{
	"id": "a37b3b5c-f7d9-4d04-88ef-dcb7923fa244",
	"created_at": "2026-04-06T00:18:17.641047Z",
	"updated_at": "2026-04-10T03:34:27.637971Z",
	"deleted_at": null,
	"sha1_hash": "51b16efe644751eb277bf605f1ea01e33d4cea25",
	"title": "Spring Dragon - Updated Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 659590,
	"plain_text": "Spring Dragon - Updated Activity\r\nBy Noushin Shabab\r\nPublished: 2017-07-24 · Archived: 2026-04-05 17:21:24 UTC\r\nSpring Dragon is a long running APT actor that operates on a massive scale. The group has been running\r\ncampaigns, mostly in countries and territories around the South China Sea, since as early as 2012. The main\r\ntargets of Spring Dragon attacks are high profile governmental organizations and political parties, education\r\ninstitutions such as universities, as well as companies from the telecommunications sector.\r\nIn the beginning of 2017, Kaspersky Lab became aware of new activities by an APT actor we have been tracking\r\nfor several years called Spring Dragon (also known as LotusBlossom).\r\nInformation about the new attacks arrived from a research partner in Taiwan and we decided to review the actor’s\r\ntools, techniques and activities.\r\nUsing Kaspersky Lab telemetry data we detected the malware in attacks against some high-profile organizations\r\naround the South China Sea.\r\nSpring Dragon is known for spear phishing and watering hole techniques and some of its tools have previously\r\nbeen analyzed and reported on by security researchers, including Kaspersky Lab. We collected a large set (600+)\r\nof malware samples used in different attacks, with customized C2 addresses and campaign codes hardcoded in the\r\nmalware samples.\r\nSpring Dragon’s Toolset\r\nThe threat actor behind Spring Dragon APT has been developing and updating its range of tools throughout the\r\nyears it has been operational. 
Its toolset consists of various backdoor modules with unique characteristics and\r\nfunctionalities.\r\nThe threat actor owns a large C2 infrastructure which comprises more than 200 unique IP addresses and C2\r\ndomains.\r\nThe large number of samples which we have managed to collect have customized configuration data, different sets\r\nof C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service\r\nfor malware on a victim’s system. This is designed to make detection more difficult.\r\nAll the backdoor modules in the APT’s toolset are capable of downloading more files onto the victim’s machine,\r\nuploading files to the attacker’s servers, and also executing any executable file or any command on the victim’s\r\nmachine. These functionalities enable the attackers to undertake different malicious activities on the victim’s\r\nmachine.\r\nA detailed analysis of known malicious tools used by this threat actor is available for customers of Kaspersky\r\nThreat Intelligence Services.\r\nhttps://securelist.com/spring-dragon-updated-activity/79067/\r\nPage 1 of 5\n\nCommand and Control (C2) Infrastructure\r\nThe main modules in Spring Dragon attacks are backdoor files containing IP addresses and domain names of C2\r\nservers. We collected and analyzed information from hundreds of C2 IP addresses and domain names used in\r\ndifferent samples of Spring Dragon tools that have been compiled over the years.\r\nIn order to hide their real location, attackers have registered domain names and used IP addresses from different\r\ngeographical locations. The chart below shows the distribution of servers based on geographical location which\r\nthe attackers used as their C2 servers.\r\nDistribution chart of C2 servers by country\r\nMore than 40% of all the C2 servers used for Spring Dragon’s operations are located in Hong Kong, which hints\r\nat the geographical region (Asia) of the attackers and/or their targets. 
