{
	"id": "62222934-358e-41f6-bb6b-d2252aa52d72",
	"created_at": "2026-04-06T00:12:02.635346Z",
	"updated_at": "2026-04-10T03:34:27.561206Z",
	"deleted_at": null,
	"sha1_hash": "fd47e3b95ea1e9cc3f077a45dccd6c355ad16b08",
	"title": "Operation Lotus Blossom: A New Nation-State Cyberthreat?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37586,
	"plain_text": "Operation Lotus Blossom: A New Nation-State Cyberthreat?\r\nBy Unit 42\r\nPublished: 2015-06-16 · Archived: 2026-04-05 17:02:55 UTC\r\nToday Unit 42 published new research identifying a persistent cyber espionage campaign targeting government\r\nand military organizations in Southeast Asia. The adversary group responsible for the campaign, which we named\r\n“Lotus Blossom,” is well organized and likely state-sponsored, with support from a country that has interests in\r\nSoutheast Asia. The campaign has been in operation for some time; we have identified over 50 different attacks\r\ntaking place over the past three years.\r\nBackground and Findings\r\nUnit 42 has linked more than 50 individual attacks across Hong Kong, Taiwan, Vietnam, the Philippines, and\r\nIndonesia to the Lotus Blossom group. These attacks share a number of characteristics, including:\r\nThey are against military and government targets\r\nSpearphishing is used as the initial attack vector\r\nThey use a custom Trojan backdoor named “Elise” to gain a foothold\r\nA decoy file appears during initial compromise with Elise, tricking users into thinking they opened a\r\nbenign file\r\nAttacks by the Lotus Blossom group rely heavily on the use of spearphishing emails that use enticing subject lines\r\nand legitimate-looking decoy documents to trick users into opening a malware executable they think is a\r\nlegitimate document. This document is usually a personnel roster for a specific military or government office.\r\nWe believe that the Lotus Blossom group developed the Elise malware specifically to meet the needs of the attack\r\ncampaigns, and we’ve observed three variants across 50 samples during the three-year period of these attacks.\r\nElise is a relatively sophisticated tool, including variants with the ability to evade detection in virtual\r\nenvironments, connect to command-and-control servers for additional instruction, and exfiltrate data.\r\nOperation Lotus Blossom is a prime example of how a well-resourced adversary will deploy advanced tools, over\r\nan extended time period, sometimes years, in order to reach its goals. In this case, the pattern of behavior suggests\r\nthat the actors behind this group were nation-state sponsored, from a country with an interest in the government\r\nand military affairs of Southeast Asian nations.\r\nUnit 42 discovered this attack using the Palo Alto Networks AutoFocus service, which allows analysts to quickly\r\nfind correlations among malware samples analyzed by WildFire. Palo Alto Networks customers are protected from\r\nthe malware used in Operation Lotus Blossom via WildFire and our Security Platform’s Threat Prevention\r\ncapabilities (IPS signature 14358).\r\nWe recommend that other security practitioners review the Indicators of Compromise (IoCs) in the full report to\r\nensure they have not been targets in this campaign, and add the appropriate security controls to prevent future\r\nattacks.\r\nThe full report on Lotus Blossom from Unit 42 can be downloaded here, which includes all IOCs. The IOCs are\r\nalso accessible via GitHub.\r\nVisit Unit 42 for new research and a full list of speaking appearances, as well as to subscribe to updates.\r\nSource: https://unit42.paloaltonetworks.com/operation-lotus-blossom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/operation-lotus-blossom/"
	],
	"report_names": [
		"operation-lotus-blossom"
	],
	"threat_actors": [
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd47e3b95ea1e9cc3f077a45dccd6c355ad16b08.pdf",
		"text": "https://archive.orkl.eu/fd47e3b95ea1e9cc3f077a45dccd6c355ad16b08.txt",
		"img": "https://archive.orkl.eu/fd47e3b95ea1e9cc3f077a45dccd6c355ad16b08.jpg"
	}
}