Resources | Picus Security

Lotus Blossom: New Sagerunex Backdoor Variants Are Targeting APAC Governments

Written by Sıla Özeren Hacıoğlu | Mar 28, 2025 6:44:04 AM

Lotus Blossom, also known as Lotus Panda, Billbug, Thrip, and Spring Dragon, is a well-known Chinese Advanced Persistent Threat (APT) group that has remained a persistent and adaptive cyber espionage actor for over a decade. Recently, their operations have come under increased scrutiny due to the deployment of new Sagerunex backdoor variants. These sophisticated tools demonstrate a shift in their tactics, including leveraging third-party cloud services and social media platforms for command-and-control communications. 

In this blog, we will delve into the tactics, techniques, and procedures (TTPs) used by the Lotus Blossom group, explore their recent campaigns involving Sagerunex backdoor variants, and discuss how these operations align with known MITRE ATT&CK tactics.

Attack Kill Chain of Lotus Blossom APT Group Explained

Given the complexity of Lotus Blossom’s attack kill chain, which involves multiple advanced tactics, the following is a high-level overview of their operations. For more information, refer to the following TTP analysis section. 

  1. After gaining initial access to the target network, Lotus Blossom establishes an initial foothold and leverages Windows Management Instrumentation (WMI) for lateral movement across the internal network. 

  2. On compromised machines, the actor deploys tools including RAR archivers, port relays, privilege escalation utilities, custom proxy tools (like Venom), and Chrome cookie stealers to facilitate data collection and command execution. 

  3. They run reconnaissance commands (e.g., tasklist, ipconfig, netstat, dir) to gather system, network, and user information. A key step in the chain involves verifying internet connectivity; if direct access is unavailable, they attempt to leverage existing proxy settings or deploy the Venom proxy tool to relay traffic through other infected hosts. 

  4. Persistence is achieved by installing the Sagerunex backdoor into the Windows Registry and configuring it to run as a service under names mimicking legitimate system components. 

  5. Sagerunex variants then use traditional C2 as well as legitimate services like Dropbox, Twitter, and Zimbra for stealthy communication and data exfiltration.

Analyzing Lotus Blossom Group's Advanced Tactics, Techniques, and Procedures (TTPs)

This section provides a comprehensive analysis of these TTPs, offering insights into how Lotus Panda and their new Sagerunex backdoor variant operate [1], including the malware infection kill chain and the tools they employ.

Initial Access Methods (TA0001)

Lotus Blossom is known for using multiple initial access techniques. In many of their campaigns, they’ve been observed leveraging a mix of social engineering (e.g. spear‐phishing and watering hole attacks), exploiting vulnerabilities in public‐facing applications, and sometimes even acquiring legitimate credentials to breach networks. 

Once they’re in, they deploy their custom Sagerunex malware as a backdoor to maintain persistence and conduct further espionage activities.

Key points can be summarized as below.

  • Social Engineering: Techniques like spear‐phishing (T1566.001) and watering hole attacks (T1189) have been used to lure victims into executing malicious payloads.

  • Exploitation of Public‐Facing Applications: Evidence suggests that Billbug has exploited vulnerabilities in internet‑exposed systems (T1190) to gain a foothold in targeted networks.

  • Credential Abuse: In some cases, attackers have been known to leverage compromised, legitimate login credentials (T1078).

Execution (TA0002)

Command and Scripting Interpreter (T1059) for Discovery

Billbug (a.k.a Lotus Panda) leverages native command-line tools to perform reconnaissance and execute payloads on compromised hosts. The tools employed include:

  • net – Retrieves network and user account information.
  • tasklist – Lists running processes to monitor process activities.
  • quser – Displays user session details.
  • ipconfig – Provides IP configuration information.
  • netstat – Reveals network connections and configurations.
  • dir – Lists directory structures and file details.

After using these commands to gather detailed system information, the attacker assesses whether the compromised machine has internet connectivity, which is critical for coordinating subsequent malicious actions.

Persistence (TA0003)

Registry Run Keys/Startup Folder (T1547.001)

Persistence is the ability of malware to remain active on a system across reboots and logins. In this case, Lotus Blossom achieves persistence by registering their Sagerunex backdoor as a Windows service, making it automatically run every time the system starts.

Each of these reg add commands is used to modify the Windows Registry, a core system database that controls how the OS and software behave.

