Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Cisco Talos uncovered multiple cyber espionage campaigns attributed to the Lotus Blossom group, targeting the government, manufacturing, telecommunications, and media sectors. The operations use several versions of the Sagerunex backdoor alongside other hacking tools. Lotus Blossom has been active since 2012 and continues to evolve its tactics. Newer Sagerunex variants use third-party cloud services such as Dropbox, Twitter, and Zimbra as command-and-control channels, which lets the C2 traffic blend in with legitimate use of those services and evade network detection. The group employs a multi-stage attack chain for long-term persistence, often remaining undetected for months. Victims include organizations in the Philippines, Vietnam, Hong Kong, and Taiwan. The analysis reveals Lotus Blossom's sophisticated tradecraft, including the use of VMProtect for code obfuscation and the deliberate placement of tools in public folders to avoid detection.
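Because the newer Sagerunex variants relay commands through Dropbox, Twitter, and Zimbra, a plain domain blocklist is useless; the traffic goes to services the organization legitimately uses. What distinguishes an implant from a user is the pattern: a non-browser process contacting the service API at a near-constant interval. The following hunting heuristic is an added example written for this page, not code from Cisco Talos or from the Sagerunex analysis. The proxy log lines, the API hostnames, the Zimbra host, the user-agent hints, and the jitter threshold are all constructed or assumed for illustration and are not indicators from the report.

```python
"""Beaconing heuristic for C2 that hides behind legitimate cloud services.

Added example for this page, not Talos or Sagerunex code.  Every log line,
hostname, user agent and threshold below is constructed or assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed relay hostnames for the services named in the report; the Zimbra
# host is a placeholder for an organization's own mail server.
CLOUD_C2_HOSTS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "api.twitter.com": "twitter",
    "mail.example-zimbra.test": "zimbra",
}
# Assumed substrings that mark interactive browser traffic we want to ignore.
BROWSER_UA_HINTS = ("Mozilla/", "Chrome/", "Safari/", "Edg/")

# Constructed proxy log: "timestamp src_ip host status user_agent"
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 api.dropboxapi.com 200 Microsoft-CryptoAPI/10.0
2024-01-10T09:10:01 10.0.0.5 api.dropboxapi.com 200 Microsoft-CryptoAPI/10.0
2024-01-10T09:20:00 10.0.0.5 api.dropboxapi.com 200 Microsoft-CryptoAPI/10.0
2024-01-10T09:29:59 10.0.0.5 api.dropboxapi.com 200 Microsoft-CryptoAPI/10.0
2024-01-10T09:40:00 10.0.0.5 api.dropboxapi.com 200 Microsoft-CryptoAPI/10.0
2024-01-10T09:03:12 10.0.0.7 api.twitter.com 200 Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2024-01-10T09:41:50 10.0.0.7 api.twitter.com 200 Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2024-01-10T11:15:05 10.0.0.7 api.twitter.com 200 Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2024-01-10T09:05:00 10.0.0.9 www.example.com 200 curl/8.4.0
2024-01-10T09:15:00 10.0.0.9 www.example.com 200 curl/8.4.0
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host, user_agent) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(" ", 4)  # user agent may itself contain spaces
        if len(parts) < 5:
            continue
        ts, src, host, _status, ua = parts
        try:
            yield datetime.fromisoformat(ts), src, host, ua
        except ValueError:
            continue


def find_cloud_beacons(text, min_hits=4, max_jitter_ratio=0.2):
    """Return {(src_ip, service): interval_seconds} for sources that contact a
    cloud relay with a non-browser user agent at a near-constant interval.

    Jitter is measured as the coefficient of variation of the gaps between
    requests; real implants add some randomness, so a small tolerance is kept.
    """
    sessions = defaultdict(list)
    for ts, src, host, ua in parse_log(text):
        service = CLOUD_C2_HOSTS.get(host)
        if service is None:
            continue
        if any(hint in ua for hint in BROWSER_UA_HINTS):
            continue  # interactive browser use of the service is expected
        sessions[(src, service)].append(ts)

    findings = {}
    for key, times in sessions.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings[key] = round(avg)
    return findings


if __name__ == "__main__":
    for (src, service), interval in find_cloud_beacons(SAMPLE_LOG).items():
        print(f"{src} beacons to {service} every ~{interval}s with a non-browser user agent")
```

In the constructed sample only 10.0.0.5 is flagged: it reaches the Dropbox API every ten minutes with a non-browser user agent, while 10.0.0.7's Twitter requests carry a browser user agent at irregular times and 10.0.0.9 never touches a listed relay. On real proxy or TLS logs the user-agent filter should be replaced or supplemented with the originating process name from EDR telemetry, since an implant can trivially spoof a browser user agent.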
OPENCTI LABELS:
apt,backdoor,espionage,persistence,multi-stage attack,cloud services,vmprotect,sagerunex,evora