{
	"id": "0e7f934f-3550-4ba3-8041-5e14771282dd",
	"created_at": "2026-04-06T00:10:10.347708Z",
	"updated_at": "2026-04-10T03:34:27.67349Z",
	"deleted_at": null,
	"sha1_hash": "2e7c4e1fccea3de15d43482a10e7f69e543ba3c6",
	"title": "Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70348,
	"plain_text": "Billbug: State-sponsored Actor Targets Cert Authority, Government\r\nAgencies in Multiple Asian Countries\r\nArchived: 2026-04-02 11:19:58 UTC\r\nState-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple\r\ngovernment agencies were also targeted.\r\nSymantec, by Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this\r\ncampaign of tools previously attributed to this group. Billbug (aka Lotus Blossom, Thrip) is a long-established advanced\r\npersistent threat (APT) group that is believed to have been active since at least 2009. Symantec has previously published on\r\nthis group’s activity in 2018 and 2019 under the Thrip name, but following our 2019 investigation, we determined that Thrip\r\nand Billbug were most likely the same group, so we now track all activity under the Billbug name.\r\nIn activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog\r\n(Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in\r\nthis more recent activity.\r\nThe victims in this campaign included a certificate authority, as well as government and defense agencies. All the victims\r\nwere based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the\r\ngovernment victims, a large number of machines on the network were compromised by the attackers.\r\nThe targeting of a certificate authority is notable: if the attackers were able to compromise it and access its certificates,\r\nthey could potentially use them to sign malware with a valid certificate and help it avoid detection on victim\r\nmachines. They could also potentially use compromised certificates to intercept HTTPS traffic. 
However, although this is a\r\npossible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in\r\ncompromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.\r\nThis activity has been ongoing since at least March 2022.\r\nAttack chain\r\nThere are some indications that the attackers are exploiting public-facing applications to gain initial access to victim\r\nnetworks.\r\nThe attackers use multiple dual-use tools in this attack campaign, as well as custom malware. Billbug’s extensive use of\r\ndual-use and living-off-the-land tools was also notable in its previous campaigns. Among the dual-use tools leveraged in this\r\nrecent activity are:\r\nAdFind – A publicly available tool that is used to query Active Directory. It has legitimate uses but is widely used by\r\nattackers to help map a network.\r\nWinmail – Can open winmail.dat files.\r\nWinRAR – An archive manager that can be used to archive or zip files - for example, prior to exfiltration.\r\nPing – A freely available tool that lets users determine whether a specific host on a network is\r\nresponding.\r\nTracert – A network tool that can be used to determine the “path” packets take from one IP address to another. 
It\r\nprovides the hostname, IP address, and the response time to a ping.\r\nRoute – A path for sending packets through the internet network to an address on another network.\r\nNBTscan – Open-source command-line NetBIOS scanner.\r\nhttps://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority\r\nPage 1 of 5\n\nCertutil – Microsoft Windows utility that can be used for various malicious purposes, such as to decode information,\r\nto download files, and to install browser root certificates.\r\nPort Scanner – Allows an attacker to determine what ports are open on a network and could potentially be used to\r\nsend and receive data.\r\nMultiple files that are believed to be loaders for the Hannotog backdoor were spotted on victim machines. A backdoor was\r\nthen deployed on the compromised system. This backdoor has multiple functionalities:\r\nIt executes netsh to update the firewall settings:\r\nnetsh advfirewall firewall add rule name=\"Core Networking - Router Solicitation (ICMP-In)\" dir=in action=allow\r\nprogram=\"%s\" enable=yes\r\nnetsh firewall add portopening UDP 5900 @xpsp2res.dll,-22006 ENABLE ALL',0\r\nnetsh firewall add allowedprogram name=\"SNMP Trap Service\" program=\"%s\" mode=enable\r\nListens on port 5900\r\nCan create a service for persistence\r\nCan also stop services\r\nCan upload encrypted data\r\nCan execute cmd.exe /c %s command to gather system information\r\nCan download files to the machine\r\nA tool called Stowaway Proxy Tool was also downloaded to victim machines. Stowaway is a multi-level proxy tool written\r\nin the Go language and intended for use by penetration testers. Users can use this program to proxy external traffic to the\r\nintranet through multiple nodes, break through intranet access restrictions, construct a tree-like node network, and easily\r\nimplement management functions. It is not unusual to see penetration testing tools misused by threat actors. 
