{
	"id": "a34fb7bf-1164-408f-9178-c3ad5af071b3",
	"created_at": "2026-04-06T00:21:14.467072Z",
	"updated_at": "2026-04-10T03:34:27.596927Z",
	"deleted_at": null,
	"sha1_hash": "11c7427ff0800e4d0738abfdf41541d51a02b8e5",
	"title": "Thrip: Ambitious Attacks Against High Level Targets Continue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46844,
	"plain_text": "Thrip: Ambitious Attacks Against High Level Targets Continue\r\nArchived: 2026-04-05 13:02:33 UTC\r\nSince Symantec first exposed the Thrip group in 2018, the stealthy China-based espionage group has continued to\r\nmount attacks in South East Asia, hitting military organizations, satellite communications operators, and a diverse\r\nrange of other targets in the region.\r\nMany of its recent attacks have involved a previously unseen backdoor known as Hannotog (Backdoor.Hannotog)\r\nand another backdoor known as Sagerunex (Backdoor.Sagerunex). Analysis of the latter has revealed close links\r\nto another long-established espionage group called Billbug (aka Lotus Blossom). In all likelihood, Thrip and\r\nBillbug now appear to be one and the same.\r\nSince we last published on Thrip in June 2018, the group has attacked at least 12 organizations, all located within\r\nSouth East Asia. Its targets have been located in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and\r\nVietnam.\r\nThe group has attacked a diverse range of targets over the past year, most notably military targets in two different\r\ncountries. It has also attacked organizations in the maritime communications, media, and education sectors.\r\nOne of the most alarming discoveries we made in our original Thrip research was that the group had targeted a\r\nsatellite communications operator and seemed to be interested in the operational side of the company, looking for\r\nand infecting computers running software that monitored and controlled satellites. Significantly, Thrip has\r\ncontinued to target organizations in the satellite communications sector, with evidence of activity dating to as\r\nrecently as July 2019.\r\nNew malware provides more leads\r\nMuch of this recent activity was uncovered by Symantec following the discovery of a Thrip tool, a backdoor\r\ncalled Hannotog which appears to have been used since at least January 2017. 
It was first detected in an\r\norganization in Malaysia, where it triggered an alert for suspicious WMI activity with our Targeted Attack\r\nAnalytics (TAA) technology, available in Symantec Endpoint Detection and Response (EDR).\r\nTAA leverages artificial intelligence in order to comb through Symantec’s vast data and spot patterns associated\r\nwith targeted attacks. It is capable of automatically flagging incidents that would otherwise have taken thousands\r\nof hours of analyst time to identify.\r\nTAA allowed us to uncover Hannotog and from there, our expert threat hunting team built out a profile of the\r\nadversary’s tools, tactics, and procedures. This allowed us to identify other organizations that have been\r\ncompromised by Thrip, allowing us to build up a complete picture of the group’s most recent activities.\r\nhttps://symantec-blogs.broadcom.com/blogs/threat-intelligence/thrip-apt-south-east-asia\r\nPage 1 of 3\n\nHannotog is a custom backdoor which provides the attackers with a persistent presence on the victim’s network. It\r\nhas been used in conjunction with several other Thrip tools, including Sagerunex, another custom backdoor\r\nproviding remote access to the attackers, and Catchamas (Infostealer.Catchamas), a custom Trojan deployed on\r\nselected computers of interest and designed to steal information.\r\nIn addition to custom malware, Thrip has made extensive use of dual-use tools and living-off-the-land tactics.\r\nThese include:\r\nCredential dumping\r\nArchiving tools\r\nPowerShell\r\nProxy tools\r\nThe Billbug link\r\nSince Symantec first uncovered Thrip in 2018, we’ve found strong evidence linking it to the Billbug group.\r\nWhat ties the two groups together is the Sagerunex backdoor. This malware appears to be an evolution of an older\r\nBillbug tool known as Evora. 
By comparing strings and code flow between the two, we found that:\r\nThe code for logging in both is the same\r\nThe logging string format is similar, Evora is just more verbose\r\nThe log name for both starts with “\\00EV”\r\nThe command and control (C\u0026C) communication code flows are similar\r\nBillbug is a long-established espionage group, active since at least January 2009. Similar to the Thrip sub-group,\r\nthe wider Billbug group is known for specializing in operations against targets in South Asia.\r\nBillbug’s targets are usually compromised by either spear-phishing emails or watering hole attacks. The group’s\r\nspear-phishing attacks have tended to use exploits in Microsoft Office and PDF documents to drop its malware\r\nonto victims’ computers. To date, many of the group’s targets have been governments or military organizations.\r\nWider picture\r\nThrip appears to have been undeterred by its exposure last year, continuing to mount espionage attacks against a\r\nwide range of targets in South East Asia. Its link to the Billbug group puts its activities into context and proves its\r\nattacks are part of a broader range of espionage activity heavily focused on (but not limited to) governments,\r\narmed forces, and communications providers.\r\nSymantec’s TAA was the catalyst for both our initial discovery of Thrip in 2018 and the discovery of new tools\r\nand victims in 2019. 
Without TAA’s artificial intelligence, it is quite likely that the group’s activities may have\r\ngone undetected for a lot longer.\r\nProtection/Mitigation\r\nSymantec Endpoint Detection and Response (SEDR), which contains TAA technology, automatically detects\r\nThrip-related activity.\r\nIn addition to SEDR, Symantec’s Managed Endpoint Detection and Response (MEDR) service leverages\r\nautomated attack hunting provided by analytics as well as Symantec analyst security expertise to remotely\r\ninvestigate and contain incursions by adversaries such as Thrip in Symantec customer networks.\r\nThe following protections are also in place to protect customers against Thrip attacks:\r\nFile-based protection\r\nBackdoor.Hannotog\r\nInfostealer.Catchamas\r\nBackdoor.Sagerunex\r\nThreat Intelligence\r\nCustomers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have\r\nreceived reports on Thrip and Billbug, which detail methods of detecting and thwarting activities of this group.\r\nIndicators of Compromise\r\nSource: https://symantec-blogs.broadcom.com/blogs/threat-intelligence/thrip-apt-south-east-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/thrip-apt-south-east-asia"
	],
	"report_names": [
		"thrip-apt-south-east-asia"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11c7427ff0800e4d0738abfdf41541d51a02b8e5.pdf",
		"text": "https://archive.orkl.eu/11c7427ff0800e4d0738abfdf41541d51a02b8e5.txt",
		"img": "https://archive.orkl.eu/11c7427ff0800e4d0738abfdf41541d51a02b8e5.jpg"
	}
}