Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
Cisco Talos uncovered multiple cyber espionage campaigns attributed to the Lotus Blossom group, targeting the government, manufacturing, telecommunications, and media sectors. The operations use several versions of the Sagerunex backdoor alongside other hacking tools. Lotus Blossom has been active since 2012 and continues to evolve its tactics. New Sagerunex variants use third-party cloud services such as Dropbox, Twitter, and Zimbra for command and control, which makes the traffic harder to distinguish from legitimate activity. The group employs a multi-stage attack chain for long-term persistence, often remaining undetected for months. Victims include organizations in the Philippines, Vietnam, Hong Kong, and Taiwan. The analysis describes Lotus Blossom's techniques, including the use of VMProtect for code obfuscation and the deliberate placement of tools in public folders to evade detection.
Pulse ID: 67c05b0d295ebf7aab02efbd
Pulse Link: https://otx.alienvault.com/pulse/67c05b0d295ebf7aab02efbd
Pulse Author: AlienVault
Created: 2025-02-27 12:31:09
Be advised, this data is unverified and should be considered preliminary. Always do further verification.