Sagerunex
Sagerunex is a Windows backdoor/RAT associated exclusively and consistently with the China-linked Lotus Blossom espionage group, also tracked as Billbug, Thrip, Spring Dragon, Lotus Panda, Bronze Elgin, Raspberry Typhoon, and Red Salamander. Reporting states that the group adopted Sagerunex around 2016 and that it became the defining, primary backdoor framework in Lotus Blossom operations for nearly a decade. It has been observed in cyber-espionage campaigns targeting government, defense, manufacturing, telecommunications, media, and a digital certificate authority, with victims reported in the Philippines, Vietnam, Hong Kong, Taiwan, and other Asian countries.
Sagerunex is described as a resilient backdoor that supports modular command execution and multiple communication methods. It is commonly installed as a Windows service for persistence, and Talos reported Lotus Blossom also persisted it via Windows Registry service configuration. The malware is designed to be DLL-injected and executed directly in memory. It supports execution of programs and shell commands, file theft, file download/drop, path selection, proxy enumeration, and collection of host/system information. Symantec also described related backdoor functionality in the campaign as including service creation/stopping, firewall modification via netsh, command execution, file transfer, encrypted upload, and listening on UDP port 5900.
For collection and exfiltration, Sagerunex gathers host information, stages it locally, archives collected materials in RAR format, encrypts collected system data, and exfiltrates it over existing command-and-control channels. Logged data has been stored in an encrypted temporary file at %TEMP%/TS_FB56.tmp during execution; one analyzed sample wrote encrypted logs there only if the file already existed. Symantec reported encrypted configuration and state stored at %appdata%/microsoft/protect/windows/DMI%X.DAT with the file modification year altered to 2011.
Sagerunex uses HTTPS for command-and-control communications and implements multiple proxy-aware connectivity modes, including configured proxy, WPAD, Internet Explorer proxy, Firefox proxy, WinHTTP auto proxy, and direct connection. It has used VPS infrastructure for C2 as well as legitimate third-party services in newer variants. Cisco Talos reported variants using Dropbox, Twitter, and Zimbra webmail as C2 tunnels instead of the original VPS infrastructure. One analyzed sample used the user agent Mozilla/5.0 (compatible; MSIE 7.0; Win32). The malware has also been described as using token impersonation, proxy configuration, and custom operating time windows to remain discreet.
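The user agent quoted above is a concrete, low-cost thing to look for in web proxy logs: genuine Internet Explorer 7 announced itself as `Mozilla/4.0` with a `Windows NT x.y` platform token, so a `Mozilla/5.0 ... MSIE 7.0; Win32` agent is malformed as well as obsolete. The following is an added detection example, not code from the original report or from Mallory. It assumes a simplified, space-separated proxy log format (timestamp, client IP, method, URL, status, quoted user agent); the sample lines are constructed, not captured traffic, and the looser "any MSIE 7.0 agent" heuristic is my addition to the exact-string match.

```python
"""Flag the Sagerunex user agent, and legacy IE7 look-alikes, in proxy logs.

Added example (constructed). Assumed log format per line:
  <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
Real proxy logs need their own parser; only the matching logic is the point.
"""
import re
import shlex

# Exact agent reported for the analysed sample.
SAGERUNEX_UA = "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
# Looser heuristic (my addition): any agent still claiming IE7 on a modern fleet.
LEGACY_IE7_RE = re.compile(r"\bMSIE 7\.0\b")

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.1.2.3 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2024-01-10T09:00:07Z 10.1.2.44 POST https://files.example/2/upload 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
2024-01-10T09:00:09Z 10.1.2.44 GET https://mail.example.org/zimbra/ 200 "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
2024-01-10T09:00:12Z 10.1.2.8 GET https://updates.example.net/ 304 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
"""


def parse_line(line):
    """Split one log line into a dict; shlex keeps the quoted agent together."""
    parts = shlex.split(line)
    if len(parts) != 6:
        return None  # malformed or truncated line: skip rather than guess
    ts, client, method, url, status, ua = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ua": ua}


def classify(ua):
    """'exact' for the reported agent, 'legacy_ie7' for other IE7 agents, else None."""
    if ua == SAGERUNEX_UA:
        return "exact"
    if LEGACY_IE7_RE.search(ua):
        return "legacy_ie7"
    return None


def scan(log_text):
    """Group findings by client IP so one host's repeated beacons stand out.

    Returns {client_ip: {"exact": n, "legacy_ie7": n, "urls": [url, ...]}}.
    """
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind = classify(rec["ua"])
        if kind is None:
            continue
        entry = findings.setdefault(rec["client"],
                                    {"exact": 0, "legacy_ie7": 0, "urls": []})
        entry[kind] += 1
        entry["urls"].append(rec["url"])
    return findings


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG).items():
        print(client, info)
```

Exact matches on the reported string are high confidence; the `legacy_ie7` bucket is a triage aid for hosts whose browser inventory should not contain IE7 at all, and its hits need the destination URLs reviewed before anyone acts on them.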
Additional tradecraft linked to Sagerunex includes code obfuscation with VMProtect, time-based execution delay logic, pre-beacon checks for temp debug logs and configuration files, and access token manipulation: reporting states that Sagerunex locates explorer.exe and uses it to change the token of its executing thread. Symantec reported that one sample required its configuration to be passed through the exported function MainEntry and decrypted it with a simple XOR operation, while log and network communications were encrypted with AES-256-CBC using a key derived from 8192 rounds of SHA-256.
Sagerunex has also been linked by code lineage to other Lotus Blossom tooling. Rapid7 reported that the Chrysalis backdoor used in the 2025 Notepad++ supply-chain compromise shared a rare API hashing algorithm with Sagerunex, indicating shared development lineage.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Furthermore, the custom Chrysalis backdoor deployed in this attack shares a rare API hashing algorithm with the group's exclusive Sagerunex malware, indicating a shared development lineage.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
Privilege Escalation (2 techniques)
Stealth (9 techniques)
Attackers used a sophisticated loader that leverages Microsoft Warbird, an undocumented internal Windows code-protection framework. This allowed them to execute malicious shellcode while masquerading as a legitimate, Microsoft-signed binary, effectively bypassing many security solutions.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The sample stores configuration and state in the following file: %appdata%/microsoft/protect/windows/DMI%X.DAT
The config file modification date will always be in the year 2011 – the “file last edit” year is changed by the malware to 2011.
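The two on-disk artifacts the reports name (the encrypted temporary log at %TEMP%/TS_FB56.tmp in the overview above, and the configuration/state file DMI%X.DAT under %appdata%/microsoft/protect/windows whose modification year is set to 2011) are directly huntable. The script below is an added example, not part of the original reporting and not Lotus Blossom or Mallory code. It assumes that the `%X` in the reported filename is a printf-style hexadecimal field, so it matches `DMI` followed by hex digits; the profile it builds in `demo()` is constructed test data.

```python
"""Hunt for the Sagerunex file artifacts named in the reports (added example).

Checks two indicators:
  * %TEMP%\\TS_FB56.tmp                                   encrypted temp log
  * %APPDATA%\\microsoft\\protect\\windows\\DMI<hex>.DAT  config/state file
    whose modification year the malware rewrites to 2011
Assumption: the '%X' in the reported 'DMI%X.DAT' is a printf hex field.
"""
import datetime
import os
import re
import tempfile

CONFIG_NAME_RE = re.compile(r"^DMI[0-9A-F]+\.DAT$", re.IGNORECASE)
TIMESTOMP_YEAR = 2011
TEMP_LOG_NAME = "TS_FB56.tmp"


def mtime_year(path):
    """Modification year of a file, evaluated in UTC."""
    ts = os.stat(path).st_mtime
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).year


def find_config_files(protect_dir):
    """DMI<hex>.DAT files in protect_dir whose mtime year is the stomped 2011."""
    hits = []
    if not os.path.isdir(protect_dir):
        return hits
    for name in sorted(os.listdir(protect_dir)):
        full = os.path.join(protect_dir, name)
        if (os.path.isfile(full) and CONFIG_NAME_RE.match(name)
                and mtime_year(full) == TIMESTOMP_YEAR):
            hits.append(full)
    return hits


def find_temp_log(temp_dir):
    """Path of TS_FB56.tmp if present in temp_dir, else None."""
    candidate = os.path.join(temp_dir, TEMP_LOG_NAME)
    return candidate if os.path.isfile(candidate) else None


def hunt(appdata=None, temp=None):
    """Run both checks against the live profile, or against supplied directories."""
    appdata = appdata or os.environ.get("APPDATA", "")
    temp = temp or tempfile.gettempdir()
    protect_dir = os.path.join(appdata, "microsoft", "protect", "windows")
    return {"config_files": find_config_files(protect_dir),
            "temp_log": find_temp_log(temp)}


def demo():
    """Constructed profile: one stomped config file, two decoys, one temp log."""
    root = tempfile.mkdtemp(prefix="sagerunex_hunt_")
    protect = os.path.join(root, "appdata", "microsoft", "protect", "windows")
    os.makedirs(protect)
    stomped = os.path.join(protect, "DMI1A2B.DAT")  # hex name, mtime in 2011
    decoy = os.path.join(protect, "DMIZZ.DAT")      # not hex: must not match
    recent = os.path.join(protect, "DMI7F.DAT")     # hex name, current mtime
    for p in (stomped, decoy, recent):
        with open(p, "wb") as fh:
            fh.write(b"\x00" * 16)
    y2011 = datetime.datetime(2011, 6, 1, tzinfo=datetime.timezone.utc).timestamp()
    os.utime(stomped, (y2011, y2011))
    tmp = os.path.join(root, "temp")
    os.makedirs(tmp)
    with open(os.path.join(tmp, TEMP_LOG_NAME), "wb") as fh:
        fh.write(b"\x00" * 16)
    return hunt(appdata=os.path.join(root, "appdata"), temp=tmp)


if __name__ == "__main__":
    print(demo())
```

Run `hunt()` with no arguments on a live Windows profile, or point `appdata` and `temp` at the corresponding directories of a mounted image; a hit on the 2011 timestamp alone is only a lead until the file's contents and the host's process and service list are examined.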
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access (1 technique)
Discovery (4 techniques)
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement (1 technique)
Collection (3 techniques)
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Multiple actors and tools are described as using 7-Zip/WinRAR/zip/tar/gzip/makecab/PowerShell Compress-Archive to compress (often password-protect/encrypt) collected data prior to exfiltration (e.g., “used 7zip to archive extracted data in preparation for exfiltration”, “created password-protected RAR archives prior to exfiltration”, “used built-in PowerShell capabilities (Compress-Archive cmdlet) to compress collected data”).
Command and Control (9 techniques)
APT41 DUST used HTTPS for command and control. APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS. Lumma Stealer has used HTTPS for command and control purposes.
AuditCred can utilize proxy for communications... FunnyDream can identify and use configured proxies in a compromised network for C2 communication... Kapeka can identify system proxy settings via WinHttpGetIEProxyConfigForCurrentUser() during initialization and utilize these settings for subsequent command and control operations... PoshC2 contains modules that allow for use of proxies in command and control.
the sample will try all the following supported connection modes... HTTPS with configured proxy ... use proxy provided by WPAD mechanism ... Use proxy from ... Internet Settings\ProxyServer ... get proxy from \Mozilla\Firefox\profiles.ini ... use proxy obtained from WinHttpGetIEProxyConfigForCurrentUser
"APT28 has used Google Drive for C2."; "APT37 leverages social networking sites and cloud platforms ... for C2."; "FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2."
A tool called Stowaway Proxy Tool was also downloaded to victim machines.
In all cases, HTTPS is used... The network packet is composed of two parts: the header and the payload. Both are encrypted separately.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration (2 techniques)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
29 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Primary modular backdoor framework for Lotus Blossom; commonly installed as a Windows service; newer variants use legitimate cloud/email services for C2 to increase stealth.
Backdoor family described as a defining toolset element for Lotus Blossom operations for nearly a decade.
Backdoor used by Lotus Panda/Lotus Blossom since at least 2016; updated variants used against government and other sectors in parts of Asia.
A long-running backdoor family associated with Lotus Blossom, used for persistent access and espionage across multiple variants over years.