- The group hit government, air traffic control and telecommunications organizations in Southeast Asia
- The victims have not been named
- Lotus Panda used infostealers and loaders while remaining undetected
Lotus Panda, a Chinese state-sponsored threat actor, has compromised several organizations across a number of Southeast Asian countries in a campaign that ran from mid-2024 to early 2025.
Cybersecurity researchers from Symantec's Threat Hunter team said the organizations included government agencies, air traffic control organizations, telecommunications operators and a construction company in one country, a news agency in another and an air freight organization in a third. The victim organizations have not been named.
In the attacks, the group used malware, loaders, credential stealers and reverse SSH tools.
Chinese cyber-spies
Lotus Panda is said to have abused legitimate executables from the antivirus companies Trend Micro and Bitdefender, using them to load malicious DLL files that dropped and decrypted the second-stage payloads. The threat actor also reportedly used an updated version of Sagerunex, a tool exclusive to the group that can steal sensitive information and exfiltrate it, encrypted, to a third-party server. However, it is not known how the group achieved the initial breach.
Other notable tools used in this campaign are the ChromeKatz and CredentialKatz infostealers.
“The attackers deployed the publicly available peer-to-peer tool Zrok, using the tool's sharing function to provide remote access to internal services,” Symantec said. “Another legitimate tool used was called ‘Datechanger.exe’. It is able to modify the timestamps of files, probably to muddy the waters for incident analysts.”
Lotus Panda is a known state-sponsored group, sometimes reported as Billbug, Lotus Blossom, Thrip, Spring Dragon and Bronze Elgin. The group is believed to have been active since 2009 and focuses mainly on cyber-espionage. Its usual targets are government agencies, defense organizations, telecommunications operators and media outlets in Southeast Asia.
Lotus Panda attacks have also been reported in the United States and Australia, which could suggest that the group is seeking to expand its reach.
Via The Hacker News