A sophisticated cyber-espionage group known as Lotus Blossom is escalating its attacks in the South China Sea, targeting government, media, and telecom organizations. According to a new report from Cisco Talos, the group is using an advanced backdoor malware called Sagerunex. This campaign highlights a persistent and evolving threat focused on intelligence gathering in a region of high geopolitical tension.
A Decade-Old Threat Re-emerges with New Tricks
Lotus Blossom is not a new player in the world of cyber espionage. The group has been active for over a decade, first appearing around 2012. Security researchers track it under several names, including Spring Dragon and Billbug.
While its exact origins are unconfirmed, its activities consistently focus on specific targets. The group has a history of targeting entities in the Philippines, Vietnam, Hong Kong, and Taiwan.
This long-term operation shows the group’s dedication and resources. Lotus Blossom is demonstrating significant persistence and adaptability by continuously updating its tools and techniques to evade modern cybersecurity defenses. Its focus on politically sensitive regions suggests a mission driven by state-level interests.
How the Sagerunex Malware Infiltrates Systems
The primary tool in these recent attacks is Sagerunex, a powerful Remote Access Tool (RAT) that has been in development since at least 2016. It is specifically designed for stealth, often being injected directly into a system’s memory to make it harder for antivirus software to find.
The attack is methodical and unfolds in several stages to ensure deep access and control over the compromised network.
- First, the attackers check if the infected computer has an active internet connection.
- If it does, the Sagerunex malware is deployed to establish a connection with the operators.
- If internet access is restricted, a proxy tool named Venom is used to create a tunnel out of the network.
- Once inside, the malware steals browser cookies, gains higher user privileges, and opens command shells for remote control.
- Finally, it uses compression tools to package stolen data before sending it back to the attackers.
This systematic, multistage attack process allows Lotus Blossom to carefully steal data while remaining hidden for long periods.
Using Trusted Cloud Services for Stealthy Attacks
Recent analysis has uncovered two new versions of Sagerunex that use clever methods to hide their communications. These variants abuse legitimate and widely trusted cloud services to send and receive commands, making their malicious traffic look like normal user activity.
This technique allows the malware to bypass traditional security firewalls, which are often configured to trust traffic from popular platforms. One variant uses Dropbox and Twitter, while the other uses the Zimbra email service.
| Variant Feature | Variant 1 | Variant 2 |
|---|---|---|
| Communication Method | Dropbox & Twitter APIs | Zimbra Email Service |
| Primary Purpose | Command and Control (C2) | Data Exfiltration |
| Platform Type | Cloud Storage & Social Media | Legitimate Mail Server |
By hiding in plain sight, Lotus Blossom significantly increases its chances of a successful attack.
Implications for Security in the South China Sea
The choice of targets is very telling. By focusing on government agencies, media outlets, and telecommunications companies, the group’s goal is clearly not financial. Instead, this points toward a large-scale intelligence-gathering mission.
These types of operations are often the work of state-backed actors seeking strategic advantages related to political, economic, or military intelligence.
Organizations in the targeted regions must assume they are at high risk. The ongoing development of Sagerunex and other tools proves that Lotus Blossom remains a potent and evolving cyber threat. Adopting advanced threat detection and response strategies is now more critical than ever to defend against these sophisticated attacks.