{
	"id": "5aee23fc-ac3b-44a2-bea6-ef5b2aa39f15",
	"created_at": "2026-04-06T02:12:31.506015Z",
	"updated_at": "2026-04-10T03:34:27.635675Z",
	"deleted_at": null,
	"sha1_hash": "89d52c5903d7584dbaf756fff7acf700be7e2ac5",
	"title": "Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3526743,
	"plain_text": "Lotus Blossom espionage group targets multiple industries with\r\ndifferent versions of Sagerunex and hacking tools\r\nBy Joey Chen\r\nPublished: 2025-02-27 · Archived: 2026-04-06 01:31:09 UTC\r\nThursday, February 27, 2025 06:00\r\nCisco Talos discovered multiple cyber espionage campaigns that target government, manufacturing,\r\ntelecommunications and media, delivering Sagerunex and other hacking tools for post-compromise\r\nactivities. \r\nTalos attributes these attacks to the threat actor known as Lotus Blossom. Lotus Blossom has actively\r\nconducted cyber espionage operations since at least 2012 and continues to operate today. \r\nBased on our examination of the tactics, techniques, and procedures (TTPs) utilized in these campaigns,\r\nalongside the deployment of Sagerunex, a backdoor family used exclusively by Lotus Blossom, we\r\nattribute these campaigns to the Lotus Blossom group with high confidence.  \r\nWe also observed Lotus Blossom gain persistence using specific commands to install their Sagerunex\r\nbackdoor within the system registry and configuring it to run as a service on infected endpoints.  \r\nLotus Blossom has also developed new variants of Sagerunex that not only use traditional command and\r\ncontrol (C2) servers but also use legitimate, third-party cloud services such as Dropbox, Twitter, and the\r\nZimbra open-source webmail as C2 tunnels. \r\nA multi-campaign, multi-variant backdoor operation  \r\nTalos assesses with high confidence that Lotus Blossom (also referred to as Spring Dragon, Billbug, Thrip) threat\r\nactors are responsible for these campaigns. The group was previously publicly disclosed as an active espionage\r\ngroup operating since 2012. Our assessment is based on the TTPs, backdoors, and victim profiles associated with\r\nhttps://blog.talosintelligence.com/lotus-blossom-espionage-group/\r\nPage 1 of 23\n\neach activity. 
Our observations indicate that Lotus Blossom has been using the Sagerunex backdoor since at least\r\n2016 and is increasingly employing long-term persistence command shells and developing new variants of the\r\nSagerunex malware suite. The operation appears to have achieved significant success, targeting organizations in\r\nsectors such as government, manufacturing, telecommunications and media in areas including the Philippines,\r\nVietnam, Hong Kong and Taiwan.\r\nOur investigation uncovered two new variants of the Sagerunex backdoor, which were detected during attacks on\r\ntelecommunications and media companies, as well as many Sagerunex variants persistent in the government and\r\nmanufacturing industries. These new variants no longer rely on the original Virtual Private Server (VPS) for their\r\nC2 servers. Instead, they use third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source\r\nwebmail service as C2 tunnels to evade detection. In our malware analysis section, we will delve into the technical\r\nspecifics of each Sagerunex backdoor variant and illustrate their configurations. Some configurations reveal the\r\npossible original file paths of the malware, providing insights into the threat actor’s host paths.\r\nWe also compiled a timeline for the evolution of Sagerunex by analyzing data from the campaigns we observed,\r\nthird-party reports, malware compilation timestamps, and the timestamps of victim uploads on the C2 service:\r\n\r\nAttributing the attacks to Lotus Blossom\r\nTalos has identified strong evidence to attribute these campaigns to the Lotus Blossom group, primarily due to the\r\npresence of the Sagerunex backdoor within these operations. Sagerunex is a remote access tool (RAT) assessed to\r\nbe an evolution of an older Billbug tool known as Evora.
Sagerunex is designed as a dynamic link library (DLL) that is\r\ninjected into an infected endpoint and executed directly in memory.\r\nWe also observed the Sagerunex backdoor employ various network connection strategies to ensure it remains\r\nunder the actor's control. Despite the development of three distinct variants, the foundational structures and core\r\nfunctionalities of the backdoor remain consistent. These consistent elements enable us to confidently categorize all\r\nidentified variant backdoors as part of the Sagerunex family.\r\nMoreover, the consistent patterns in victimology and the TTPs identified across these campaigns strongly support\r\nour attribution to the Lotus Blossom espionage group. This consistency, seen in the selection of targets and the\r\nmethods employed, aligns with the known operational characteristics of Lotus Blossom, providing compelling\r\nevidence that these campaigns are orchestrated by this specific threat actor.\r\nLotus Blossom’s latest attack chain\r\nWe conducted research into the main elements of the attack, including the specific functions of each malware strain\r\nand how Lotus Blossom managed to evade detection for several months. We also observed the threat actor\r\nleverage a number of hacking and open-source tools to achieve their objectives.\r\nCookie stealer tool: A PyInstaller bundle of an open-source Chrome cookie stealer from GitHub. Lotus Blossom\r\nused it to harvest Chrome browser credentials.\r\nVenom proxy tool: A proxy tool written in Go and developed for penetration testers. The threat actor\r\ncustomized this Venom tool and hardcoded the destination IP address in each activity.\r\nAdjust privilege tool: Enabled the threat actor to retrieve another process's token and adjust the privileges of the\r\nlaunched process.
\r\nArchiving tool: A customized compression and encryption tool which enabled the attacker to collect individual files\r\nor entire folders into a protected archive at a chosen file path. For example, the tool archived the Chrome and Firefox\r\nbrowser cookie folders.\r\nPort relay tool: The threat actor named this tool “mtrain V1.01”; it is a modified proxy relay tool derived from\r\nHTran. The tool allowed the threat actor to relay the connection from the victim machine to the internet.\r\nRAR tool: An archive manager that the threat actor used to archive or zip files.\r\nExtended persistence\r\nLotus Blossom frequently utilizes the Impacket tool to execute remote processes and commands within the\r\nvictim's environment, consistent with known Lotus Blossom TTPs. Once they gain access to a target, their\r\noperations typically unfold over multiple stages. Each stage is carefully executed, indicating a well-planned\r\nstrategy aimed at achieving long-term objectives. This multi-stage approach enables them to maintain a presence\r\nin the network for extended periods, often going undetected for several months. Below is an example of the overall\r\nattack chain visualization.\r\nIn the compromised environment, the threat actor executes various commands such as “net,” “tasklist,” “quser,”\r\n“ipconfig,” “netstat,” and “dir.” These commands are used to gather detailed information about user accounts,\r\ndirectory structures, process activities, and network configurations. Following the initial reconnaissance, the actor\r\nassesses whether the compromised machine can connect to the internet.
If internet access is restricted, then the\r\nactor has two strategies: using the target's proxy settings to establish a connection or using the Venom proxy tool\r\nto link the isolated machines to internet-accessible systems. Additionally, we have noticed that the actor frequently\r\ndeposits backdoor and hacking tools in the \"public\\pictures\" subfolder. This location is accessible to all\r\nusers and, unlike system folders, is neither hidden nor protected, making it a strategic choice for evasion and continued\r\naccess.\r\nBesides running commands for discovery and lateral movement, we also observed Lotus Blossom use specific\r\ncommands to install their notorious Sagerunex backdoor within the system registry, configuring it to run as a\r\nservice. The service names tapisrv, swprv and appmgmt belong to legitimate svchost-hosted Windows services; the\r\ncommands repoint each service's ServiceDll value at the backdoor DLL and set Start to 2 (automatic start), so the\r\nbackdoor is loaded into a svchost.exe process at boot. Presented below are the command lines the actor used to\r\ninstall the backdoor as a service.\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\tapisrv\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\\windows\\tapisrv.dll /f\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\tapisrv /v Start /t REG_DWORD /d 2 /f\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\swprv\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\\windows\\swprv.dll /f\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\swprv\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\\windows\\system32\\swprv.dll /f\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\appmgmt\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\\windows\\swprv.dll /f\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\appmgmt /v Start /t REG_DWORD /d 2 /f\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\appmgmt\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\\windows\\system32\\appmgmts.dll /f\r\nThe actor used the following commands to verify that the backdoor can successfully run as a service.
\r\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\swprv\\Parameters\r\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\tapisrv\\Parameters\r\nreg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\appmgmt\\Parameters\r\nSagerunex malware analysis\r\nIn this section, we provide an in-depth technical analysis of the multiple variants of the Sagerunex backdoor. Our\r\nexploration will begin with a detailed examination of a particular Sagerunex backdoor variant that exhibits a high\r\ndegree of code similarity and workflow resemblance to those described in other vendors' blog posts. This analysis\r\nwill help establish connections and highlight the shared characteristics observed across different Sagerunex\r\nvariants.\r\nNext, we will shift our focus to another intriguing variant of the Sagerunex backdoor, which utilizes Dropbox as\r\nits C2 server. This unconventional choice of a third-party cloud service illustrates the threat actor's adaptability\r\nand efforts to evade detection. Additionally, we have identified another variant of the Sagerunex backdoor that\r\nleverages the Zimbra open-source webmail service for its C2 operations. This finding further underscores the\r\ndiverse strategies Lotus Blossom employs to maintain control and persist within compromised environments.\r\nWe examined loader code similarity to identify numerous variants of the Sagerunex backdoor. By analyzing\r\nthe loader and the behavior of the Sagerunex backdoor, we can classify the malware into the Sagerunex family.\r\nDespite the loader's compact size and its primary function of injecting the Sagerunex backdoor into memory, we have\r\nidentified two distinct loader patterns. The first pattern involves the decryption algorithm: the loader embeds an\r\nencrypted copy of the Sagerunex backdoor and uses a customized decryption routine to extract it.
The second pattern is the\r\n\"servicemain\" function, where the loader verifies its environment, ensuring it can only be executed as a service.\r\nAn analyst who loads such a DLL with rundll32 or a generic DLL harness will therefore see it exit early; it has to be\r\nstarted through the Service Control Manager, which is exactly what the ServiceDll registrations above arrange.\r\nFurthermore, we also observed the actor employ VMProtect, a software protection tool, to obfuscate Sagerunex\r\ncode and evade detection by antivirus products. These techniques are used to keep Sagerunex backdoor variants\r\nrunning undetected.\r\nSagerunex malware similarity\r\nDuring its initial execution, Sagerunex conducts several checks before sending a beacon to its C2 server. These\r\nverification functions are present across all Sagerunex variants. The initial check involves searching for a debug\r\nlog file in the temp folder. Regardless of whether this debug log file is present, all Sagerunex variants will proceed\r\nwith execution. If the debug log is found, the backdoor will encrypt the debug strings along with a timestamp and\r\nstore them in the log file. Below is a screenshot displaying the debug file names for all Sagerunex variants. From\r\nleft to right, the versions include: the \"Beta\" version, featuring clear debug strings within its code flow; the\r\noriginal version, previously discussed in another blog post, whose code flow is the same as the Beta version's; the Dropbox\r\nand Twitter versions, which utilize these third-party cloud services as C2 channels; and finally, the Zimbra\r\nversion, which employs the Zimbra webmail service for C2 purposes.\r\nThe second check involves verifying the existence of the backdoor configuration file within a specific directory\r\nand under a designated filename. Below, we provide examples of different versions of the Sagerunex\r\nconfiguration file paths and filenames uncovered during our research. We suspect there may be additional\r\ndirectories that remain undiscovered. These are likewise ordered in the same manner as the preceding\r\nparagraph.
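Returning to the persistence commands and the reconnaissance pattern in the Extended persistence section above, here is what a defender can do with them, as an added example that is not part of the Talos report or its tooling. The Python parses the output of the three reg query commands, flags any ServiceDll that does not sit at the Windows default for that service and, because the actor's final values for swprv and appmgmt point at the legitimate System32 path, also consults an Authenticode inventory so an in-place DLL swap is caught as well. A second pass counts the discovery commands named above per user and lists anything executed from the Public Pictures folder. The reg query output, the signature inventory, the process events and the mtrain.exe file name are all constructed for the example; the default DLL paths are an assumption about a standard Windows install.

```python
from typing import Dict, List, Tuple

# Assumed Windows-default ServiceDll for the three svchost-hosted services
# the actor repointed (service names from the reg add commands above).
EXPECTED_SERVICE_DLL = {
    'tapisrv': 'c:\\windows\\system32\\tapisrv.dll',
    'swprv': 'c:\\windows\\system32\\swprv.dll',
    'appmgmt': 'c:\\windows\\system32\\appmgmts.dll',
}

# Constructed output of the three reg query commands, reflecting the last
# value each reg add left behind. Not captured from a real host.
REG_QUERY_OUTPUT = [
    'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\tapisrv\\Parameters',
    '    ServiceDll    REG_EXPAND_SZ    c:\\windows\\tapisrv.dll',
    '',
    'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\swprv\\Parameters',
    '    ServiceDll    REG_EXPAND_SZ    c:\\windows\\system32\\swprv.dll',
    '',
    'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\appmgmt\\Parameters',
    '    ServiceDll    REG_EXPAND_SZ    c:\\windows\\system32\\appmgmts.dll',
]

# Constructed Authenticode inventory (path -> Microsoft-signed). A real hunt
# fills this from Get-AuthenticodeSignature; swprv.dll is marked unsigned to
# model a DLL replaced in place at its legitimate path.
SIGNED_BY_MICROSOFT = {
    'c:\\windows\\tapisrv.dll': False,
    'c:\\windows\\system32\\swprv.dll': False,
    'c:\\windows\\system32\\appmgmts.dll': True,
}

# Discovery commands named in the report; constructed process events with a
# hypothetical mtrain.exe staged under Public\Pictures.
DISCOVERY = {'net', 'tasklist', 'quser', 'ipconfig', 'netstat', 'dir'}
PROCESS_EVENTS = [  # (user, command line)
    ('CORP\\svc_backup', 'cmd.exe /c net user'),
    ('CORP\\svc_backup', 'cmd.exe /c tasklist'),
    ('CORP\\svc_backup', 'cmd.exe /c quser'),
    ('CORP\\svc_backup', 'cmd.exe /c ipconfig /all'),
    ('CORP\\svc_backup', 'cmd.exe /c netstat -ano'),
    ('CORP\\svc_backup', 'C:\\Users\\Public\\Pictures\\mtrain.exe'),
    ('CORP\\jdoe', 'cmd.exe /c dir C:\\Users\\jdoe\\Documents'),
]


def parse_reg_query(lines: List[str]) -> Dict[str, str]:
    '''Map service name -> ServiceDll from concatenated reg query output.'''
    result: Dict[str, str] = {}
    service = None
    for line in lines:
        if line.startswith('HKEY_'):
            parts = line.strip().split('\\')
            # Only ...\Services\<name>\Parameters keys carry ServiceDll.
            service = parts[-2].lower() if parts[-1].lower() == 'parameters' else None
            continue
        fields = line.split(None, 2)
        if service and len(fields) == 3 and fields[0].lower() == 'servicedll':
            result[service] = fields[2].strip().lower()
    return result


def find_servicedll_hijacks(values: Dict[str, str],
                            signed: Dict[str, bool]) -> List[Tuple[str, str, str]]:
    '''Flag a service when its ServiceDll is off the expected path, or when the
    path is right but the file there is not Microsoft-signed (in-place swap).'''
    findings = []
    for service, dll in values.items():
        expected = EXPECTED_SERVICE_DLL.get(service)
        if expected is not None and dll != expected:
            findings.append((service, dll, 'ServiceDll outside the System32 default'))
        elif not signed.get(dll, False):
            findings.append((service, dll, 'expected path but DLL not Microsoft-signed'))
    return findings


def discovery_burst(events: List[Tuple[str, str]], threshold: int = 4) -> Dict[str, int]:
    '''Users who ran at least `threshold` distinct discovery commands. Token
    matching is deliberately loose; add a time window before deploying.'''
    per_user: Dict[str, set] = {}
    for user, cmdline in events:
        hits = set(cmdline.lower().split()) & DISCOVERY
        if hits:
            per_user.setdefault(user, set()).update(hits)
    return {u: len(c) for u, c in per_user.items() if len(c) >= threshold}


def public_pictures_staging(events: List[Tuple[str, str]]) -> List[str]:
    '''Command lines that execute something from the Public Pictures folder.'''
    needle = '\\users\\public\\pictures\\'
    return [cmd for _, cmd in events if needle in cmd.lower()]


if __name__ == '__main__':
    for f in find_servicedll_hijacks(parse_reg_query(REG_QUERY_OUTPUT), SIGNED_BY_MICROSOFT):
        print('ServiceDll hijack:', f)
    print('discovery bursts:', discovery_burst(PROCESS_EVENTS))
    print('staged in Public Pictures:', public_pictures_staging(PROCESS_EVENTS))
```

The path check alone passes swprv and appmgmt, because the actor's last reg add for each restores the System32 location; comparing the file's signature, or its hash against a known-good baseline, is what closes that gap. The Start value is a further signal: all three services are manual-start on a default Windows install, so Start = 2 on any of them is worth a ticket on its own.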
\r\nSubsequently, the Sagerunex backdoor examines the system time to decide whether to execute its main function\r\nimmediately or delay its execution. Each Sagerunex variant possesses its own time-check logic. For example, one\r\nvariant checks if it operates during working hours (e.g. 10:00 am to 7:00 pm), while another ensures that the\r\nsystem hours do not exceed the system minutes. Despite these slight variations in check strategies among the\r\nSagerunex backdoors, they all utilize the same pause API, \"WaitForSingleObject,\" and uniformly wait for 300,000\r\nmilliseconds (five minutes) before re-running the time-check logic. A sandbox whose clock falls outside the\r\nvariant's window, or whose run is shorter than the remaining wait, will therefore never observe a beacon.\r\nA final shared feature among all Sagerunex variants is their approach to proxy configuration, which enables the\r\nbackdoor to successfully connect to the C2 server. While the malware includes several proxy-related functions,\r\nnot all variants utilize every available option. Some rely solely on web proxy “autodiscovery” for accessing proxy\r\nservices. Additionally, we identified hardcoded proxy servers, along with proxy usernames and passwords, within\r\nthe Sagerunex configuration files. This discovery strongly supports our assessment that Lotus Blossom's activities\r\nare intended for espionage purposes.\r\nBeta version of Sagerunex\r\nThe Beta version of Sagerunex closely resembles the Sagerunex backdoor discussed previously in this post.\r\nHowever, this Beta version includes additional debug strings featuring more complete sentences, which is why we\r\nhave called it the Beta version of Sagerunex. For example, as shown in the screenshot below, while typical\r\nSagerunex debug strings often use \"0x00\" as a prefix followed by error or behavior shortcut strings, the Beta\r\nversion offers more detailed information, such as \"Online Fail! Wait for %d mins\\r\\n.\" Furthermore, this Beta\r\nversion also provides us with a clearer understanding of the Sagerunex workflow.\r\nFig. The left side is the Beta version of Sagerunex and the right side is typical Sagerunex.\r\nOnce all the checks are passed, the Beta version of Sagerunex gathers information from the target host,\r\nincluding the hostname, MAC address, and IP address. It also queries the public IP address using\r\n\"api.ipaddress[.]com.\" This collected information is then encrypted and sent back to the C2 server. Upon receiving\r\nthe encrypted reply, Sagerunex decrypts it, successfully bringing the backdoor online and enabling the threat actor\r\nto control the target. Below are the debug strings indicating successful online status and the backdoor command\r\nfunctions.\r\nFig. The left side is the online debug strings, and the right side is backdoor command functions.\r\nThe Beta version of Sagerunex backdoor overall infection chain is visualized below.\r\nDropbox \u0026 Twitter version of Sagerunex\r\nTalos also discovered another variant of the Sagerunex backdoor that uses the Dropbox and Twitter APIs as C2 services.\r\nAfter passing the initial checking steps, this backdoor variant retrieves the necessary Dropbox or Twitter tokens\r\nto successfully bring the backdoor online. Once the backdoor sends a beacon message and receives a response ID,\r\nit evaluates the ID number to determine subsequent actions. If the ID is less than 16, the function will return,\r\nprompting the backdoor to send another beacon message and wait for a new ID. If the ID is between 16 and 32,\r\nthe backdoor proceeds to collect host information and execute the paired backdoor command functions. After\r\ngathering the information and executing the commands, the backdoor encrypts and archives all collected data,\r\nthen transmits it back to Dropbox or Twitter. When the ID received equals 39, the backdoor retrieves data from\r\nDropbox files or Twitter status updates to confirm the status of the backdoor service. Below are screenshots of the\r\nDropbox and Twitter connection testing function and this variant's command functions.\r\nFig. The left side is the online debug strings, and the right side is backdoor command functions.\r\nAdditionally, our reverse engineering of this version of the Sagerunex backdoor revealed one intriguing finding.\r\nWe discovered that the configuration file for this version not only includes Dropbox tokens and Twitter tokens but\r\nalso reveals its original file path, which we believe may originate from the actor's machine. Below, we provide a\r\nlist of all the file paths we identified, along with a screenshot of the configuration file.\r\nC:\\Users\\aa\\Desktop\\dpst.dll\r\nC:\\Users\\3\\Desktop\\DT-1-64-G\\msiscsii.dll\r\nC:\\Users\\balabala\\Desktop\\swprve64.dll\r\nC:\\Users\\test04\\Desktop\\a\\dtsvc32.dll\r\nC:\\Users\\USER\\Documents\\dtj32\\dj32.dll\r\nMoreover, our observations of the timestamps on Dropbox files and Twitter content indicate that this version of\r\nthe backdoor was predominantly active between 2018 and 2022, and we assess this version of the backdoor may still\r\nbe active now. This timeframe suggests a consistent pattern of use over several years, highlighting the longevity\r\nand persistence of this threat in the wild. Below is an example where we extract the file details from one of the\r\nDropbox accounts.
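To make the time-gating logic from the similarity section and the response-ID handling of the Dropbox and Twitter variant concrete, here is an added example; it is neither Talos code nor Sagerunex code. It models the two time gates, the shared 300,000 ms WaitForSingleObject pause and the documented ID ranges, and, given a detonation start time and a sandbox budget, says whether the first beacon would be observed at all, which is the practical reason to patch the sandbox clock or hook the wait. The inclusive or exclusive treatment of 19:00 and of ID 32, and the 'ignored' outcome for IDs the report does not describe, are assumptions.

```python
from datetime import datetime, timedelta
from typing import Callable

SLEEP_MS = 300_000  # WaitForSingleObject timeout shared by all variants
Gate = Callable[[datetime], bool]


def working_hours_gate(now: datetime) -> bool:
    '''Variant A: run only during working hours, assumed 10:00 <= hour < 19:00.'''
    return 10 <= now.hour < 19


def hour_le_minute_gate(now: datetime) -> bool:
    '''Variant B: run only while the hour value does not exceed the minute value.'''
    return now.hour <= now.minute


def sleeps_until_active(gate: Gate, start: datetime, max_sleeps: int = 10_000) -> int:
    '''Number of 300,000 ms waits the backdoor performs before the gate opens.'''
    now, n = start, 0
    while not gate(now):
        now += timedelta(milliseconds=SLEEP_MS)
        n += 1
        if n > max_sleeps:
            raise RuntimeError('gate never opened')
    return n


def beacon_seen_in_sandbox(gate: Gate, start: datetime, budget_minutes: int) -> bool:
    '''Would a detonation of budget_minutes, started at `start`, see the first beacon?'''
    return sleeps_until_active(gate, start) * (SLEEP_MS // 60_000) <= budget_minutes


def dispatch(response_id: int) -> str:
    '''Action the Dropbox/Twitter variant takes for a C2 response ID.'''
    if response_id < 16:
        return 'rebeacon'             # return, send another beacon, wait for a new ID
    if response_id <= 32:
        return 'collect_and_execute'  # host info plus paired command, results uploaded
    if response_id == 39:
        return 'status_check'         # read Dropbox file / tweet to confirm the service
    return 'ignored'                  # no handler documented for other IDs (assumption)


if __name__ == '__main__':
    start = datetime(2025, 2, 27, 9, 12)  # constructed detonation start time
    for name, gate in (('working hours', working_hours_gate), ('hour<=minute', hour_le_minute_gate)):
        n = sleeps_until_active(gate, start)
        print(f'{name}: {n} waits, first beacon after {n * 5} min;',
              'seen in a 10-minute run' if beacon_seen_in_sandbox(gate, start, 10) else 'missed by a 10-minute run')
    for rid in (3, 16, 32, 39, 35):   # constructed C2 responses
        print(rid, '->', dispatch(rid))
```

The working-hours variant started at 09:12 needs ten waits, so a ten-minute detonation records nothing but a sleep; the hour-less-than-or-equal-minute variant started at 15:05 opens after two waits. Either way, faking the wall clock or shortening the WaitForSingleObject timeout costs less sandbox time than waiting the gate out.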
\r\nThe Dropbox \u0026 Twitter version of Sagerunex backdoor infection chain is visualized below.\r\nZimbra webmail version of Sagerunex\r\nThe final variant of the Sagerunex backdoor Talos discovered employs the Zimbra API to connect to a legitimate\r\nZimbra mail service, using it as a C2 channel to exfiltrate victim information. Like other versions, this Sagerunex\r\nvariant performs all the necessary checks before establishing its initial beacon connection. It uses the Zimbra\r\nwebmail URL, along with a username and password, to log in and obtain an authentication token. Upon\r\nsuccessfully acquiring this token, the backdoor synchronizes the account's folders and documents and utilizes the\r\nsearch function API to verify the connection's functionality. Once the connection and synchronization processes\r\nare complete, the backdoor gathers host information, encrypts the information, and saves the data as\r\n\"mail_report.rar\". The RAR file is attached to a draft email in the account's Drafts folder. With these\r\nsteps finalized, the beacon connection is successfully established.\r\nThe Zimbra webmail version of Sagerunex is not only designed to collect victim information and send it to the\r\nZimbra mailbox but also to allow the actor to use Zimbra mail content to give orders and control the victim\r\nmachine. If there is legitimate command content in the mailbox, the backdoor will download the content\r\nand extract the command; otherwise the backdoor will delete the content and wait for a legitimate command. Once\r\nit has finished executing the command, the backdoor will package the command result and again save the data as\r\n\"mail_report.rar\".
The RAR file is attached to a draft email placed in the account's Trash folder. The fixed attachment name\r\n\"mail_report.rar\", used for both the initial beacon and the command results, is a concrete artifact to hunt for in the\r\nDrafts and Trash folders on the Zimbra side.\r\nFig. The left side is the Zimbra status path, and the right side shows the backdoor command functions.\r\nTalos observed that this version of the Sagerunex backdoor has been active since 2019, and there are still several\r\nZimbra mailboxes receiving the compromised machine beacon information.\r\nThe Zimbra version of Sagerunex backdoor infection chain is visualized below.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.
\r\nAdditional protection with context for your specific environment and threat data is available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. Snort SIDs for this threat are 64511, 64510 and 64509.\r\nClamAV detections are also available for this threat:\r\nWin.Backdoor.Sagerunex-10041845-0\r\nWin.Tool.Mtrain-10041846-0\r\nWin.Tool.Ntfsdump-10041854-0\r\nWin.Backdoor.Sagerunex-10041857-0\r\nIndicators of compromise (IOCs)\r\nCampaign code\r\nst\r\nqaz\r\ntest\r\ncmhk\r\ndtemp\r\n0305\r\n4007\r\n4007_new\r\nJf_b64_t1\r\nBer_64\r\n0817-svc64\r\nNSX32-0710\r\nNsx32-0419\r\nNJX32-0710\r\nWS1x321014\r\npccw-svc32\r\nCTMsx32-0712\r\nIOCs for this research can also be found at our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/lotus-blossom-espionage-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/lotus-blossom-espionage-group/"
	],
	"report_names": [
		"lotus-blossom-espionage-group"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441551,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89d52c5903d7584dbaf756fff7acf700be7e2ac5.pdf",
		"text": "https://archive.orkl.eu/89d52c5903d7584dbaf756fff7acf700be7e2ac5.txt",
		"img": "https://archive.orkl.eu/89d52c5903d7584dbaf756fff7acf700be7e2ac5.jpg"
	}
}