An advanced cyber-espionage group known as Lotus Blossom is ramping up operations in the South China Sea region, using a stealthy new backdoor malware dubbed Sagerunex. Targeting governments, media, and telecommunications organizations, the group continues to refine its methods, according to a recent analysis by Cisco Talos.
A Decade-Long Threat Still Evolving
Lotus Blossom isn’t new. It’s been active since at least 2012, frequently resurfacing with new techniques and updated malware. Researchers have tracked its operations under various names, including Spring Dragon, Billbug, and Thrip.
Its origins remain unclear. While some cybersecurity firms have linked it to China, Cisco Talos stops short of direct attribution. What is certain, however, is its focus on entities in the Philippines, Vietnam, Hong Kong, and Taiwan—regions of geopolitical tension.
The group’s hallmark is a systematic, multistage attack. It starts with reconnaissance, gathering information on user accounts, networks, and processes through Windows Management Instrumentation (WMI). Once inside a system, it methodically deploys tools for persistence, data theft, and remote control.
How Lotus Blossom’s Malware Works
One of its primary weapons, Sagerunex, has been under development since 2016. It’s a sophisticated remote access tool (RAT) designed to be injected into memory, making detection difficult.
Key steps in the attack process include:
- Checking if the infected system has internet access.
- Deploying Sagerunex if a connection is available.
- If access is blocked, setting up a proxy tunnel using a tool called Venom.
- Stealing browser cookies, escalating privileges, and setting up command shells.
- Using compression tools to bundle and exfiltrate stolen data.
New Variants Designed for Stealth
Recent research has revealed two previously unknown versions of Sagerunex. These variants use unconventional command-and-control (C2) methods, leveraging legitimate cloud services to avoid detection.
- One variant uses Dropbox and Twitter APIs to communicate with its operators.
- Another variant relies on the Zimbra email service to exfiltrate data via a legitimate mail server.
Because traffic to these widely trusted platforms blends in with legitimate activity and is rarely blocked at the perimeter, Lotus Blossom increases its chances of bypassing traditional cybersecurity defenses.
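One way a defender can hunt for the cloud-service C2 pattern described above is to correlate process telemetry with destination hosts and flag processes that have no business talking to Dropbox, Twitter, or the organization's Zimbra server. The following is an added example, not code from Cisco Talos or from the report; the telemetry format, the hostnames, the mail-server name, and the process allow-list are assumptions to be tuned per environment.

```python
"""Hunting heuristic for the cloud-service C2 pattern described above.
Telemetry format, hostnames and the process allow-list are assumptions."""
import json
from collections import Counter

# Hostnames of the services the variants are described as abusing (assumed values).
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.twitter.com"}
# The organisation's own Zimbra mail server (constructed placeholder).
MAIL_HOSTS = {"mail.example.internal"}
# Processes that legitimately talk to these services; tune per environment.
EXPECTED_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                    "outlook.exe", "thunderbird.exe"}
MIN_BEACONS = 3  # repeated contacts from one process strengthen the signal

# Constructed sample endpoint telemetry (one JSON object per line), not real data.
SAMPLE_LOG = """
{"ts": "2025-01-10T08:00:01Z", "process": "chrome.exe", "dest_host": "api.twitter.com"}
{"ts": "2025-01-10T08:00:12Z", "process": "svchost.exe", "dest_host": "api.dropboxapi.com"}
{"ts": "2025-01-10T08:05:12Z", "process": "svchost.exe", "dest_host": "api.dropboxapi.com"}
{"ts": "2025-01-10T08:10:12Z", "process": "svchost.exe", "dest_host": "api.dropboxapi.com"}
{"ts": "2025-01-10T08:11:40Z", "process": "outlook.exe", "dest_host": "mail.example.internal"}
{"ts": "2025-01-10T08:12:03Z", "process": "rundll32.exe", "dest_host": "mail.example.internal"}
"""

def parse_log(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_suspicious(events):
    """Return {(process, host): reason} for connections matching the pattern."""
    hits = {}
    counts = Counter((e.get("process", "").lower(), e.get("dest_host", "").lower())
                     for e in events)
    for (proc, host), n in counts.items():
        if proc in EXPECTED_CLIENTS:
            continue  # a known client reaching the service is expected traffic
        if host in CLOUD_API_HOSTS:
            strength = "beaconing" if n >= MIN_BEACONS else "single contact"
            hits[(proc, host)] = f"unexpected process using cloud API ({strength}, {n} events)"
        elif host in MAIL_HOSTS:
            hits[(proc, host)] = f"non-mail process talking to Zimbra server ({n} events)"
    return hits

if __name__ == "__main__":
    for (proc, host), reason in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{proc} -> {host}: {reason}")
```

In practice the allow-list should be derived from baseline telemetry rather than guessed, and the mail-server check is only meaningful once the Zimbra host is restricted to genuine mail clients.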
What This Means for Regional Security
The focus on government agencies, media, and telecom firms suggests a broader intelligence-gathering mission rather than direct financial gain. These types of attacks often signal state-backed cyber-espionage, though definitive attribution remains elusive.
With its ongoing development of Sagerunex and other tools, Lotus Blossom is demonstrating long-term persistence and adaptability. Organizations in targeted regions must remain vigilant, adopting advanced threat detection and response strategies to counter this evolving cyber threat.