1. Home
  2. Groups
  3. Lotus Blossom

Lotus Blossom

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]

ID: G0030
Associated Groups: DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip
Contributors: Prinesha Dobariya
Version: 4.0
Created: 31 May 2017
Last Modified: 23 April 2025
Version Permalink

Associated Group Descriptions

Name Description
DRAGONFISH

[4]
Spring Dragon

[5][4]
RADIUM

[6]
Raspberry Typhoon

[6]
Bilbug

[2]
Thrip

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items.[3]
Enterprise T1087 .001 Account Discovery: Local Account

Lotus Blossom has used commands such as net to profile local system users.[3]
.002 Account Discovery: Domain Account

Lotus Blossom has used net commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries.[3][2]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Lotus Blossom has used WinRAR for compressing data in RAR format.[3][2]
.003 Archive Collected Data: Archive via Custom Method

Lotus Blossom has used custom tools to compress and archive data on victim systems.[3]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Lotus Blossom has configured tools such as Sagerunex to run as Windows services.[3]
Enterprise T1074 .001 Data Staged: Local Data Staging

Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.[3]
Enterprise T1482 Domain Trust Discovery

Lotus Blossom has used tools such as AdFind to make Active Directory queries.[2]
Enterprise T1083 File and Directory Discovery

Lotus Blossom has used commands such as dir to examine the local filesystem of victim machines.[3]
Enterprise T1112 Modify Registry

Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry.[3]
Enterprise T1046 Network Service Discovery

Lotus Blossom has used port scanners to enumerate services on remote hosts.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

Lotus Blossom has used publicly-available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool.[3]
Enterprise T1090 .001 Proxy: Internal Proxy

Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.[3]
.003 Proxy: Multi-hop Proxy

Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments.[3]
Enterprise T1012 Query Registry

Lotus Blossom has run commands such as reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters to verify if installed implants are running as a service.[3]
Enterprise T1018 Remote System Discovery

Lotus Blossom has used Ping to identify remote systems.[2]
Enterprise T1539 Steal Web Session Cookie

Lotus Blossom has used publicly-available tools to steal cookies from browsers such as Chrome.[3]
Enterprise T1016 System Network Configuration Discovery

Lotus Blossom has used commands such as ipconfig and netstat to gather network information on compromised hosts.[3]
.001 Internet Connection Discovery

Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.[3]
Enterprise T1049 System Network Connections Discovery

Lotus Blossom has used commands such as netstat to identify system network connections.[3]
Enterprise T1047 Windows Management Instrumentation

Lotus Blossom has used WMI to enable lateral movement.[3]

Software

ID Name References Techniques
S0552 AdFind Lotus Blossom has used AdFind to query Active Directory in victim environments.[2] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0160 certutil Lotus Blossom has used certutil during operations.[2] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0081 Elise Lotus Blossom has used Elise.[5][4] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection: Dynamic-link Library Injection, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0082 Emissary Lotus Blossom has used Emissary.[7][8] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Group Policy Discovery, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, Permission Groups Discovery: Local Groups, Process Injection: Dynamic-link Library Injection, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S1211 Hannotog Hannotog is a backdoor associated with Lotus Blossom operations.[2] Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Non-Standard Port, Service Stop
S0357 Impacket Lotus Blossom has used Impacket during operations.[3] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Lateral Tool Transfer, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0590 NBTscan Lotus Blossom has used NBTscan during operations.[2] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0097 Ping Lotus Blossom has used Ping to verify connectivity to remote hosts.[2] Remote System Discovery
S1210 Sagerunex Lotus Blossom is the exclusive user of Sagerunex, and has employed variants of this in operations since 2016.[2][3] Access Token Manipulation, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Execution Guardrails, Exfiltration Over C2 Channel, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, System Information Discovery, System Network Configuration Discovery, Web Service: One-Way Communication, Web Service: Bidirectional Communication

References

  1. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  2. Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
  3. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  4. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
  1. Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
  2. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  3. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  4. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.