Let’s go step by step:

1. Create a Persistent Service Using Existing Legitimate Names

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f 

  • Target Key: HKLM\SYSTEM\CurrentControlSet\Services\tapisrv

  • What it does:

    • Sets the ServiceDll value to point to the attacker's DLL (tapisrv.dll), which will be loaded by the service.

    • The Start value 2 means Automatic start on system boot.

 Why this is clever: They're using existing Windows service names like tapisrv to blend in and avoid detection.

2. Repeat for More Services (swprv, appmgmt)

reg add HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\swprv.dll /f 

swprv is the "Microsoft Software Shadow Copy Provider" – a real service. They're hijacking it by pointing it to a malicious DLL.

reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\swprv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt /v Start /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\appmgmts.dll /f 

appmgmt is another real Windows service ("Application Management"). Again, they redirect it to malicious DLLs.

3. Verification Commands

reg query HKLM\SYSTEM\CurrentControlSet\Services\swprv\Parameters
reg query HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters
reg query HKLM\SYSTEM\CurrentControlSet\Services\appmgmt\Parameters 

These reg query commands are used to confirm that the modifications were successful and that the services are now loading the attacker’s DLLs.

So, in summary, by hijacking legitimate Windows service entries, Sagerunex ensures it loads on every boot.

Privilege Escalation (TA0004)

Access Token Manipulation (e.g., T1134.002)

The group employs a privilege adjustment tool that retrieves process tokens and adjusts privileges, enabling the adversary to escalate their access within the target system.

The privilege adjustment tool Lotus Blossom used elevates a process’s permissions by acquiring the security token of a more privileged process

Once launched with the required arguments—such as the target process ID, executable name, and any additional parameters—it logs the input values for debugging and constructs a properly formatted command. This command is then used to initiate a new process with elevated privileges. By leveraging this technique, the attacker can bypass standard security restrictions and perform actions that would normally require administrative rights, making it a key step for privilege escalation or persistence in a compromised environment.

Defense Evasion (TA0005)

Obfuscated Files or Information (T1027)

The Sagerunex backdoor uses obfuscation techniques to conceal its true behavior and evade detection by security tools. One such method is the use of VMProtect, a commercial software protection tool that transforms code into complex, virtualized instructions. This makes the malware's logic extremely difficult to analyze, both for reverse engineers and automated security solutions.

By wrapping its core functions in layers of obfuscation, Sagerunex hides its malicious intent, bypasses signature-based detection, and increases the time and effort required for analysis, which is a common tactic among sophisticated threat actors.

Credential Access (TA0006)

Credentials from Web Browsers (T1555.003)

The Lotus Blossom threat actor leverages an open-source Chrome cookie stealer—packaged as a standalone executable using PyInstaller—to extract sensitive data stored in web browsers. This tool targets Chrome’s internal cookie database (Cookies), which stores encrypted session data for websites. It connects to this local SQLite database, reads the relevant fields, decrypts the cookie values, and writes the harvested credentials to a temporary output file. These stolen cookies can contain session tokens, login states, or authentication data, which the attacker can reuse to impersonate users, access private accounts, or move laterally within a network. 

By automating browser credential theft, Lotus Blossom gains a stealthy and efficient foothold in victim environments, often without triggering alarms from traditional security tools.

import sqlite3

def get_cookies_from_chrome(domain):
    sql = "SELECT host_key, name, path, encrypted_value, is_secure, is_persistent, is_httponly FROM cookies"
    conn = sqlite3.connect("Cookies")
    conn.text_factory = lambda x: str(x, "gbk", "ignore")
    cursor = conn.cursor()
    cursor.execute(sql)
    cookie = ""
    f = open("tmcok43.tmp", "a")
    for hostkey, name, path, encrypted_value, is_secure, is_persistent, is_httponly in cursor.fetchall():
        try:
            is_secure = "true" if is_secure == 1 else "false"
            is_httponly = "true" if is_httponly == 1 else "false"
            is_persistent = "1" if is_persistent == 1 else "0"
            value = chrome_decrypt(encrypted_value)
            if value is not None:
                cookie_line = f"{hostkey}\t{is_secure}\t{path}\t{is_httponly}\t{is_persistent}\t{name}\t{value}\n"
                cookie += cookie_line
                f.write(cookie_line)
        except Exception as e:
            print(e)
        finally:
            pass
    f.close()
    return cookie
if __name__ == "__main__":
    domain = "xxx.com"
    cookie = get_cookies_from_chrome(domain)

Discovery (TA0007)

System Information Discovery (T1082)

The threat actor gathers detailed information about the victim system (e.g., hostname, MAC address, IP configuration) by running a series of native commands. (Commands used for discovery are given under the Execution section.)

