permission Groups Discovery: Local Groups, Process Injection: Dynamic-link Library Injection, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery

S1211 Hannotog
Hannotog is a backdoor associated with Lotus Blossom operations.[2]
Techniques: Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Non-Standard Port, Service Stop

S0357 Impacket
Lotus Blossom has used Impacket during operations.[3]
Techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation

S0590 NBTscan
Lotus Blossom has used NBTscan during operations.[2]
Techniques: Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery

S0097 Ping
Lotus Blossom has used Ping to verify connectivity to remote hosts.[2]
Techniques: Remote System Discovery

S1210 Sagerunex
Lotus Blossom is the exclusive known user of Sagerunex and has employed variants of it in operations since 2016.[2][3]
Techniques: Access Token Manipulation, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Execution Guardrails, Exfiltration Over C2 Channel, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, System Information Discovery, System Network Configuration Discovery, Web Service: One-Way Communication, Web Service: Bidirectional Communication

References