{
	"id": "f2a53d99-ee2c-4fad-a034-6fe75a4cb749",
	"created_at": "2026-04-06T00:16:38.07745Z",
	"updated_at": "2026-04-10T03:35:47.143761Z",
	"deleted_at": null,
	"sha1_hash": "d52eb135b88e22819a6201509ecc0b9d58e216eb",
	"title": "A Deep Dive into Sagerunex – Securite360",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6094180,
	"plain_text": "A Deep Dive into Sagerunex – Securite360\r\nBy Muffin\r\nArchived: 2026-04-05 14:05:45 UTC\r\nFirst post of the year — I wish you all a happy New Year. Habits die hard, so to inaugurate 2026, I have chosen to\r\nwrite about another (likely) China-linked APT.\r\nLotus Blossom, also known as Red Salamander, Lotus Panda, or Billbug, is an intrusion set active since at least\r\n2009. While several pieces of evidence suggest that this intrusion set is linked to China, it is worth noting that\r\nLotus Panda does not appear to leverage the common shared tooling used among Chinese attackers, such as PlugX\r\nor ShadowPad.\r\nIn this post, I delve into one of Lotus Panda’s signature malware families, Sagerunex. While Symantec and Cisco\r\nTalos have already written about this piece of code, I felt like there were still some additional insights to share\r\nabout it.\r\nVictimology\r\nLotus Blossom is known to target the Southeast Asian region, including but not limited to Taiwan, Vietnam, the\r\nPhilippines, Indonesia, and Hong Kong.\r\nhttps://securite360.net/the-intriguing-lotus-a-deep-dive-into-sagerunex\r\nPage 1 of 8\n\nThis intrusion set targets a wide range of sectors, including government organizations, telecommunications,\r\nmanufacturing, as well as banking, energy, media, and the military. It has also targeted digital certificate issuers.\r\nAs a result, the victimology associated with this intrusion set is quite broad.\r\nIn the past, it has also allegedly targeted French diplomats operating in this region. There is a reasonable\r\nprobability that this was a case of tangential targeting, with these diplomats being targeted solely because of their\r\npresence in Southeast Asia. However, according to Symantec, this intrusion set also targeted communications,\r\ngeospatial imaging, and defense sectors in the United States. 
According to Thales, this intrusion set also targeted\r\nFrance and Canada.\r\nAnalysts concur that the offensive operations of this intrusion set aim to collect intelligence.\r\nAttribution\r\nAccording to PwC, Lotus Panda (aka Red Salamander) is a “China-based threat actor”. CrowdStrike goes further,\r\nstating that it “is a targeted intrusion adversary with a suspected nexus to the People’s Republic of China (PRC).”\r\nFor Symantec, Lotus Panda is a “China-linked group”.\r\nSome vendors even attribute Lotus Panda to the People’s Liberation Army, and more specifically to PLA Unit\r\n78020. This attribution appears, however, to stem from a confusion between Lotus Blossom and Naikon. We do\r\nnot find strong evidence in open sources suggesting that these represent either the same intrusion set or distinct\r\nsubclusters of the latter.\r\nThat said, the victimology is fully consistent with a China-linked threat actor. Southeast Asian countries, as well\r\nas high-value and strategic sectors such as those targeted by Lotus Panda, are well-known priority targets for\r\nintrusion sets operating on behalf of the Chinese government.\r\nMoreover, Symantec identified three computers in China being used to launch the Thrip attacks.\r\nIn a notable analysis, Viettel Intelligence also mentioned that this intrusion set appears to operate on UTC+8,\r\nfurther reinforcing the hypothesis that it may be a Chinese-backed intrusion set.\r\nWe therefore believe with a high level of confidence that this intrusion set is operating on behalf of China.\r\nNow that we have a better understanding of Lotus Panda, let’s delve into the analysis of Sagerunex.\r\nMalware Analysis\r\nWhile Symantec and Cisco Talos did a great job analyzing Sagerunex, I thought that this piece of malware still\r\nkept some of its secrets. 
