Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants

Summary:
Lotus Panda, a suspected China-nexus APT group active since at least 2012, has intensified its targeting of government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. Cisco Talos observed Lotus Panda deploying updated versions of its Sagerunex backdoor, including new "beta" variants, demonstrating a focus on long-term persistence and evasion. Sagerunex is the primary payload delivered in these attacks and is exclusively linked to this group, also tracked as Lotus Blossom. The new variants abuse legitimate services such as Dropbox, X (formerly Twitter), and Zimbra as command-and-control (C2) channels, leveraging the services' legitimacy to blend in with normal network traffic. The Sagerunex backdoor is designed to gather sensitive host information, encrypt it, and exfiltrate it to attacker-controlled servers. Lotus Panda employs various other malware in the attack chain for reconnaissance, credential theft using cookie stealers, privilege escalation, and data encryption, showing a comprehensive approach to compromising targets. The initial access vector in this attack chain is unknown, but the attacker has been observed using WMI, infrastructure built into the Windows OS, for lateral movement.

Security Officer Comments:
The surge in long-term persistence and espionage activity in Lotus Blossom operations, and particularly its adaptation of legitimate cloud services like Dropbox for C2, underscores the persistent threat posed by established cyber espionage groups and the importance of dismantling their infrastructure. The use of legitimate services also highlights their defense evasion capabilities. Their focus on critical infrastructure and information sectors highlights the strategic nature of their operations. The reliance on Sagerunex, a tool unique to this group, provides a strong attribution indicator, reinforcing an understanding of their tactics based on their history. The evolution of their C2 infrastructure to blend in with legitimate traffic demonstrates a sophisticated understanding of network defenses, requiring advanced detection and analysis techniques. The use of widely trusted platforms like Zimbra and X (formerly Twitter) for clandestine communications poses a significant challenge, necessitating a shift towards more behavior-based detection to identify and mitigate these threats. Furthermore, the longevity of Lotus Blossom's operations suggests a well-resourced adversary, emphasizing the need for ongoing vigilance and proactive threat hunting.
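As an added example (not code from this page or from Cisco Talos), here is a small behavior-based detector of the kind the comments above call for: it reads proxy log lines and flags hosts that poll a legitimate service such as Dropbox at machine-regular intervals with near-constant request sizes, which is how a backdoor using such a service as its C2 channel stands out from a human-driven sync client. The log lines are constructed, the watched hostnames and thresholds are assumptions, and a Zimbra server would be added under the organization's own hostname.

```python
"""Added example (not from the page or Cisco Talos): a beaconing detector for
proxy logs, aimed at the backdoor-over-legitimate-service pattern above."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO time> <source host> <destination> <bytes>".
SAMPLE_LOG = """\
2025-03-05T09:00:00 ws-14 api.dropboxapi.com 512
2025-03-05T09:05:01 ws-14 api.dropboxapi.com 498
2025-03-05T09:10:00 ws-14 api.dropboxapi.com 530
2025-03-05T09:14:59 ws-14 api.dropboxapi.com 505
2025-03-05T09:20:01 ws-14 api.dropboxapi.com 511
2025-03-05T09:01:12 ws-07 api.dropboxapi.com 20480
2025-03-05T09:03:40 ws-07 api.dropboxapi.com 1048576
2025-03-05T10:17:05 ws-07 api.dropboxapi.com 4096
2025-03-05T11:48:51 ws-07 api.dropboxapi.com 70000
2025-03-05T11:49:02 ws-07 api.dropboxapi.com 300
"""
# Services the advisory names as abused C2 channels (hostnames are assumptions).
WATCHED = {"api.dropboxapi.com", "api.twitter.com", "api.x.com"}

def parse_log(text):
    """Parse log text into (timestamp, src, dst, size) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events

def find_beacons(events, min_events=5, max_gap_cv=0.15, max_size_cv=0.25):
    """Flag (src, dst) pairs that poll a watched service at regular intervals with
    near-constant request sizes. The coefficient of variation (CV) of the gaps and
    sizes separates a polling implant from a bursty, size-varied sync client."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        if dst in WATCHED:
            by_pair[(src, dst)].append((ts, size))
    flagged = {}
    for pair, items in by_pair.items():
        items.sort()
        if len(items) < min_events or items[0][0] == items[-1][0]:
            continue  # too few samples, or no time span to measure an interval
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        sizes = [size for _, size in items]
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / (mean(sizes) or 1)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            flagged[pair] = {"interval_s": round(mean(gaps)), "gap_cv": round(gap_cv, 3)}
    return flagged
```

On the constructed log, ws-14 (five-minute polling, ~500-byte requests) is flagged while ws-07 (bursty, widely varying transfer sizes) is not; tune the thresholds against a baseline of the organization's own legitimate traffic to the same services.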

Suggested Corrections:
IOCs are available here.

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://thehackernews.com/2025/03/chinese-apt-lotus-panda-targets.html

https://blog.talosintelligence.com/lotus-blossom-espionage-group/