ATT&CK sub-techniques have now been released! Take a tour, read the blog post or release notes, or see the previous version of the site.

Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. ^[1]

ID: G0030

Associated Groups: DRAGONFISH, Spring Dragon

Version: 2.0

Created: 31 May 2017

Last Modified: 25 March 2019

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
DRAGONFISH	^[3]
Spring Dragon	^[2]^[3]

Software

ID	Name	References	Techniques
S0081	Elise	^[2]^[3]	Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0082	Emissary	^[4]^[5]	Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Injection: Dynamic-link Library Injection, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery

References

Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.