The next most popular countries are the US,\r\nGermany, China and Japan.\r\nTargets of the Attacks\r\nAs was mentioned, the Spring Dragon threat actor has been mainly targeting countries and territories around the\r\nSouth China Sea with a particular focus on Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia\r\nand Thailand.\r\nOur research shows that the main targets of the attacks are in the following sectors and industries:\r\nHigh-profile governmental organizations\r\nPolitical parties\r\nEducation institutions, including universities\r\nCompanies from the telecommunications sector\r\nThe following map shows the geographic distribution of attacks according to our telemetry, with the frequency of\r\nthe attacks increasing from yellow to red.\r\nGeographic map of attacks\r\nOrigin of the Attacks\r\nThe victims of this threat actor have always been mainly governmental organizations and political parties. These\r\nare known to be of most interest to state-supported groups.\r\nThe types of malicious tools the actor has implemented over time are mostly backdoor files capable of stealing files\r\nfrom victims’ systems, downloading and executing additional malware components as well as running system\r\ncommands on victims’ machines. This suggests an intention to search and manually collect information\r\n(cyberespionage). This activity is most commonly associated with the interests of state-sponsored attackers.\r\nAs a routine analysis procedure, we decided to figure out the attacker’s possible time zone using the malware\r\ncompilation timestamps from a large number of Spring Dragon samples. The following diagram shows the\r\nfrequency of the timestamps during daytime hours. 
The timestamps range from early 2012 until now and are\r\naligned to the GMT time zone.\r\nAssuming the peak working hours of malware developers are the standard working day of 09:00-17:00, the chart\r\nshows that compilation took place in the GMT+8 time zone. It also suggests that either there is a second group\r\nworking another shift in the same time zone or the attackers are cross-continental and there is another group,\r\npossibly in Europe. The uneven distribution of timestamps (low activity around 10am, 7-8pm UTC) suggests that\r\nthe attackers didn’t change the timestamps to random or constant values and they might be real.\r\nHistogram of malware files’ timestamps\r\nConclusions\r\nSpring Dragon is one of many long-running APT campaigns by unknown Chinese-speaking actors. The number of\r\nmalware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an\r\noperation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums\r\nto any buyers, although, to date, we haven’t seen this.\r\nWe believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it is therefore\r\nworthwhile having good detection mechanisms (such as Yara rules and network IDS signatures) in place. We will\r\ncontinue to track this group going forward and, should the actor resurface, we will provide updates on its new\r\nmodus operandi.\r\nMore information is available to Kaspersky Lab private report subscribers. Please contact\r\nintelreports@kaspersky.com.\r\nReferences\r\nBelow is the list of public references and reports related to the Spring Dragon attackers:\r\n1. Securelist – https://securelist.com/blog/research/70726/the-spring-dragon-apt/\r\n2. Palo Alto Networks – http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/\r\n3. 
Palo Alto Networks IoC2 – https://github.com/pan-unit42/iocs/tree/master/lotusblossom\r\n4. Palo Alto Networks 2 – http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/\r\n5. Palo Alto Networks Unit 42, full report – https://app.box.com/s/xhn6ru62qqom1kuxoe3mxnqrtb1sqw2q\r\n6. TrendMicro – http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments\r\n7. TrendMicro – http://s.itho.me/infosec/2016/AT8.pdf\r\n8. PwC – http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html\r\nSource: https://securelist.com/spring-dragon-updated-activity/79067/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/spring-dragon-updated-activity/79067/"
	],
	"report_names": [
		"79067"
	],
	"threat_actors": [
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4b066585-3591-4ddd-b3cc-f4e19e0e00ef",
			"created_at": "2022-10-25T16:07:24.086915Z",
			"updated_at": "2026-04-10T02:00:04.862463Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"4HCrew",
				"APT 2",
				"G0024",
				"Group 36",
				"Putter Panda",
				"SearchFire",
				"TG-6952"
			],
			"source_name": "ETDA:Putter Panda",
			"tools": [
				"3PARA RAT",
				"4H RAT",
				"4h_rat",
				"MSUpdater",
				"httpclient",
				"pngdowner"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51b16efe644751eb277bf605f1ea01e33d4cea25.pdf",
		"text": "https://archive.orkl.eu/51b16efe644751eb277bf605f1ea01e33d4cea25.txt",
		"img": "https://archive.orkl.eu/51b16efe644751eb277bf605f1ea01e33d4cea25.jpg"
	}
}