Lateral Movement (TA0008)

Remote Services (T1021)

The group frequently leverages tools like Impacket to execute remote commands and move laterally across the network, thereby extending their foothold within the compromised environment.

Collection (TA0009)

Lotus Blossom leveraged a custom archiving tool designed to compress and encrypt sensitive files, enabling stealthy data theft while maintaining operational security. This tool supported targeted file and folder selection, allowing the attacker to exfiltrate specific artifacts such as Chrome and Firefox browser cookie directories, which are valuable for credential theft and session hijacking. 

The archiving process involved outputting the stolen data to a predefined file path, likely in a publicly accessible location such as the C:\Users\Public\Pictures folder—an evasion technique frequently observed in their campaigns. 

This activity aligns with MITRE ATT&CK technique T1560.001 (Archive via Utility) and facilitates follow-on actions such as credential reuse or lateral movement using session tokens.

Command and Control (TA0011)

Application Layer Protocol: Web Protocols (T1071.001)

Sagerunex backdoor variants demonstrate the use of sophisticated C2 evasion techniques by abusing legitimate web-based platforms as covert communication channels. 

Instead of relying on traditional C2 infrastructure, newer versions of Sagerunex communicate via Dropbox, Twitter (X), and the Zimbra open-source webmail platform, using these trusted services to blend in with normal traffic and bypass network defenses.

For instance, the Dropbox variant encrypts and uploads stolen data as .rar files, while Twitter-based variants parse command strings from status updates. The Zimbra version goes a step further by embedding exfiltrated data in draft emails and retrieving commands from inbox content, illustrating how Lotus Blossom weaponizes everyday communication platforms to maintain stealth and persistence.

Encrypted Channel (T1573)

Sagerunex backdoor variants employ encrypted communication channels to securely interact with their command and control (C2) infrastructure. This encryption not only safeguards sensitive data such as exfiltrated files and host metadata during transit but also serves as an evasion tactic against network-based intrusion detection systems (NIDS) and traffic inspection tools. 

Whether communicating with traditional VPS-based C2s or abusing cloud services like Dropbox, Twitter (X), or Zimbra, the backdoor ensures that payloads, commands, and beacons are obfuscated through encryption—often via customized routines or HTTPS-based APIs—making traffic appear benign and further complicating threat hunting efforts.

Proxy: External Proxy (T1090.002)

Customized Venom Proxy Tool

Lotus Blossom utilized a customized version of the Venom proxy tool to enable external proxy communications between infected hosts and their command and control infrastructure. 

Originally developed in Go for legitimate use by penetration testers, the threat actor modified Venom’s source code—most notably within the agent_dispatcher module—to hardcode destination IP addresses directly into each operational function. This ensured that all traffic was funneled to attacker-controlled servers, eliminating the need for dynamic configuration and increasing reliability in contested environments. 

Key functions embedded in the tool include AgentClient and AgentServer for session management, handleShellCmd for remote shell execution, handleUploadCmd for file delivery, handleSocks5Cmd to create SOCKS5 proxy tunnels, and handleLForwardCmd for local port forwarding:

  • AgentClient / AgentServer: Handles the client-server communication setup.
  • InitAgentHandler: Initializes the agent's behavior when it connects.
  • handleSyncCmd: Synchronizes commands or state between client and server.
  • handleListenCmd: Allows the tool to start listening on a specific port.
  • handleConnectCmd: Connects to a remote host or service.
  • handleUploadCmd: Uploads files to the infected machine.
  • handleShellCmd: Opens a remote shell for command execution.
  • handleSocks5Cmd: Establishes a SOCKS5 proxy tunnel.
  • handleLForwardCmd: Sets up local port forwarding.

This tailored version of Venom was critical for maintaining control over systems in segmented or proxy-restricted networks, and it played a persistent role in the later stages of the attack chain, especially for bridging communication between isolated internal assets and external exfiltration points.

