{
	"id": "16c419b9-4bcf-45c6-8588-ca9cc4905ee1",
	"created_at": "2026-04-06T00:06:17.008777Z",
	"updated_at": "2026-04-10T03:34:41.578237Z",
	"deleted_at": null,
	"sha1_hash": "cbb0e19845f0e302c142e7db242020b24a2160a5",
	"title": "Lotus Blossom, Spring Dragon, Thrip",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72703,
	"plain_text": "Lotus Blossom, Spring Dragon, Thrip\r\nArchived: 2026-04-05 19:53:39 UTC\r\n APT group: Lotus Blossom, Spring Dragon, Thrip\r\nNames\r\nLotus Blossom (Palo Alto)\r\nSpring Dragon (Kaspersky)\r\nDragonfish (iDefense)\r\nBillbug (Symantec)\r\nThrip (Symantec)\r\nBronze Elgin (SecureWorks)\r\nCTG-8171 (SecureWorks)\r\nATK 1 (Thales)\r\nATK 78 (Thales)\r\nRed Salamander (PWC)\r\nG0030 (MITRE)\r\nG0076 (MITRE)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription\r\n(Kaspersky) Spring Dragon is a long running APT actor that operates on a massive scale. The\r\ngroup has been running campaigns, mostly in countries and territories around the South China Sea,\r\nsince as early as 2012. The main targets of Spring Dragon attacks are high profile governmental\r\norganizations and political parties, education institutions such as universities, as well as companies\r\nfrom the telecommunications sector.\r\nSpring Dragon is known for spear phishing and watering hole techniques and some of its tools\r\nhave previously been analyzed and reported on by security researchers, including Kaspersky Lab.\r\nOperation Poisoned News, TwoSail Junk may be one of their campaigns.\r\nObserved\r\nSectors: Aerospace, Defense, Education, Government, High-Tech, Satellites, Telecommunications.\r\nCountries: ASEAN, Brunei, Cambodia, Hong Kong, Indonesia, Japan, Laos, Macao, Malaysia,\r\nMyanmar, Philippines, Singapore, Taiwan, Thailand, USA, Vietnam.\r\nTools used\r\nCatchamas, Elise, Emissary, gpresult, Hannotog, Mimikatz, PsExec, Rikamanu, Sagerunex,\r\nSpedear, WMI Ghost, Living off the Land.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3b0d3a5d-1858-4be6-b23e-c2620e6e1065\r\nPage 1 of 3\n\nOperations performed\nJun 2015\nOperation “Lotus Blossom”\nToday Unit 42 published new research identifying a persistent cyber espionage\ncampaign 
targeting government and military organizations in Southeast Asia. The\nadversary group responsible for the campaign, which we named “Lotus Blossom,”\nis well organized and likely state-sponsored, with support from a country that has\ninterests in Southeast Asia. The campaign has been in operation for some time; we\nhave identified over 50 different attacks taking place over the past three years.\nNov 2015\nAttack on French Diplomat\nWe observed a targeted attack in November directed at an individual working for\nthe French Ministry of Foreign Affairs. The attack involved a spear-phishing email\nsent to a single French diplomat based in Taipei, Taiwan and contained an invitation\nto a Science and Technology support group event.\nEarly 2017\nIn the beginning of 2017, Kaspersky Lab became aware of new activities by an\nAPT actor we have been tracking for several years called Spring Dragon (also\nknown as LotusBlossom).\nInformation about the new attacks arrived from a research partner in Taiwan and we\ndecided to review the actor’s tools, techniques and activities.\nUsing Kaspersky Lab telemetry data we detected the malware in attacks against\nsome high-profile organizations around the South China Sea.\nJan 2018\nAttacks on Association of South East Asian Nations (ASEAN) countries\nDuring the last weeks of January (2018), nation state actors from Lotus Blossom\nconducted a targeted malware spam campaign against the Association of South East\nAsian Nations (ASEAN) countries.\nJan 2018\nBack in January 2018, TAA triggered an alert at a large telecoms operator in\nSoutheast Asia.\nJun 2018\nSince Symantec first exposed the Thrip group in 2018, the stealthy China-based\nespionage group has continued to mount attacks in South East Asia, hitting military\norganizations, satellite communications operators, and a diverse range of other\ntargets in the region.\nMar 2022 Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in\nMultiple Asian 
Countries\nAug 2024\nBillbug: Intrusion Campaign Against Southeast Asia Continues\nInformation MITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3b0d3a5d-1858-4be6-b23e-c2620e6e1065",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3b0d3a5d-1858-4be6-b23e-c2620e6e1065"
	],
	"report_names": [
		"showcard.cgi?u=3b0d3a5d-1858-4be6-b23e-c2620e6e1065"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792081,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbb0e19845f0e302c142e7db242020b24a2160a5.pdf",
		"text": "https://archive.orkl.eu/cbb0e19845f0e302c142e7db242020b24a2160a5.txt",
		"img": "https://archive.orkl.eu/cbb0e19845f0e302c142e7db242020b24a2160a5.jpg"
	}
}