Lotus Panda Expands Cyber Espionage Operations with Upgraded Sagerunex Backdoor

A Chinese state-backed hacking group, known as Lotus Panda (aka Billbug, Lotus Blossom, Bronze Elgin, Spring Dragon, and Thrip), has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan using enhanced variants of the Sagerunex backdoor, according to Cisco Talos researcher Joey Chen.

Evolving Tactics and Malware Enhancements

  • Active Since 2009 – Lotus Panda has been conducting cyber espionage for over a decade, with its activities first exposed by Symantec in 2018.
  • Sagerunex Usage Since 2016 – The group has consistently used Sagerunex, refining it over time for long-term persistence.
  • Unclear Initial Access Method – The initial access vector has not been confirmed; spear-phishing and watering hole attacks are the likely techniques.

New "Beta" Variants Leveraging Legitimate Services

  • The latest Sagerunex variants use Dropbox, X (formerly Twitter), and Zimbra as command-and-control (C2) channels so that beacon traffic blends in with legitimate cloud and webmail traffic.
  • The Zimbra version supports both data exfiltration and command execution: the malware reads its instructions from the contents of a Zimbra mailbox that serves as the C2 channel.
  • Stolen data is encrypted, packaged into RAR archives, and parked in the mailbox's draft or trash folders, where the operators later collect it.
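A mailbox hunt that follows from the staging behaviour above, added here as an example and not taken from the Talos report or from Lotus Panda's tooling: it walks Drafts and Trash and flags any attachment that carries the RAR signature, regardless of the name it was saved under. The mailbox records and their (folder, subject, attachments) layout are constructed for the illustration; a real hunt would pull the same fields from the Zimbra SOAP or REST API.

```python
"""Hunt for Sagerunex-style staging in Zimbra Drafts/Trash folders.

Added example, not Talos or Lotus Panda code.  The mailbox records and
the (folder, subject, attachments) layout are constructed for this
illustration; a real hunt would pull them from the Zimbra SOAP/REST API.
"""
from dataclasses import dataclass, field

# Signature shared by RAR4 ("Rar!\x1a\x07\x00") and RAR5 ("Rar!\x1a\x07\x01\x00")
RAR_MAGIC = b"Rar!\x1a\x07"
STAGING_FOLDERS = {"Drafts", "Trash"}


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class Message:
    folder: str
    subject: str
    attachments: list = field(default_factory=list)


def is_rar(data: bytes) -> bool:
    """Identify the archive by its magic bytes, not by its file extension."""
    return data.startswith(RAR_MAGIC)


def find_staged_archives(messages):
    """Return (folder, subject, attachment name, reason) for every RAR found
    in a staging folder; a RAR hiding behind another extension is called out."""
    findings = []
    for msg in messages:
        if msg.folder not in STAGING_FOLDERS:
            continue
        for att in msg.attachments:
            if not is_rar(att.data):
                continue
            reason = "RAR archive staged in " + msg.folder
            if not att.name.lower().endswith(".rar"):
                reason += f" under a non-RAR name ({att.name})"
            findings.append((msg.folder, msg.subject, att.name, reason))
    return findings


# Constructed mailbox: two staged archives (one mislabelled) and two benign items
SAMPLE_MAILBOX = [
    Message("Drafts", "(no subject)",
            [Attachment("20250304.rar", RAR_MAGIC + b"\x00" + b"\x90" * 64)]),
    Message("Trash", "meeting notes",
            [Attachment("notes.txt", RAR_MAGIC + b"\x01\x00" + b"\x7f" * 64)]),
    Message("Inbox", "Q1 budget",
            [Attachment("budget.rar", RAR_MAGIC + b"\x00" + b"\x10" * 64)]),
    Message("Drafts", "draft reply",
            [Attachment("reply.pdf", b"%PDF-1.7\n" + b"\x00" * 64)]),
]

if __name__ == "__main__":
    for hit in find_staged_archives(SAMPLE_MAILBOX):
        print(hit)
```

Matching on the magic bytes rather than the extension matters because the archive's marker block stays in the clear even when the archive is password-protected with encrypted headers, so the signature survives the encryption step described above. Drafts that never get sent, especially ones with no subject, are themselves a useful secondary signal.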

Additional Tools & Reconnaissance

  • Credential Theft – A custom Chrome cookie stealer harvests saved browser credentials and session cookies.
  • Venom Proxy Utility – Used to bypass network restrictions and connect isolated machines to internet-facing systems.
  • Privilege Escalation & Data Encryption – A privilege-adjustment tool elevates the operator's access, and a custom encryption utility protects stolen data before it is exfiltrated.
  • Network Reconnaissance – Built-in commands such as net, tasklist, ipconfig, and netstat are run to map the target environment.
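The reconnaissance commands above are ordinary Windows binaries, so the detection opportunity is not the commands themselves but a short burst of several of them from one parent process. The following is an added example of that logic, not detection content from the Talos report: it groups process-creation events by parent and alerts when three or more distinct discovery tools run within a minute. The log lines are constructed, and the pipe-delimited layout (timestamp|host|parent pid|parent image|child image|command line) is an assumption standing in for the fields a Sysmon Event ID 1 or EDR process-creation event carries.

```python
"""Flag a burst of host/network discovery commands from one parent process.

Added example, not Talos detection content.  The log lines are
constructed; the pipe-delimited layout (timestamp|host|parent pid|parent
image|child image|command line) is an assumption standing in for the
fields a Sysmon Event ID 1 or EDR process-creation event carries.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries the article lists; net.exe hands most work to net1.exe
RECON_BINARIES = {"net.exe", "net1.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe"}
WINDOW = timedelta(seconds=60)   # how close together the commands must be
MIN_DISTINCT = 3                 # distinct tools needed before alerting


def parse_line(line):
    ts, host, ppid, parent, image, cmdline = line.split("|", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "host": host,
        "ppid": int(ppid),
        "parent": parent,
        # ntpath handles Windows paths correctly even when run on Linux
        "image": ntpath.basename(image).lower(),
        "cmdline": cmdline,
    }


def detect_recon_bursts(lines):
    """Return one alert per parent process that runs MIN_DISTINCT or more
    different discovery tools within WINDOW."""
    by_parent = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev["image"] in RECON_BINARIES:
            by_parent[(ev["host"], ev["ppid"], ev["parent"])].append(ev)

    alerts = []
    for (host, ppid, parent), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            tools = sorted({e["image"] for e in in_window})
            if len(tools) >= MIN_DISTINCT:
                alerts.append({"host": host, "ppid": ppid, "parent": parent,
                               "start": first["ts"].isoformat(), "tools": tools})
                break   # one alert per parent process is enough
    return alerts


# Constructed events: one recon burst from an unsigned binary in AppData,
# one lone ipconfig from explorer.exe, and two svchost commands hours apart
SAMPLE_LOG = r"""2025-03-04T09:12:01|WS-FIN-07|4120|C:\Users\alice\AppData\Roaming\update.exe|C:\Windows\System32\net.exe|net user
2025-03-04T09:12:03|WS-FIN-07|4120|C:\Users\alice\AppData\Roaming\update.exe|C:\Windows\System32\tasklist.exe|tasklist /v
2025-03-04T09:12:09|WS-FIN-07|4120|C:\Users\alice\AppData\Roaming\update.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2025-03-04T09:12:15|WS-FIN-07|4120|C:\Users\alice\AppData\Roaming\update.exe|C:\Windows\System32\netstat.exe|netstat -ano
2025-03-04T09:30:00|WS-FIN-07|6001|C:\Windows\explorer.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2025-03-04T10:05:00|SRV-DC-01|880|C:\Windows\System32\svchost.exe|C:\Windows\System32\net.exe|net start
2025-03-04T11:40:00|SRV-DC-01|880|C:\Windows\System32\svchost.exe|C:\Windows\System32\netstat.exe|netstat -an""".splitlines()

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(alert)
```

Only the first host trips the rule: four different tools in fourteen seconds from the same parent. A single ipconfig from explorer.exe and two svchost commands ninety-five minutes apart fall below the threshold, which is the point of keying on distinct tools within a window rather than on any one command. In production the window and threshold need tuning, and known administration tooling should be excluded by parent image before the rule is allowed to page anyone.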

Adapting to Network Restrictions

If internet access is restricted, Lotus Panda employs two strategies:

  1. Using the victim's proxy settings to establish an external connection.
  2. Deploying the Venom proxy tool to bridge the isolated network with accessible systems.

Expanding Threat & Ongoing Espionage

The continuous evolution of Sagerunex, alongside the use of legitimate services for C2 communication, underscores Lotus Panda's adaptability in executing long-term cyber espionage campaigns across Asia.