Exfiltration (TA0010)

Exfiltration Over C2 Channel (T1041)

After collecting valuable information—such as browser cookies, credentials, and host metadata—and optionally compressing and encrypting it using custom archiving tools or RAR utilities, the data is transmitted through the same covert C2 pathways previously established by Sagerunex. 

These include trusted third-party platforms such as Dropbox, where archived payloads are uploaded as files; Twitter (X), where command responses or data may be encoded within status updates; and Zimbra webmail, where exfiltrated content is stealthily attached to draft or trash emails.

By piggybacking on legitimate web services for exfiltration, the actor effectively bypasses many traditional network defenses, blending malicious activity with normal user traffic and making detection significantly more difficult.

How Does Picus Help Against the Lotus Panda Threat Group Campaigns?

We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.  

Picus Threat Library includes the following threats for the Lotus Panda threat group and their Sagerunex backdoor.

Threat ID

Threat Name

Attack Module

36215

Sagerunex Backdoor Malware Download Threat

Network Infiltration

86470

Sagerunex Backdoor Malware Email Threat

Email Infiltration

30443

Lotus Blossom Threat Group Campaign Malware Email Threat

Email Infiltration

43925

Lotus Blossom Threat Group Campaign Malware Download Threat

Network Infiltration

Defense Strategies Against the Billbug Threat Group's Attacks

To mitigate the impact of Lotus Blossom attack campaigns, organizations should adopt a layered defense approach:

Deploy Advanced Endpoint Detection and Response (EDR) Solutions

Given Lotus Blossom’s use of living-off-the-land commands, custom malware loaders, and stealthy persistence mechanisms—such as modifying legitimate service registry keys and hijacking trusted cloud platforms for C2—traditional antivirus solutions are unlikely to detect these threats. To effectively counter such advanced tactics, organizations should invest in modern Endpoint Detection and Response (EDR) platforms that offer behavior-based detection, real-time telemetry, and automated response capabilities. 

Robust EDR tools can identify suspicious behaviors like unusual registry modifications, encrypted communications with third-party services (e.g., Dropbox, Zimbra), and unauthorized proxy tool deployments such as the customized Venom variant.

Early detection of these techniques allows for immediate containment, investigation, and remediation before attackers achieve lateral movement or data exfiltration. Deploying EDR across critical systems is essential for disrupting multi-stage espionage campaigns like those carried out by Lotus Blossom.

Continuously Test and Validate Security Controls

In light of Lotus Blossom’s evolving tactics—ranging from initial access via unknown vectors to lateral movement using WMI and stealthy backdoor deployment via Windows services—organizations must move beyond passive defense. Implementing Breach and Attack Simulation (BAS) platforms, such as Picus Security Control Validation (SCV), enables security teams to emulate realistic, multi-stage attack scenarios that mirror the tactics, techniques, and procedures (TTPs) observed in Lotus Blossom campaigns. 

By continuously testing your environment against these scenarios, BAS tools can expose blind spots, validate existing controls, and generate actionable insights to improve detection and response capabilities—helping you stay one step ahead of sophisticated adversaries.

Implement Network Segmentation and a Zero Trust Model

Segment your network to limit lateral movement in the event of a breach. Embrace a Zero Trust security model that continuously verifies every user and device, ensuring that even if an attacker gains access, the damage is contained within a limited segment of your network.

Develop and Regularly Test an Incident Response Plan

In the face of sophisticated and long-dwell threats like those posed by Lotus Blossom, having a well-defined and thoroughly tested incident response (IR) plan is critical. Given the group’s stealthy tactics—such as registry-based persistence, encrypted communications over trusted platforms, and use of customized proxy tools—organizations must be prepared to detect, contain, and investigate threats that may persist undetected for extended periods. 

Your IR plan should outline clear roles and responsibilities, communication protocols, and step-by-step procedures for responding to advanced persistent threats (APTs). Regular tabletop exercises and simulations based on real-world TTPs (e.g., credential theft, WMI-based lateral movement, and cloud service abuse) will ensure your team is equipped to act quickly and decisively when a breach is discovered.

References

[1] J. Chen, “Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools,” Cisco Talos Blog, Feb. 27, 2025. Available: https://blog.talosintelligence.com/lotus-blossom-espionage-group/. [Accessed: Mar. 24, 2025]