The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025.
“Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company,” the Symantec Threat Hunter Team said in a new report shared with The Hacker News. “The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool.”
The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country.
The threat cluster, per Broadcom’s cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023.
Then last month, Cisco Talos connected the Lotus Panda actor to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with a backdoor known as Sagerunex.
Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip) has a history of orchestrating cyber attacks against governments and military organizations in Southeast Asia.
Believed to be active since at least 2009, the group came under the spotlight for the first time in June 2015 when Palo Alto Networks attributed the threat actor to a persistent spear-phishing campaign that exploded a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil) that’s designed to execute commands and read/write files.
Subsequent attacks mounted by the group have weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email to an individual then working for the French Ministry of Foreign Affairs in Taiwan to deploy another trojan related to Elise codenamed Emissary.
In the latest wave of attacks spotted by Symantec, the attackers have leveraged legitimate executables from Trend Micro (“tmdbglog.exe”) and Bitdefender (“bds.exe”) to sideload malicious DLL files, which act as loaders to decrypt and launch a next-stage payload embedded within a locally stored file.
The Bitdefender binary has also been used to sideload another DLL, although the exact nature of the file is unclear. Another unknown aspect of the campaign is the initial access vector used to reach the entities in question.
The attacks paved the way for an updated version of Sagerunex, a tool exclusively used by Lotus Panda. It comes with capabilities to harvest target host information, encrypt it, and exfiltrate the details to an external server under the attacker’s control.
Also deployed in the attacks are a reverse SSH tool, and two credential stealers ChromeKatz and CredentialKatz that are equipped to siphon passwords and cookies stored in the Google Chrome web browser.
“The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to services that were exposed internally,” Symantec said. “Another legitimate tool used was called ‘datechanger.exe.’ It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts.
