Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
In early March 2025, researchers at Cisco Talos identified new variants of the Sagerunex backdoor actively deployed by the suspected Chinese state-sponsored threat actor Lotus Blossom (also tracked as Billbug, Bronze Elgin, Spring Dragon and Thrip). The campaign aims to gain persistent access to, and exfiltrate sensitive information from, organizations in the telecommunications, government, manufacturing and media sectors across the Philippines, Vietnam, Hong Kong and Taiwan, potentially compromising critical infrastructure and national security interests in those regions.
Key Tactics and Techniques:
Cloud-Based Command-and-Control (C2): Uses legitimate cloud services like Dropbox, Twitter, and Zimbra for its C2 communication. This tactic helps the malware blend in with normal network traffic, making it harder for security tools to detect.
Persistence Mechanisms: Sagerunex is designed as a dynamic link library (DLL) that is injected into the infected endpoint and executed directly in memory; it also installs itself in the system registry and configures itself to run as a service. This ensures that it remains active even after system reboots.
Data Exfiltration: Collects sensitive information from infected systems, encrypts it, and transmits it to remote servers controlled by the attackers.
Spear-Phishing and Watering Hole Attacks: The malware is often delivered through targeted phishing emails or compromised websites that are frequented by the intended victims.
Credential Harvesting: Employs tools to steal credentials stored in web browsers, such as cookies and saved passwords.
Network Reconnaissance: The malware executes commands like netstat and ipconfig to gather information about the network environment.
Mitigation Recommendations:
Monitor Outgoing Traffic: Track where your endpoints send data, watching for unusual patterns, high volumes of outbound traffic, or communication with suspicious cloud accounts or APIs.
Deploy and Maintain Endpoint Detection and Response (EDR) Solutions: EDR tools provide comprehensive visibility into endpoint activity, enabling the detection of suspicious behaviours.
Control Web Access: Maintain blocklists of known phishing, malicious-link and scam sites, and block access to them.
Patch Management: Keep software and systems updated to close vulnerabilities that Sagerunex exploits.
Network Segmentation: Reduce the attack surface and limit potential lateral movement within networks.
User Education: Conduct regular training to raise awareness about phishing and other social engineering tactics.
Develop and Maintain an Incident Response Plan: Establish a comprehensive incident response plan that outlines the procedures for detecting, containing, eradicating, and recovering from security incidents, including potential Sagerunex infections.
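The cloud-based C2 tactic described above blends into legitimate Dropbox and Twitter traffic, so the "monitor outgoing traffic" recommendation in practice means looking for regular, low-jitter request patterns to those APIs rather than for the destinations alone. The following is an added example, not code from the advisory or from Cisco Talos: it parses constructed proxy log lines (the log format, the watched hostnames and the thresholds are assumptions) and flags per-host series of requests to watched cloud API hosts whose intervals are suspiciously regular.

```python
"""Flag hosts beaconing to cloud API endpoints in proxy logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud API hostnames worth baselining; an assumption for this example, not from the advisory.
WATCHED_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.twitter.com"}

# Constructed proxy log lines in an assumed format: "<ISO time> <src> <dest> <bytes_out>".
# Lines are deliberately not in time order to show that the analysis sorts them.
SAMPLE_LOG = """\
2025-03-03T09:00:00 10.0.1.15 api.dropboxapi.com 1480
2025-03-03T09:00:04 10.0.1.22 www.example.com 512
2025-03-03T09:10:01 10.0.1.15 api.dropboxapi.com 1512
2025-03-03T09:20:00 10.0.1.15 api.dropboxapi.com 1475
2025-03-03T09:30:02 10.0.1.15 api.dropboxapi.com 1490
2025-03-03T09:40:00 10.0.1.15 api.dropboxapi.com 1503
2025-03-03T09:12:45 10.0.1.22 api.dropboxapi.com 20480
2025-03-03T11:47:10 10.0.1.22 api.dropboxapi.com 6200
"""


def parse_log(text):
    """Yield (timestamp, src, dest, bytes_out) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, src, dest, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dest, int(nbytes)


def find_beacons(records, min_requests=4, max_jitter=0.2):
    """Return {(src, dest): stats} for (src, dest) pairs whose request intervals are regular.

    jitter is the coefficient of variation of the inter-request gaps; human-driven
    Dropbox use (10.0.1.22 below) is irregular and sparse, a polling implant is not.
    """
    series = defaultdict(list)
    for ts, src, dest, nbytes in records:
        if dest in WATCHED_HOSTS:
            series[(src, dest)].append((ts, nbytes))
    findings = {}
    for key, events in series.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            findings[key] = {"count": len(events), "mean_interval": avg,
                             "jitter": jitter, "bytes_out": sum(n for _, n in events)}
    return findings
```

A hit means the pair deserves triage (which process opened the connection, which account it authenticates as), not that the host is confirmed infected; tune `min_requests` and `max_jitter` against a baseline of your own cloud API traffic.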