{
	"id": "f8494ba2-82c7-4ca5-9072-086c7ec24f50",
	"created_at": "2026-04-06T00:17:26.916178Z",
	"updated_at": "2026-04-10T03:34:27.62548Z",
	"deleted_at": null,
	"sha1_hash": "30ed76f483ef6d3f1bf92db12229d4d8fdd515c5",
	"title": "Billbug: Intrusion Campaign Against Southeast Asia Continues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54676,
	"plain_text": "Billbug: Intrusion Campaign Against Southeast Asia Continues\r\nArchived: 2026-04-05 18:19:56 UTC\r\nThe Billbug espionage group (aka Lotus Blossom, Lotus Panda, Bronze Elgin) compromised multiple organizations in a single Southeast Asian country during an intrusion campaign that ran between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company.\r\nIn addition, the group staged intrusions against a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country.\r\nThe attacks involved multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool.\r\nThe campaign is one of the findings documented in the Threat Hunter Team’s new whitepaper, Relentless Force: China-linked Espionage Actors.\r\nAttribution\r\nThe activity appears to be a continuation of a campaign first documented by Symantec in December 2024, in which multiple high-profile organizations in Southeast Asian countries were targeted. While it was clear that Chinese actors were behind the attacks, attribution to a single actor could not be determined at the time.\r\nHowever, a recent blog by Cisco Talos detailing recent Billbug activity contained indicators of compromise (IOCs) used in this campaign, indicating that it was the work of Billbug.\r\nSideloaded Malware\r\nIn several of the intrusions, the attackers used legitimate software from Trend Micro and Bitdefender to load malicious loaders, a technique known as DLL sideloading.\r\nOne of the legitimate executables used for sideloading was a Trend Micro binary named tmdbglog.exe (SHA256: f9036b967aaadf51fe0a7017c87086c7839be73efabb234e2c21885a6840343e). This was used to sideload a malicious DLL named tmdglog.dll (SHA256: b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd). Analysis of tmdglog.dll revealed that it was a loader that read, decrypted, and executed the contents of the file C:\\Windows\\temp\\TmDebug.log. It then logged the execution progress to C:\\Windows\\Temp\\VT001.tmp.\r\nAnother legitimate executable used was a Bitdefender binary named bds.exe (SHA256: 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924). This was used to sideload a malicious DLL named log.dll (SHA256: 54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b). Analysis of log.dll concluded that it was another loader, which read and decrypted the contents of the file winnt.config, then started the process C:\\Windows\\system32\\systray.exe and injected the decrypted contents into it.\r\nSeveral variants of log.dll were used in the campaign, but only one was retrieved for analysis. The same Bitdefender binary was also used to sideload a file named sqlresourceloader.dll, which was also not retrieved. It is unknown whether this is related to the loader analyzed or is a different tool.\r\nSagerunex Backdoor\r\nThe attackers also used a new variant of the Sagerunex backdoor, a custom tool used exclusively by Billbug. The variant (SHA256: 4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e) appears to be related to variants of Sagerunex documented by Cisco in February 2025. As documented by Cisco, the attackers established persistence by modifying the registry so that the backdoor would run as a service.\r\nNew Tools\r\nAmong the new tools deployed were two designed to steal credentials from the Chrome web browser. Deployed tools included:\r\nChromeKatz – Capable of stealing both credentials and cookies stored in Chrome\r\nCredentialKatz – Capable of stealing credentials stored in Chrome\r\nReverse SSH Tool – Custom tool capable of listening for SSH connections on port 22\r\nOther Tools\r\nThe attackers deployed the publicly available Zrok peer-to-peer tool, using its sharing function to provide remote access to services that were exposed only internally.\r\nAnother legitimate tool used was called datechanger.exe (SHA256: b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904). It is capable of changing file timestamps, presumably to muddy the waters for incident analysts.\r\nBackground\r\nActive since at least 2009, Billbug has largely focused on Southeast Asia, targeting governments and military organizations in particular.\r\nThe group first came to public attention in 2015 when Palo Alto published a report on its activities in Southeast Asia, linking it to over 50 different attacks over a period of three years. Its campaigns used spear-phishing emails and convincing lure documents to deliver the custom Trensil (aka Elise) Trojan.\r\nIn 2018, Symantec published an investigation into the group’s activity, detailing an attack on a large telecoms operator in Southeast Asia. The attackers used PsExec to install a previously unknown piece of malware (Infostealer.Catchamas). The discovery of this attack led to the uncovering of further attacks against the communications, geospatial imaging, and defense sectors, both in the U.S. and Southeast Asia. During that investigation, Symantec referred to the actor as Thrip, but we subsequently determined that Thrip and Billbug were most likely the same group and began tracking all activity under the Billbug name.\r\nIn 2019, Symantec published another report on the group, detailing the use of two previously unseen backdoors known as Hannotog (Backdoor.Hannotog) and Sagerunex (Backdoor.Sagerunex). Targets of this campaign included at least 12 organizations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. In addition to military targets, the group also attacked organizations in the maritime communications, media, and education sectors.\r\nBillbug remained active in subsequent years. In November 2022, Symantec published new research on the group, highlighting an attack on a digital certificate authority in an Asian country. The targeting of a certificate authority was notable because the attackers could have accessed certificates and used them to sign malware, helping them to evade detection. Compromised certificates could also potentially be used to intercept HTTPS traffic.
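The sideloading chain described under Sideloaded Malware above (a vendor executable loading an unsigned DLL from its own directory, the loader writing VT001.tmp under C:\\Windows\\Temp, and bds.exe starting systray.exe as an injection target) leaves traces that can be hunted in endpoint telemetry. The Python below is an added example and is not code from the original article or from Symantec. Its records are constructed in the shape of Sysmon Event ID 7 (ImageLoad), 11 (FileCreate) and 1 (ProcessCreate) entries, and the generic same-directory rule will also fire on benign software that ships unsigned DLLs, so treat its output as leads to triage rather than verdicts.

```python
# Added example, not from the Symantec/Broadcom write-up: a small hunt over
# Sysmon-style events for the DLL sideloading pattern described in the article.
# Field names mirror Sysmon's; the sample records below are constructed.
import ntpath

# Host binaries and DLL names named in the write-up (tmdbglog.exe -> tmdglog.dll,
# bds.exe -> log.dll / sqlresourceloader.dll). Anything else that trips the
# generic rule is a candidate, not a confirmed match.
KNOWN_HOSTS = {'tmdbglog.exe', 'bds.exe'}
KNOWN_DLLS = {'tmdglog.dll', 'log.dll', 'sqlresourceloader.dll'}
# On-disk artifacts the loaders read or write, per the analysis above.
KNOWN_ARTIFACTS = {'tmdebug.log', 'vt001.tmp', 'winnt.config'}
# Process the log.dll loader starts and injects into.
INJECT_TARGET = 'systray.exe'

def base(path):
    '''Lower-cased file name of a Windows path (works on any host OS).'''
    return ntpath.basename(path).lower()

def dirn(path):
    '''Lower-cased directory of a Windows path.'''
    return ntpath.dirname(path).lower()

def check_image_load(ev):
    '''Sysmon Event ID 7: a process loading a DLL.'''
    findings = []
    host, dll = ev['Image'], ev['ImageLoaded']
    same_dir = dirn(host) == dirn(dll)
    # Sysmon reports Signed as the strings true/false and a SignatureStatus.
    unsigned = (ev.get('Signed', 'false').lower() != 'true'
                or ev.get('SignatureStatus', '') != 'Valid')
    # Generic sideloading heuristic: unsigned DLL loaded from the host's own folder.
    if same_dir and unsigned:
        findings.append(('sideload_candidate', base(host), base(dll)))
    # Exact host/DLL pairing reported for this campaign.
    if base(host) in KNOWN_HOSTS and base(dll) in KNOWN_DLLS:
        findings.append(('billbug_sideload_match', base(host), base(dll)))
    return findings

def check_file_create(ev):
    '''Sysmon Event ID 11: a file created by the process in Image.'''
    if base(ev['TargetFilename']) in KNOWN_ARTIFACTS:
        return [('loader_artifact', base(ev['Image']), base(ev['TargetFilename']))]
    return []

def check_process_create(ev):
    '''Sysmon Event ID 1: the AV host binary spawning the injection target.'''
    if base(ev['ParentImage']) in KNOWN_HOSTS and base(ev['Image']) == INJECT_TARGET:
        return [('injection_target_spawned', base(ev['ParentImage']), base(ev['Image']))]
    return []

HANDLERS = {7: check_image_load, 11: check_file_create, 1: check_process_create}

def hunt(events):
    '''Run every record through the handler for its EventID; return all findings.'''
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev['EventID'])
        if handler:
            findings.extend(handler(ev))
    return findings

# Constructed sample telemetry (not real logs): one clean load, the two
# sideload chains from the report, and one generic unsigned same-directory load.
SAMPLE_EVENTS = [
    {'EventID': 7, 'Image': 'C:\\Program Files\\App\\app.exe',
     'ImageLoaded': 'C:\\Windows\\System32\\kernel32.dll',
     'Signed': 'true', 'SignatureStatus': 'Valid'},
    {'EventID': 7, 'Image': 'C:\\Users\\Public\\tmdbglog.exe',
     'ImageLoaded': 'C:\\Users\\Public\\tmdglog.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    {'EventID': 11, 'Image': 'C:\\Users\\Public\\tmdbglog.exe',
     'TargetFilename': 'C:\\Windows\\Temp\\VT001.tmp'},
    {'EventID': 7, 'Image': 'C:\\ProgramData\\bds\\bds.exe',
     'ImageLoaded': 'C:\\ProgramData\\bds\\log.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\systray.exe',
     'ParentImage': 'C:\\ProgramData\\bds\\bds.exe'},
    {'EventID': 7, 'Image': 'C:\\Tools\\vendor.exe',
     'ImageLoaded': 'C:\\Tools\\helper.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
]

if __name__ == '__main__':
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run it directly to print the findings for the sample events, or pass hunt() records exported from your own Sysmon or EDR pipeline once the field names are mapped; the sideload_candidate rule is the one to tune against your software inventory.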
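The datechanger.exe utility noted under Other Tools rewrites file timestamps, which matters because analysts build timelines from them. As an added example, not from the original article, the Python below applies two standard NTFS checks: SetFileTime (the API a date-changer calls) writes only the $STANDARD_INFORMATION timestamps, while the $FILE_NAME copies are maintained by the kernel, so an SI creation time earlier than the FN one points to user-land tampering; and tools that are fed a date string usually write whole seconds, leaving the 100 ns fraction at zero. The records are constructed FILETIME values, not parsed from a real $MFT, and both checks are heuristics: installers, sync clients and archive extractors also call SetFileTime, and moving or renaming a stomped file can refresh the $FILE_NAME times from the already-stomped values. Corroborate with the $UsnJrnl and with which process touched the file.

```python
# Added example, not from the Symantec/Broadcom write-up: timestomping checks on
# NTFS-style MFT records. FILETIME values are 100 ns ticks since 1601-01-01 UTC.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def to_filetime(dt, sub_second_ticks=0):
    '''Build a FILETIME from a UTC datetime plus an explicit 100 ns fraction.'''
    whole_seconds = int((dt - FILETIME_EPOCH).total_seconds())
    return whole_seconds * TICKS_PER_SECOND + sub_second_ticks

def from_filetime(ft):
    '''Convert a FILETIME back to a UTC datetime (microsecond precision).'''
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def check_record(rec):
    '''Return (indicator, detail) tuples for one record with si and fn timestamp sets.'''
    si, fn = rec['si'], rec['fn']
    findings = []
    # 1. SI.created earlier than FN.created. FN is kernel-maintained and is not
    #    reachable through SetFileTime, so an SI value that predates it was
    #    written from user land (by a timestomper or by legitimate software).
    if si['created'] < fn['created']:
        detail = '%s < %s' % (from_filetime(si['created']).isoformat(),
                              from_filetime(fn['created']).isoformat())
        findings.append(('si_created_before_fn', detail))
    # 2. Whole-second SI timestamps. Genuine NTFS times carry a 100 ns fraction;
    #    a tool fed a date/time string typically leaves it at zero.
    zeroed = sorted(k for k, v in si.items() if v % TICKS_PER_SECOND == 0)
    if len(zeroed) >= 2:
        findings.append(('si_whole_second_timestamps', ','.join(zeroed)))
    # 3. Modified before created is only a weak hint: a file copy keeps the
    #    source modification time and gets a fresh creation time, which looks the same.
    if si['modified'] < si['created']:
        findings.append(('si_modified_before_created_weak', ''))
    return findings

def scan(records):
    '''Map each record name to its list of findings.'''
    return {rec['name']: check_record(rec) for rec in records}

def ts(y, mo, d, h=0, mi=0, s=0, ticks=0):
    '''Shorthand for building constructed FILETIME values.'''
    return to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc), ticks)

def stamps(created, modified=None, mft_changed=None, accessed=None):
    '''One set of the four NTFS timestamps; unspecified ones copy created.'''
    return {'created': created, 'modified': modified or created,
            'mft_changed': mft_changed or created, 'accessed': accessed or created}

# Constructed records, not real $MFT data.
SAMPLE_RECORDS = [
    # Untouched file: SI and FN agree and carry a sub-second fraction.
    {'name': 'clean.dll',
     'si': stamps(ts(2025, 1, 10, 9, 15, 32, 1234567)),
     'fn': stamps(ts(2025, 1, 10, 9, 15, 32, 1234567))},
    # Dropped in Feb 2025, then backdated to 2019 with whole-second values.
    {'name': 'tmdglog.dll',
     'si': stamps(ts(2019, 6, 1), ts(2019, 6, 1),
                  ts(2025, 2, 3, 11, 42, 9, 8812345), ts(2025, 2, 3, 11, 42, 9, 8812345)),
     'fn': stamps(ts(2025, 2, 3, 11, 42, 7, 5551234))},
    # A plain file copy: modification time older than creation, nothing else odd.
    {'name': 'copied.txt',
     'si': stamps(ts(2025, 3, 1, 10, 0, 0, 5), ts(2024, 12, 25, 8, 30, 0, 7)),
     'fn': stamps(ts(2025, 3, 1, 10, 0, 0, 5))},
]

if __name__ == '__main__':
    for name, findings in scan(SAMPLE_RECORDS).items():
        print(name, findings or 'no indicators')
```

In practice the si and fn dictionaries would come from an $MFT parser; the checks themselves do not depend on how the records were obtained.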
\r\nLearn more about Billbug and other Chinese threat actors in our comprehensive whitepaper: Relentless Force: China-linked Espionage Actors\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\n4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e – Sagerunex\r\n2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4 – ChromeKatz\r\n6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61 – ChromeKatz\r\nea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7 – ChromeKatz\r\ne3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1 – CredentialKatz\r\n29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d – CredentialKatz\r\n461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced – Reverse SSH tool\r\nb337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904 – Date changer\r\n54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b – Loader\r\nb75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd – Loader\r\nbecbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594 – Suspected loader\r\nSource: https://www.security.com/threat-intelligence/billbug-china-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.security.com/threat-intelligence/billbug-china-espionage"
	],
	"report_names": [
		"billbug-china-espionage"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30ed76f483ef6d3f1bf92db12229d4d8fdd515c5.pdf",
		"text": "https://archive.orkl.eu/30ed76f483ef6d3f1bf92db12229d4d8fdd515c5.txt",
		"img": "https://archive.orkl.eu/30ed76f483ef6d3f1bf92db12229d4d8fdd515c5.jpg"
	}
}