
Security researchers have identified the Chinese threat actor Lotus Panda (also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip) targeting government, manufacturing, telecommunications, and media sectors across Southeast Asia with enhanced versions of their Sagerunex backdoor.
According to Cisco Talos researcher Joey Chen, “Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite.”
The group, active since at least 2009, has recently focused attacks on entities in the Philippines, Vietnam, Hong Kong, and Taiwan. While the initial access vector remains unidentified, the group has historically relied on spear-phishing and watering hole attacks.
## New “Beta” Variants
The latest campaign features two new “beta” variants of Sagerunex, named for debug strings found in their source code. These variants leverage legitimate services as command-and-control channels:
– Dropbox and X (Twitter) versions (used 2018-2022)
– Zimbra webmail version (active since 2019)
The Zimbra variant is particularly sophisticated, allowing attackers to both collect victim information and issue control commands through email content. After executing commands, the malware packages results as RAR archives and stores them in the mailbox’s draft and trash folders.
## Additional Attack Tools
The threat actor’s arsenal includes:
– Chrome browser cookie stealer
– Venom proxy utility
– Privilege adjustment tools
– Custom data compression and encryption software
When facing restricted internet environments, Lotus Panda employs two strategies: utilizing the target’s proxy settings or deploying the Venom proxy tool to connect isolated machines to internet-accessible systems.
The group conducts reconnaissance using standard commands like net, tasklist, ipconfig, and netstat to gather information about compromised environments.
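Detection logic for the reconnaissance pattern described above, as an added example that is not from the article or from Cisco Talos: it flags a parent process that launches several of the named recon tools within a short window. The event tuples, PIDs and timestamps are constructed sample data, and the field layout is an assumption, not a real EDR schema.

```python
# Added example (not from the original article): flag a burst of the
# reconnaissance commands named above (net, tasklist, ipconfig, netstat)
# launched by the same parent process within a short time window.
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CMDS = {"net.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}

# Constructed sample process-creation events (assumed layout):
# (timestamp, parent_pid, image, command_line)
SAMPLE_EVENTS = [
    ("2025-03-04T10:00:01", 4120, "svchost.exe", "svchost.exe -k netsvcs"),
    ("2025-03-04T10:02:10", 5188, "net.exe", "net user"),
    ("2025-03-04T10:02:11", 5188, "net.exe", 'net group "domain admins" /domain'),
    ("2025-03-04T10:02:15", 5188, "tasklist.exe", "tasklist /v"),
    ("2025-03-04T10:02:20", 5188, "ipconfig.exe", "ipconfig /all"),
    ("2025-03-04T10:02:25", 5188, "netstat.exe", "netstat -ano"),
    ("2025-03-04T11:30:00", 7300, "ipconfig.exe", "ipconfig /all"),  # lone admin use
    ("2025-03-04T14:00:00", 7300, "netstat.exe", "netstat -ano"),    # hours later
]

def parse_event(ev):
    ts, ppid, image, cmd = ev
    return datetime.fromisoformat(ts), ppid, image.lower(), cmd

def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {parent_pid: sorted distinct recon images} for every parent that
    ran at least `min_distinct` different recon tools inside one `window`."""
    by_parent = defaultdict(list)
    for ts, ppid, image, _ in map(parse_event, events):
        if image in RECON_CMDS:
            by_parent[ppid].append((ts, image))
    hits = {}
    for ppid, runs in by_parent.items():
        runs.sort()  # chronological, so each run can open a sliding window
        for i, (start, _) in enumerate(runs):
            seen = {img for ts, img in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits[ppid] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for ppid, tools in find_recon_bursts(SAMPLE_EVENTS).items():
        print(f"recon burst from parent PID {ppid}: {', '.join(tools)}")
```

The window and distinct-tool threshold are the tuning knobs: the lone `ipconfig` from PID 7300 stays quiet, while the tight sequence from PID 5188 is reported.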