Lotus Blossom

G0030 · China · Espionage · MITRE ATT&CK

Also known as: DRAGONFISH · Spring Dragon · RADIUM · Raspberry Typhoon · Bilbug · Thrip

Overview

Lotus Blossom is a long-standing threat group that has largely targeted various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.

Targets

Government · Military · Private sector

Regions

Hong Kong · Indonesia · Japan · Philippines · Taiwan · United States · Vietnam

Capabilities

  • Custom malware/implant development — ATT&CK: 4 attributed custom malware families

TTPs — 21 techniques across 9 tactics

Resource Development

Persistence

Defense Impairment

Credential Access

Collection

Command and Control

Tools & malware (9)

AdFind · Ping · Impacket · Emissary · Elise · Hannotog · NBTscan · Sagerunex · certutil

Reporting (3)