{
	"id": "41366bd9-6981-4de2-89c3-29e698e93d92",
	"created_at": "2026-04-06T00:07:24.217817Z",
	"updated_at": "2026-04-10T03:34:27.624252Z",
	"deleted_at": null,
	"sha1_hash": "8c402c86cfe0fe27be74d8ac3b5d37fda7170fc6",
	"title": "Threat Signal Report | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38434,
	"plain_text": "Threat Signal Report | FortiGuard Labs\r\nArchived: 2026-04-02 10:59:45 UTC\r\nFortiGuard Labs is aware of a report that APT group \"Billbug\" compromised a certificate authority (CA) as well\r\nas multiple government and defense organizations in Asia. Also known as Lotus Blossom and Thrip, the APT\r\ngroup reportedly has been active since 2009 and uses custom backdoor malware \"Hannotog\" and \"Sagerunex\" as\r\nwell as available tools in compromised machines.\r\nWhy is this Significant?\r\nThis is significant because the Billbug APT threat actor group targeted a certificate authority (CA). Should digital\r\ncertificates be compromised, the attacker could use them to sign malware for detection evasion by security\r\nsolutions and eavesdrop on HTTPS communications.\r\nAlso, the reports indicate that multiple organizations in government and defense sectors in Asia were\r\ncompromised by Billbug APT.\r\nWhat is Billbug APT?\r\nBillbug, also known as Lotus Blossom and Thrip, is a threat actor that has been reportedly active since at least 2009 and has\r\ninterests in U.S. organizations as well as government, defense, and communications organizations in Southeast\r\nAsia. Their primary motive is thought to be information espionage.\r\nBillbug APT employs living-off-the-land techniques and uses custom malware. 
The tools that were reportedly\r\nused by Billbug APT are the following:\r\nHannotog backdoor\r\nSagerunex backdoor\r\nAdFind\r\nCertutil\r\nLogMeIn\r\nMimikatz\r\nNBTscan\r\nPing\r\nPort Scanner\r\nPowerShell\r\nPsExec\r\nRoute\r\nTracert\r\nWinmail\r\nWinRAR\r\nWinSCP\r\nWhat is the Status of Coverage?\r\nFortiGuard Labs detects the files in the report with the following AV signatures:\r\nW32/Agent.QTP!tr\r\nW32/Elsentric.J!tr\r\nW32/Generic.A!tr\r\nW32/PossibleThreat\r\nW64/Agentb.F!tr\r\nW64/Agent.LF!tr\r\nW64/Elsentric.E!tr\r\nW64/Elsentric.G!tr\r\nMalicious_Behavior.SB\r\nPossibleThreat.PALLAS.H\r\nRiskware/Kryptik\r\nNo Telemetry data available at the moment.\r\nSource: https://fortiguard.fortinet.com/threat-signal-report/4879",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://fortiguard.fortinet.com/threat-signal-report/4879"
	],
	"report_names": [
		"4879"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434044,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c402c86cfe0fe27be74d8ac3b5d37fda7170fc6.pdf",
		"text": "https://archive.orkl.eu/8c402c86cfe0fe27be74d8ac3b5d37fda7170fc6.txt",
		"img": "https://archive.orkl.eu/8c402c86cfe0fe27be74d8ac3b5d37fda7170fc6.jpg"
	}
}