Group description: Lotus Blossom
Lotus Blossom, DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip, Group G0030 | MITRE ATT&CK®

Lotus Blossom

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers. [1] [2] [3]

ID: G0030
Associated Groups: DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip
Contributors: Prinesha Dobariya
Version: 4.0
Created: 31 May 2017
Last Modified: 23 April 2025

Associated Group Descriptions

Name | Description
DRAGONFISH | [4]
Spring Dragon | [5] [4]
RADIUM | [6]
Raspberry Typhoon | [6]
Bilbug | [2]
Thrip | [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items. [3]
Enterprise | T1087.001 | Account Discovery: Local Account | Lotus Blossom has used commands such as net to profile local system users. [3]
Enterprise | T1087.002 | Account Discovery: Domain Account | Lotus Blossom has used net commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries. [3] [2]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Lotus Blossom has used WinRAR for compressing data in RAR format. [3] [2]
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Lotus Blossom has used custom tools to compress and archive data on victim systems. [3]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Lotus Blossom has configured tools such as Sagerunex to run as Windows services. [3]
Enterprise | T1074.001 | Data Staged: Local Data Staging | Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration. [3]
Enterprise | T1482 | Domain Trust Discovery | Lotus Blossom has used tools such as AdFind to make Active Directory queries. [2]
Enterprise | T1083 | File and Directory Discovery | Lotus Blossom has used commands such as dir to examine the local filesystem of victim machines. [3]
Enterprise | T1112 | Modify Registry | Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry. [3]
Enterprise | T1046 | Network Service Discovery | Lotus Blossom has used port scanners to enumerate services on remote hosts. [2]
Enterprise | T1588.002 | Obtain Capabilities: Tool | Lotus Blossom has used publicly available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool. [3]
Enterprise | T1090.001 | Proxy: Internal Proxy | Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments. [3]
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments. [3]
Enterprise | T1012 | Query Registry | Lotus Blossom has run commands such as reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters to verify if installed implants are running as a service. [3]
Enterprise | T1018 | Remote System Discovery | Lotus Blossom has used Ping to identify remote systems. [2]
Enterprise | T1539 | Steal Web Session Cookie | Lotus Blossom has used publicly available tools to steal cookies from browsers such as Chrome. [3]
Enterprise | T1016 | System Network Configuration Discovery | Lotus Blossom has used commands such as ipconfig and netstat to gather network information on compromised hosts. [3]
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet. [3]
Enterprise | T1049 | System Network Connections Discovery | Lotus Blossom has used commands such as netstat to identify system network connections. [3]
Enterprise | T1047 | Windows Management Instrumentation | Lotus Blossom has used WMI to enable lateral movement. [3]

Software

ID | Name | References
S0552 | AdFind | Lotus Blossom has used AdFind to query Active Directory in victim environments. [2]
  Techniques: Account Discovery: Domain Account; Domain Trust Discovery; Permission Groups Discovery: Domain Groups; Remote System Discovery; System Network Configuration Discovery
S0160 | certutil | Lotus Blossom has used certutil during operations. [2]
  Techniques: Archive Collected Data: Archive via Utility; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Subvert Trust Controls: Install Root Certificate
S0081 | Elise | Lotus Blossom has used Elise. [5] [4]
  Techniques: Account Discovery: Local Account; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Indicator Removal: Timestomp; Indicator Removal: File Deletion; Ingress Tool Transfer; Masquerading: Match Legitimate Resource Name or Location; Obfuscated Files or Information: Encrypted/Encoded File; Process Discovery; Process Injection: Dynamic-link Library Injection; System Binary Proxy Execution: Rundll32; System Information Discovery; System Network Configuration Discovery; System Service Discovery
S0082 | Emissary | Lotus Blossom has used Emissary. [7] [8]
  Techniques: Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Encrypted Channel: Symmetric Cryptography; Group Policy Discovery; Ingress Tool Transfer; Obfuscated Files or Information: Encrypted/Encoded File; Obfuscated Files or Information: Binary Padding; Permission Groups Discovery: Local Groups; Process Injection: Dynamic-link Library Injection; System Binary Proxy Execution: Rundll32; System Information Discovery; System Network Configuration Discovery; System Service Discovery
S1211 | Hannotog | Hannotog is a backdoor associated with Lotus Blossom operations. [2]
  Techniques: Automated Exfiltration; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Impair Defenses: Disable or Modify System Firewall; Ingress Tool Transfer; Non-Standard Port; Service Stop
S0357 | Impacket | Lotus Blossom has used Impacket during operations. [3]
  Techniques: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay; Lateral Tool Transfer; Network Sniffing; OS Credential Dumping: NTDS; OS Credential Dumping: LSASS Memory; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSA Secrets; Steal or Forge Kerberos Tickets: Kerberoasting; Steal or Forge Kerberos Tickets: Ccache Files; System Services: Service Execution; Windows Management Instrumentation
S0590 | NBTscan | Lotus Blossom has used NBTscan during operations. [2]
  Techniques: Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0097 | Ping | Lotus Blossom has used Ping to verify connectivity to remote hosts. [2]
  Techniques: Remote System Discovery
S1210 | Sagerunex | Lotus Blossom is the exclusive user of Sagerunex, and has employed variants of this in operations since 2016. [2] [3]
  Techniques: Access Token Manipulation; Application Layer Protocol: Web Protocols; Archive Collected Data: Archive via Utility; Data Staged: Local Data Staging; Deobfuscate/Decode Files or Information; Encrypted Channel: Asymmetric Cryptography; Execution Guardrails; Exfiltration Over C2 Channel; Native API; Obfuscated Files or Information: Encrypted/Encoded File; Obfuscated Files or Information: Software Packing; Process Discovery; Process Injection: Dynamic-link Library Injection; Proxy; System Information Discovery; System Network Configuration Discovery; Web Service: One-Way Communication; Web Service: Bidirectional Communication

References

[1] Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
[2] Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
[3] Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
[4] Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS' MEETING AND ASSOCIATES. Retrieved November 17, 2024.
[5] Baumgartner, K. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
[6] Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[7] Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
[8] Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.