This is why I decided to spend some time working on it (sample\r\nhash: ddb767316a996b0a32bd72a49ab87ed243244e39).\r\nAs with the sample analyzed by Symantec, the one I investigated had no hardcoded configuration. Instead, the\r\nconfiguration is passed as an argument, and Sagerunex creates a file to store it on the computer on which it is\r\nrunning.\r\nFigure: Creating the config file to be used by the malware\r\nMain Features:\r\nSagerunex is shipped with several features, including modifying its configuration, executing commands remotely,\r\ndownloading further files, or sending files to the C2.\r\nFigure: Features of Sagerunex\r\nThis piece of malware therefore appears as an efficient backdoor for espionage purposes.\r\nWhen analyzing the commands supported by the malware, the sample shows that the attacker can execute\r\nexecutable files, DLLs, and arbitrary shell commands via cmd.exe.\r\nFigure: extract of the function used to execute files or commands\r\nThe malware inspects the command string received from the C2 server and determines the execution method\r\nbased on its prefix:\r\nrunexe: executes an .exe file\r\nrundll: loads a DLL and invokes a specified exported function\r\nany other command: is passed directly to cmd.exe for execution\r\nBy parsing these command prefixes, the malware allows the operator to flexibly execute programs, invoke DLL\r\nfunctions, or run arbitrary system commands on the infected host.\r\nCommunications:\r\nTo communicate with its command and control server (C2), Sagerunex uses the following user-agent:\r\nFigure: user-agent used by the malware\r\nThe malware uses WinHTTP for C2 communications. 
It initially attempts to connect using the system’s default\r\nWinHTTP configuration, which may result in a direct connection or the use of a configured proxy. If this attempt\r\nfails, it seems to fall back to multiple explicit proxy discovery mechanisms including WPAD, Internet Explorer,\r\nFirefox, auto-proxy, and preconfigured proxy settings.\r\nTo get the default configuration on the infected machine, the malware attempts to open the registry key that may\r\nstore the proxy configuration:\r\nFigure: Opening the registry key to retrieve the proxy configuration\r\nTo fly under the radar when doing so, Sagerunex leverages Explorer token impersonation. It can then behave\r\nexactly like the logged-in user, ensuring proxy access, registry visibility, filesystem permissions, and reliable C2\r\ncommunication, without spawning a new process:\r\nFigure: Sagerunex uses token impersonation to mimic Explorer.exe\r\nOther:\r\nTo fly under the radar, it is also possible to set up operational time windows for Sagerunex and therefore have it\r\noperate only during office hours, as shown by the following function:\r\nFigure: setting up time windows for the malware (I hope I was not too bad at recreating the custom structure used)\r\nThis strategy, coupled with token impersonation and the usage of proxies, shows that Lotus Panda actively\r\nattempts to avoid the detection of Sagerunex.\r\nConclusion:\r\nIt was definitely worth looking into Lotus Panda. The literature about this intrusion set is not only limited, but its\r\nsignature malware, Sagerunex, is a very interesting piece of code. 
Highly efficient, this malware also attempts to\r\nstay as discreet as possible by leveraging several features, such as token impersonation, the use of default proxy\r\nconfiguration or configured proxies, and the configuration of custom operating time windows. Such an assessment\r\nis also consistent with Cisco Talos’ findings, according to which Sagerunex also leverages legitimate services such\r\nas Dropbox, Twitter, and Zimbra for C2 purposes.\r\nSource: https://securite360.net/the-intriguing-lotus-a-deep-dive-into-sagerunex",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securite360.net/the-intriguing-lotus-a-deep-dive-into-sagerunex"
	],
	"report_names": [
		"the-intriguing-lotus-a-deep-dive-into-sagerunex"
	],
	"threat_actors": [
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d52eb135b88e22819a6201509ecc0b9d58e216eb.pdf",
		"text": "https://archive.orkl.eu/d52eb135b88e22819a6201509ecc0b9d58e216eb.txt",
		"img": "https://archive.orkl.eu/d52eb135b88e22819a6201509ecc0b9d58e216eb.jpg"
	}
}