- The group struck government, air control, and telco firms in Southeast Asia
- Victims were not named
- Lotus Panda used never-before-seen infostealers and loaders
Lotus Panda, a Chinese state-sponsored threat actor, managed to compromise multiple organizations in a number of Southeast-Asian countries, in a campaign that took place between mid-2024 and early 2025.
Cybersecurity researchers from the Symantec Threat Hunter Team said the organizations included government agencies, air traffic control organizations, telecom operators, and a construction company in one country, a news agency in another, and an air freight organization in another. The victim countries, or organizations, were not named.
In the attack, the group used never-before-seen malware, loaders, credential stealers, and reverse SSH tools.
Chinese cyber-spies
Lotus Panda allegedly abused legitimate executables from antivirus companies Trend Micro and Bitdefender, using them to sideload malicious DLL files which dropped and decrypted second-stage payloads. The threat actor also allegedly updated Sagerunex, a group-exclusive tool that can steal sensitive information and exfiltrate it, encrypted, to a third-party server. We don’t know how the group made the initial breach, though.
Other notable tools used in this campaign are infostealers ChromeKatz and CredentialKatz.
“The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to services that were exposed internally,” Symantec said. “Another legitimate tool used was called ‘datechanger.exe.’ It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts.
Lotus Panda is a known state-sponsored group, sometimes reported as Billbug, Lotus Blossom, Thrip, Spring Dragon, and Bronze Elgin. The group has allegedly been active since 2009, and is focused primarily on cyber-espionage. Its usual targets are government agencies, defense organizations, telcos and the media in Southeast Asia.
There were also reports of Lotus Panda attacks in the United States and Australia, too, which could suggest that the group is looking to expand its reach.
Via The Hacker News
