ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Hannotog

Hannotog is a type of backdoor malware uniquely assoicated with Lotus Blossom operations since at least 2022.^[1]

ID: S1211

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 16 March 2025

Last Modified: 04 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1020		Automated Exfiltration	Hannotog can upload encyrpted data for exfiltration.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Hannotog can execute various `cmd.exe /c %s` commands.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	Hannotog creates a new service for persistence.^[1]
Enterprise	T1562	.004	Impair Defenses: Disable or Modify System Firewall	Hannotog can modify local firewall settings via `netsh` commands to open a listening UDP port.^[1]
Enterprise	T1105		Ingress Tool Transfer	Hannotog can download additional files to the victim machine.^[1]
Enterprise	T1571		Non-Standard Port	Hannotog uses non-standard listening ports, such as UDP 5900, for command and control purposes.^[1]
Enterprise	T1489		Service Stop	Hannotog can stop Windows services.^[1]

Groups That Use This Software

ID	Name	References
G0030	Lotus Blossom	Hannotog is a backdoor associated with Lotus Blossom operations.^[1]

References

Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.