Cobalt Strike,\r\nwhich is a penetration testing framework, is considered commodity malware by many due to how often it is used by\r\nmalicious actors.\r\nSagerunex - Technical details\r\nThe Sagerunex backdoor is fairly resilient and implements multiple forms of communication with its command-and-control\r\n(C\u0026C) server. The analyzed sample had no hardcoded configuration, so it had to be dropped on the machine by a loader\r\nmalware, such as Hannotog.\r\nIn the sample analyzed by Symantec, configuration is passed to the sample via a parameter of the exported function (called\r\nMainEntry). That configuration is decrypted with a simple XOR operation:\r\ndef xor(a, b):\r\n    # byte-wise XOR of two equal-length byte strings\r\n    return bytes(i ^ j for i, j in zip(a, b))\r\n\r\ndef simplecrypt(x):\r\n    # each byte is XORed with the preceding ciphertext byte; the first byte with 0xAD\r\n    return xor(x, b\"\\xad\" + x[:-1])\r\nNext, the sample finds the explorer.exe process and uses it to change the token of the current thread. It then writes logs to a\r\ntemporary file (%TEMP%/TS_FB56.tmp), but only if the file already exists. These logs are encrypted and the encryption\r\nalgorithm used is AES256-CBC with 8192 rounds of SHA256:\r\nimport hashlib\r\nfrom Crypto.Cipher import AES  # PyCryptodome\r\n\r\ndef decrypt(datasample):\r\n    # hardcoded key, 31 bytes as listed in the report\r\n    key = b'\\x53\\x12\\x76\\x23\\x94\\x89\\x78\\x45\\x58\\x31\\x62\\x83\\x77\\x95\\x59\\x17\\x31\\x47\\x73\\x50\\x22\\x34\\x65\\x89\\x49\\x12\\x67\\x41\\x90\\x35\\x91'\r\n    # derive the AES key: seed with the 16-byte IV plus 16 zero bytes, then 0x2000 (8192) rounds of SHA256\r\n    realkey = datasample[:0x10] + b'\\x00' * 0x10\r\n    for _ in range(0x2000):\r\n        realkey = hashlib.sha256(realkey + key).digest()\r\n    # AES-256-CBC: the first 16 bytes are the IV, the rest is ciphertext; a SHA256 checksum trails the plaintext\r\n    raw = AES.new(realkey, AES.MODE_CBC, iv=datasample[:16]).decrypt(datasample[16:])\r\n    print(\"checksum\", raw[-32:].hex())\r\n    return raw[:-32]\r\nThe encryption key is hardcoded, and was previously used in an older sample of this malware. The same encryption\r\nalgorithm is used for network communication. 
The encrypted data structure is as follows:\r\nstruct encrypted_data {\r\n    byte[16] IV;\r\n    byte[N] message_data;  // always divisible by 16, padding added as necessary\r\n    byte[32] sha256_checksum;\r\n}\r\nThe sample stores configuration and state in the following file:\r\n%appdata%/microsoft/protect/windows/DMI%X.DAT (where %X is variable and depends on the parameter with which\r\nsample was started).\r\nIt is also encrypted, but with RC4. This key was hardcoded in older versions of Sagerunex, but recent samples started to read\r\nthe key from configuration instead. The config file modification date will always be in the year 2011 – the “file last edit”\r\nyear is changed by the malware to 2011.\r\nNetwork communication\r\nIn normal mode, the sample will try all the following supported connection modes in this order. In all cases, HTTPS is used,\r\nwith user agent equal to: Mozilla/5.0 (compatible; MSIE 7.0; Win32).\r\n- 1: httpsviaconfigproxy: HTTPS with configured proxy\r\n - 2: httpswpadproxy: instead of using configured proxy, use proxy provided by WPAD mechanism (web proxy autodiscovery)\r\n - 3: httpsviaiexproxy: self-explanatory. Use proxy from \\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\r\nSettings\\\\ProxyServer\r\n - 4: httpsviafirefoxproxy - get proxy from \\\\Mozilla\\\\Firefox\\\\profiles.ini (one of FF config files)\r\n - 5: httpsviaautoproxy - use proxy obtained from WinHttpGetIEProxyConfigForCurrentUser\r\n - 6: httpspreconfig - try to connect without proxy\r\nThe network packet is composed of two parts: the header and the payload. 
Both are encrypted separately.\r\nstruct network_packet {\r\n    byte[64] encrypted_header;  // see encrypted_data above\r\n    byte[N] encrypted_payload;  // see encrypted_data above\r\n}\r\nThe structure of the decrypted header is as follows:\r\nstruct header {\r\n    int32 command_id;\r\n    int16 packet_length;\r\n    int32 packet_crc32;\r\n}\r\nThe structure of the decrypted payload mostly depends on the command ID. The list of supported commands includes:\r\n7: Return the list of currently configured proxies.\r\n9: Execute a program, DLL or shell command. There are three supported subcommands: \"runexe\" to run an\r\nexecutable, \"rundll\" to run a DLL file, and anything else for arbitrary shell command.\r\n11: Steal a local file (gets a file name specified in the command payload).\r\n15: Get a configured file path (configured by command 18).\r\n17: Drop a file to a specified path – but only if the specified path was previously selected by command 18.\r\n18: Select a file path for commands 15 and 17.\r\nMotivation\r\nWhile we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor,\r\nindicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies\r\nand a certificate authority – also point to an espionage and data-theft motive. The targeting of the government victims is\r\nmost likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital\r\ncertificates, as mentioned in the introduction.\r\nThis is potentially very dangerous, as if Billbug is able to sign its malware with a valid digital certificate it may be able to\r\nbypass security detections on victim machines. 
The ability of this actor to compromise multiple victims at once indicates\r\nthat this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns. Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it\r\nreusing tools that have been linked to the group in the past.\r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nSource: https://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority"
	],
	"report_names": [
		"espionage-asia-governments-cert-authority"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e7c4e1fccea3de15d43482a10e7f69e543ba3c6.pdf",
		"text": "https://archive.orkl.eu/2e7c4e1fccea3de15d43482a10e7f69e543ba3c6.txt",
		"img": "https://archive.orkl.eu/2e7c4e1fccea3de15d43482a10e7f69e543ba3c6.jpg"
	}
}