Lotus Panda hits unnamed government with bespoke hacking tools and malware


  • The group struck government, air control, and telco firms in Southeast Asia
  • Victims were not named
  • Lotus Panda used never-before-seen infostealers and loaders

Lotus Panda, a Chinese state-sponsored threat actor, managed to compromise multiple organizations in a number of Southeast-Asian countries, in a campaign that took place between mid-2024 and early 2025.

Cybersecurity researchers from the Symantec Threat Hunter Team said the organizations included government agencies, air traffic control organizations, telecom operators, and a construction company in one country, a news agency in another, and an air freight organization in another. The victim countries, or organizations, were not named.

In the attack, the group used never-before-seen malware, loaders, credential stealers, and reverse SSH tools.


Chinese cyber-spies

Lotus Panda allegedly abused legitimate executables from antivirus companies Trend Micro and Bitdefender, using them to sideload malicious DLL files which dropped and decrypted second-stage payloads. The threat actor also allegedly updated Sagerunex, a group-exclusive tool that can steal sensitive information and exfiltrate it, encrypted, to a third-party server. We don’t know how the group made the initial breach, though.

Other notable tools used in this campaign are infostealers ChromeKatz and CredentialKatz.

"The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to services that were exposed internally," Symantec said. "Another legitimate tool used was called 'datechanger.exe.' It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts."

Lotus Panda is a known state-sponsored group, sometimes reported as Billbug, Lotus Blossom, Thrip, Spring Dragon, and Bronze Elgin. The group has allegedly been active since 2009, and is focused primarily on cyber-espionage. Its usual targets are government agencies, defense organizations, telcos and the media in Southeast Asia.

There have also been reports of Lotus Panda attacks in the United States and Australia, which could suggest that the group is looking to expand its reach.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
