Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. [1]

ID: G0030
Associated Groups: DRAGONFISH, Spring Dragon
Version: 2.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

Name Description
DRAGONFISH [3]
Spring Dragon [2][3]

Software

ID Name References Techniques
S0081 Elise [2][3] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Process Discovery, Process Injection: Dynamic-link Library Injection, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery
S0082 Emissary [4][5] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Injection: Dynamic-link Library Injection, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Service Discovery

References