1. Home
  2. Groups
  3. Lotus Blossom

Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. [1]

ID: G0030
Associated Groups: DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon
Version: 3.0
Created: 31 May 2017
Last Modified: 08 January 2024
Version Permalink

Associated Group Descriptions

Name Description
DRAGONFISH

[2]
Spring Dragon

[3][2]
RADIUM

[4]
Raspberry Typhoon

[4]

Software

ID Name References Techniques
S0081 Elise [3][2] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection: Dynamic-link Library Injection, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0082 Emissary [5][6] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Group Policy Discovery, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Binary Padding, Permission Groups Discovery: Local Groups, Process Injection: Dynamic-link Library Injection, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery

References

  1. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  2. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  3. Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
  1. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  2. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  3. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.