Lotus in Perpetual Bloom: Sustained Espionage in Southeast Asia with Evolving Sagerunex Backdoors

Lotus Blossom is an advanced Chinese-speaking threat actor that has been consistently targeting critical sectors, including government, manufacturing, telecommunications, and media in the Philippines, Vietnam, Hong Kong, and Taiwan. While tracking this actor, we discovered its latest activities, conducted between 2018 and the end of 2024, and we believe it is still active now. So, what tactics did Lotus Blossom use in these attacks, and most importantly, how can we defend against them?

To answer these questions, we will first discuss how Lotus Blossom initially infected the networks of target organizations. Following that, we will discuss the advanced persistence methods employed by Lotus Blossom, including installing the Sagerunex backdoor in the system registry, the WMI commands used for lateral movement, the use of several hacking and open-source tools, and the operation of multiple stages in every campaign. Each stage is carefully executed, indicating a well-planned strategy aimed at achieving long-term objectives. Furthermore, we identified two new Sagerunex variants that mark a significant evolution in their operations. These variants no longer rely on traditional Virtual Private Server (VPS) infrastructure for command-and-control (C2) communications. Instead, they utilize legitimate third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail platform as C2 tunnels, demonstrating enhanced stealth and detection evasion capabilities.

We will then use all the presented information to compare recent attacks of Lotus Blossom with the ones conducted a few years ago and identify common flaws in the actor’s offensive strategy. In turn, finding these flaws will allow us to discuss how to build an efficient defense strategy against further Lotus Blossom attacks.

Joey Chen – Cisco

Joey Chen is working as a cyber threat researcher for Cisco Talos in Taiwan. His major areas of research include incident response, APT/cybercrime investigation, malware analysis, and cryptography analysis. He has been a speaker at Botconf, HITB, Virus Bulletin, CODE BLUE, and HITCON. He is now focusing on the security issues of targeted attacks, emerging threats, and IoT systems. He also develops an automated intelligence platform to help his team get more sleep at night.