The cyber espionage group known as Lotus Panda, believed to be linked to China, has escalated its operations targeting various sectors within Southeast Asia. Between August 2024 and February 2025, the group compromised multiple organizations in an unnamed Southeast Asian country, including a government ministry, an air traffic control organization, a telecommunications operator, and a construction company. Additionally, a news agency in another Southeast Asian nation and an air freight organization in a neighboring country were also targeted.
Symantec’s Threat Hunter Team reported that these attacks involved the deployment of several new custom tools, such as loaders, credential stealers, and a reverse SSH tool. This campaign is considered a continuation of previous activities disclosed in December 2024, which had been ongoing since at least October 2023.
In March 2025, Cisco Talos linked Lotus Panda to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan, utilizing a backdoor known as Sagerunex. This backdoor has been in use since at least 2016 and has evolved over time to enhance long-term persistence and evade detection.
Background and Evolution of Lotus Panda
Active since at least 2009, Lotus Panda—also referred to as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip—has a history of orchestrating cyber attacks against governments and military organizations in Southeast Asia. The group first gained public attention in June 2015 when Palo Alto Networks attributed it to a persistent spear-phishing campaign exploiting a Microsoft Office vulnerability (CVE-2012-0158) to distribute a backdoor named Elise (also known as Trensil). This malware was designed to execute commands and read/write files on compromised systems.
Subsequent attacks by Lotus Panda have weaponized other vulnerabilities, such as the Microsoft Windows OLE flaw (CVE-2014-6332), to deploy trojans like Emissary. These campaigns often involved spear-phishing emails with malicious attachments targeting individuals in sensitive positions.
Recent Attack Techniques and Tools
In its latest wave of attacks, Lotus Panda has employed sophisticated techniques to maintain persistence and evade detection:
– DLL Sideloading: The group leveraged legitimate executables from security software vendors, including Trend Micro (tmdbglog.exe) and Bitdefender (bds.exe), to sideload malicious DLL files. These DLLs act as loaders, decrypting and launching next-stage payloads embedded within locally stored files.
– Sagerunex Backdoor: An updated version of the Sagerunex backdoor was deployed, capable of harvesting system information, encrypting it, and exfiltrating the data to external servers under the attackers’ control.
– Credential Stealers: Tools such as ChromeKatz and CredentialKatz were used to siphon passwords and cookies stored in the Google Chrome web browser, providing the attackers with access to sensitive information.
– Reverse SSH Tool: This tool facilitated remote access to compromised systems, allowing the attackers to maintain control over the infected networks.
– Use of Legitimate Tools: The attackers deployed publicly available tools like Zrok, a peer-to-peer application, to provide remote access to services exposed internally. Additionally, a tool named datechanger.exe was used to alter file timestamps, likely to hinder forensic analysis.
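As an added defender-side example (not code from the report or from Symantec), the following Python heuristic flags the sideloading pattern described above in Sysmon Event ID 7 (ImageLoad) style telemetry: the named vendor executables running outside their expected install directory, loading an unsigned DLL, or loading a DLL from a user-writable path. The vendor install paths, writable-location prefixes and sample events are constructed assumptions.

```python
"""Heuristic flag for DLL sideloading in Sysmon Event ID 7 (ImageLoad) style
records. Added example, not code from the report; vendor install paths,
writable prefixes and the sample events are constructed assumptions."""

# Legitimate binaries named in the report -> directory they are expected to run from.
EXPECTED_DIRS = {
    "tmdbglog.exe": r"C:\Program Files\Trend Micro",   # assumed install path
    "bds.exe": r"C:\Program Files\Bitdefender",        # assumed install path
}
# Locations a standard user can write to; a vendor binary loading a DLL from
# here (rather than its own install directory) is a classic sideloading sign.
USER_WRITABLE = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")

def _under(path, root):
    """Case-insensitive test that a Windows path is root or lies below it."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")

def sideload_findings(events):
    """Return one finding per suspicious load; events for other images are skipped."""
    findings = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        exe_dir, exe_name = exe.rsplit("\\", 1)
        expected = EXPECTED_DIRS.get(exe_name.lower())
        if expected is None:
            continue  # not one of the watched vendor binaries
        reasons = []
        if not _under(exe_dir, expected):
            reasons.append("executable outside expected vendor directory")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("loaded DLL unsigned or signature invalid")
        if any(_under(dll.rsplit("\\", 1)[0], w) for w in USER_WRITABLE):
            reasons.append("DLL loaded from user-writable location")
        if reasons:
            findings.append({"image": exe, "dll": dll, "reasons": reasons})
    return findings

# Constructed sample telemetry: one benign load followed by two sideloading patterns.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Trend Micro\tmdbglog.exe",
     "ImageLoaded": r"C:\Program Files\Trend Micro\tmdbglog.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\tmdbglog.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\tmdbglog.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\ProgramData\bds.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]
```

Running `sideload_findings(SAMPLE_EVENTS)` reports the second and third events only; the signed DLL loaded from the vendor's own directory is left alone.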
Implications and Recommendations
The continuous evolution of Lotus Panda’s tactics underscores the persistent threat posed by state-sponsored cyber espionage groups. Their ability to adapt and develop new tools highlights the need for organizations, especially those in government and critical infrastructure sectors, to implement robust cybersecurity measures.
To mitigate the risks associated with such advanced threats, organizations should consider the following actions:
1. Regular Security Audits: Conduct comprehensive assessments of network security to identify and address vulnerabilities.
2. Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors to reduce the likelihood of successful social engineering attacks.
3. Advanced Threat Detection: Deploy and maintain up-to-date intrusion detection and prevention systems capable of identifying sophisticated malware and anomalous activities.
4. Patch Management: Ensure timely application of security patches to software and systems to close known vulnerabilities that could be exploited by attackers.
5. Incident Response Planning: Develop and regularly update incident response plans to enable swift action in the event of a security breach.
By adopting a proactive and layered security approach, organizations can enhance their resilience against the evolving tactics of groups like Lotus Panda and safeguard sensitive information from unauthorized access.