Lotus Blossom

Lotus Blossom is a long-established China-linked advanced persistent threat group believed to have been active since at least 2009. Known aliases in the provided content include Billbug, Thrip, APT30, Lotus Panda, LotusBlossom, Raspberry Typhoon, Bronze Elgin, Dragonfish, Radium, Spring Dragon, and Bilbug. Symantec concluded after a 2019 investigation that Thrip and Billbug were most likely the same group, and recent reporting also links Lotus Blossom to Billbug and Raspberry Typhoon. The group is associated with espionage activity and selective intrusions against government, defense, telecommunications, financial, IT services, and other organizations, with a strong regional focus on Asia. Symantec attributed a campaign active since at least March 2022 to Billbug/Lotus Blossom/Thrip that targeted a digital certificate authority in an Asian country as well as multiple government and defense agencies in Asia. In at least one government victim, the attackers compromised a large number of machines. Symantec assessed this activity as espionage-driven. Rapid7 also attributed, with moderate confidence, the 2025 Notepad++ supply chain compromise to Lotus Blossom, assessing that campaign as highly selective and targeting government, telecommunications, and financial sectors. Kaspersky identified victims in Vietnam, El Salvador, Australia, the Philippines, and targeted government, financial, and IT service entities. Observed tradecraft in the provided content includes spearphishing with malicious attachments, including malicious DOC attachments, relying on user execution for initial compromise; possible exploitation of public-facing applications for initial access; PowerShell use to download payloads, traverse compromised networks, and conduct reconnaissance; use of dual-use and living-off-the-land tools such as AdFind, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, Winmail, Mimikatz, PsExec, and port scanners; remote system and service enumeration; local staging of compressed and archived data for exfiltration; proxying traffic with HTran; and persistence via Windows services and Windows Registry modifications. The group has configured tools such as Sagerunex to run as Windows services and has installed tools such as Sagerunex by writing them to the Windows registry. Malware and tooling directly mentioned in the content include Sagerunex, Hannotog, Chrysalis, HTran, and Stowaway. Symantec reported reuse of Hannotog and Sagerunex in the 2022-onward espionage campaign. A deployed backdoor in that campaign modified Windows firewall settings with netsh, listened on UDP port 5900, could create or stop services, upload encrypted data, execute cmd.exe commands, gather system information, and download files. Symantec analyzed a Sagerunex sample that used AES256-CBC with 8192 rounds of SHA256 for log and network encryption, stored encrypted configuration/state under %appdata%\microsoft\protect\windows\DMI%X.DAT, altered the file modification year to 2011, and used HTTPS command-and-control with the user agent Mozilla/5.0 (compatible; MSIE 7.0; Win32). Supported Sagerunex commands included listing proxies, executing programs or shell commands, stealing local files, selecting file paths, and dropping files. The attackers also downloaded the Stowaway proxy tool. In the Notepad++ supply chain case, Rapid7 reported delivery of a previously undocumented backdoor named Chrysalis via a trojanized NSIS installer, abuse of Microsoft Warbird obfuscation, DLL side-loading through legitimate renamed binaries including the Bitdefender Submission Wizard, and follow-on deployment of Cobalt Strike and Metasploit. Attribution support cited in the content included the BluetoothService.exe and log.dll side-loading combination previously documented as a hallmark of Lotus Blossom campaigns and a rare API hashing algorithm shared between Chrysalis and Sagerunex. The content also states that Thrip/Lotus Blossom most recently exploited CVE-2012-0158 and CVE-2017-11882 in November 2022.