Dark Web Profile: Lotus Blossom

Lotus Blossom is a long-running, China-attributed APT that evolved from spear-phishing and watering-hole campaigns into sophisticated supply-chain compromises and targeted espionage using custom implants like Elise, Sagerunex, Hannotog, and Chrysalis. The group’s Notepad++ update-channel compromise and prior attacks against diplomatic, military, and maritime infrastructure demonstrate a “low-and-slow” intelligence collection approach emphasizing DLL sideloading, living-off-the-land techniques, and clandestine persistence. #LotusBlossom #Chrysalis

Keypoints

  • Lotus Blossom (also tracked as Billbug/Spring Dragon/Thrip) is a Chinese state‑linked APT active since at least 2009 that focuses on long‑term intelligence collection rather than disruptive operations.
  • The group evolved from Office‑document spear‑phishing (e.g., exploits like CVE‑2012‑0158) and watering‑hole campaigns to sophisticated supply‑chain intrusion tactics, notably compromising Notepad++ update infrastructure in 2025–2026.
  • Custom implants—Elise, Emissary, Sagerunex, Hannotog, and the Chrysalis backdoor—are central to the actor’s persistence and modular C2 capabilities, often delivered via DLL sideloading or service-based installers.
  • Lotus Blossom extensively abuses legitimate administrative utilities (PowerShell, WMI, PsExec, AdFind, Mimikatz) to move laterally, harvest credentials, and blend activity into normal enterprise behavior.
  • Targets include government, military, telecommunications, manufacturing, critical infrastructure, and maritime/logistics entities across Southeast Asia and increasingly globally (Djibouti, Europe, Americas, USA).
  • Mitigations emphasize software integrity checks, supply‑chain monitoring, MFA, constrained native tool usage, registry/service auditing, network segmentation, and threat‑hunting aligned to the actor’s ATT&CK profile.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Lotus Blossom used targeted phishing documents to gain initial access: ‘spear‑phishing emails delivering weaponized Office documents…’
  • [T1189] Drive‑by Compromise (Watering Hole) – The group compromised trusted regional websites to deliver malware: ‘watering hole attacks by compromising trusted regional websites.’
  • [T1195] Supply Chain Compromise – Operators tampered with software update infrastructure to deliver implants: ‘tampered with a legitimate software update channel… compromised the Notepad++ update infrastructure.’
  • [T1574.001] DLL Search Order Hijacking (DLL sideloading) – Attackers loaded malicious components through legitimate updaters via DLL sideloading: ‘used DLL sideloading to load a malicious component through a legitimate updater process.’
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence and loaders were deployed as services: ‘Installed as a service… persistence is typically achieved through Windows services.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Registry autorun entries were used for persistence: ‘registry-based autorun entries.’
  • [T1047] Windows Management Instrumentation (WMI) – WMI was used as a living‑off‑the‑land lateral movement mechanism: ‘Tools such as WMI… are used to move laterally.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was abused to execute and move laterally: ‘PowerShell are used to move laterally.’
  • [T1021] Remote Services (PsExec) – PsExec was used for remote execution and lateral movement: ‘Tools such as… PsExec… are used to move laterally.’
  • [T1087] Account Discovery / Active Directory Discovery – Active Directory reconnaissance was performed with utilities like AdFind: ‘Active Directory reconnaissance with AdFind…’
  • [T1003] OS Credential Dumping – Credential harvesting via Mimikatz and similar utilities was observed: ‘credential harvesting via utilities like Mimikatz have been documented.’
  • [T1055] Process Injection / In‑memory Execution – In‑memory techniques and process injection reduced forensic artifacts: ‘in‑memory execution… process injection.’
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – Backdoors communicated over HTTP/S and legitimate web services: ‘Custom backdoors maintain communication through both traditional HTTP/S channels…’
  • [T1090] Proxy – Proxy chaining and custom relays were used to obfuscate routing: ‘Proxy chaining tools and custom relays have also been observed.’
  • [T1027.002] Obfuscated Files or Information: Encrypted Files – Attackers used encrypted payloads to hide implant contents: ‘encrypted payloads… remain common persistence techniques.’
  • [T1070.006] Indicator Removal on Host: Timestomping – Timestamp manipulation was used to hinder forensic timelines: ‘timestamp manipulation remain common persistence techniques.’
  • [T1218.011] Signed Binary Proxy Execution: rundll32.exe – Legitimate binaries like rundll32 were used to execute malicious modules: ‘Emissary… was often executed through legitimate Windows binaries such as rundll32.’
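The sideloading, service, Run-key and rundll32 techniques listed above all leave endpoint telemetry that can be hunted. The following Python is an added example (not from the SOCRadar profile or any vendor tooling): three small rules run over constructed Sysmon/System-log style events (Event ID 7 image load, 7045 service install, 13 registry value set). The DLL names, directory allowlists, and every path, service name and event in the sample are assumptions chosen for illustration, not observed indicators.

```python
"""Hunting rules for DLL sideloading (T1574.001), service persistence (T1543.003)
and Run-key autoruns via rundll32 (T1547.001 / T1218.011).
All events below are constructed for the example; field names follow Sysmon/System log conventions."""
import re
from typing import Callable, Dict, List, Optional

# DLLs that normally resolve from System32; a copy loaded from a different directory
# next to a trusted EXE is the classic search-order-hijack / sideload pattern. (Assumed list.)
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll", "cryptsp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_DIRS = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\windows\temp")


def _norm(path: str) -> str:
    """Lower-case, strip quotes, unify separators so prefix checks are reliable."""
    return path.strip('"').lower().replace("/", "\\")


def _under(path: str, roots) -> bool:
    p = _norm(path)
    return any(p.startswith(r + "\\") for r in roots)


def _exe_from_cmdline(cmd: str) -> str:
    """Executable part of a service ImagePath / Run value: quoted path or text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _dll_in_args(cmd: str) -> Optional[str]:
    m = re.search(r'([a-z]:\\[^\s,"]+\.dll)', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def rule_sideload(ev: Dict) -> Optional[str]:
    """EID 7: a System32-resident DLL name loaded from the process's own dir or a user-writable dir."""
    dll = _norm(ev["ImageLoaded"])
    if dll.rsplit("\\", 1)[-1] not in SYSTEM_DLLS or _under(dll, SYSTEM_DIRS):
        return None
    proc_dir = _norm(ev["Image"]).rsplit("\\", 1)[0]
    if dll.startswith(proc_dir + "\\") or _under(dll, USER_WRITABLE):
        return f"T1574.001 sideload candidate: {ev['Image']} loaded {ev['ImageLoaded']}"
    return None


def rule_service(ev: Dict) -> Optional[str]:
    """EID 7045: new service whose binary lives outside System32 / Program Files."""
    exe = _exe_from_cmdline(ev["ImagePath"])
    if not _under(exe, TRUSTED_DIRS):
        return f"T1543.003 service outside trusted dirs: {ev['ServiceName']} -> {exe}"
    return None


def rule_run_key(ev: Dict) -> Optional[str]:
    """EID 13: Run-key value that launches a user-writable EXE, or rundll32/regsvr32 with a user-writable DLL."""
    if r"\currentversion\run" not in _norm(ev["TargetObject"]):
        return None
    cmd = ev["Details"]
    exe, dll = _exe_from_cmdline(cmd), _dll_in_args(cmd)
    uses_lolbin = _norm(exe).endswith(("rundll32.exe", "regsvr32.exe"))
    if (uses_lolbin and dll and _under(dll, USER_WRITABLE)) or _under(exe, USER_WRITABLE):
        return f"T1547.001 autorun: {ev['TargetObject']} = {cmd}"
    return None


RULES: Dict[int, Callable[[Dict], Optional[str]]] = {7: rule_sideload, 7045: rule_service, 13: rule_run_key}


def hunt(events: List[Dict]) -> List[str]:
    """Apply the rule matching each event's ID; return the list of findings."""
    findings = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (hypothetical app, paths and service name).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\ExampleApp\updater\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                      # benign
    {"EventID": 7, "Image": r"C:\Program Files\ExampleApp\updater\updater.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\updater\version.dll"},      # sideload
    {"EventID": 7045, "ServiceName": "WinSyncSvc",
     "ImagePath": r'"C:\ProgramData\WinSync\wsvc.exe" -run'},                 # suspicious service
    {"EventID": 7045, "ServiceName": "Dnscache",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k NetworkService"},      # benign
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\Public\upd.dll,Init"},                 # rundll32 autorun
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Tray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},                       # benign
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The directory allowlists are deliberately coarse; in production you would additionally check the loaded DLL's Authenticode signer against the hosting EXE's signer, since a trusted vendor's updater loading an unsigned DLL from its own folder is the strongest single signal for this technique.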
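The timestamp manipulation listed under T1070.006 is detectable because user-mode APIs only rewrite the $STANDARD_INFORMATION timestamps on NTFS, while the $FILE_NAME attribute keeps the values set when the file was created or renamed. This added example (not code from the profile) applies the usual forensic heuristics to constructed MFT-style records; the record layout and sample files are assumptions.

```python
"""Timestomping heuristics over NTFS $STANDARD_INFORMATION (SI) vs $FILE_NAME (FN) timestamps.
Records are constructed for the example; a real MFT parser would supply them."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


@dataclass
class MftTimes:
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftTimes) -> List[str]:
    """Return the reasons a record looks timestomped (empty list = no indicator)."""
    reasons = []
    # SI is writable from user mode; FN is not. SI creation before FN creation is the classic tell.
    if rec.si_created < rec.fn_created:
        reasons.append("SI created precedes FN created")
    # A modification time earlier than the creation time is impossible for an untouched file.
    if rec.si_modified < rec.si_created:
        reasons.append("SI modified precedes SI created")
    # NTFS keeps 100 ns resolution; tools that set whole seconds leave the fraction at zero
    # while the FN values retain sub-second precision.
    si_zeroed = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_precise = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_zeroed and fn_precise:
        reasons.append("SI sub-second precision zeroed while FN retains it")
    return reasons


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: one untouched file and one whose SI times were pushed back to 2019.
SAMPLE_RECORDS = [
    MftTimes(r"C:\Users\Public\report.docx",
             si_created=_t("2024-03-10T09:15:22.123456"), si_modified=_t("2024-03-12T14:02:05.998877"),
             fn_created=_t("2024-03-10T09:15:22.123456"), fn_modified=_t("2024-03-10T09:15:22.123456")),
    MftTimes(r"C:\ProgramData\WinSync\wsvc.exe",
             si_created=_t("2019-07-04T00:00:00.000000"), si_modified=_t("2019-07-04T00:00:00.000000"),
             fn_created=_t("2024-03-10T09:15:22.123456"), fn_modified=_t("2024-03-10T09:15:22.123456")),
]


def scan(records: List[MftTimes]) -> dict:
    """Map each flagged path to its indicator list."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(reasons))
```

Legitimate operations (installers restoring archive timestamps, file copies from FAT volumes) also trip the sub-second rule, so treat it as a prioritisation signal and corroborate with the $LogFile/USN journal before concluding anything.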

Indicators of Compromise

  • [CVE] Exploited vulnerabilities used as initial access vectors – CVE-2025-15556, CVE-2012-0158, and 7 more CVEs (e.g., CVE-2018-0802, CVE-2017-11882).
  • [Malware / Backdoor] Actor implants and loaders observed in campaigns – Chrysalis, Sagerunex (and Elise, Hannotog).
  • [File names / paths] Example binaries and debug artifacts tied to tooling – trojanized update.exe (Notepad++ updater), debug path ‘d:\lstudio\projects\lotus\elise\release\eliseDLL.pdb’.
  • [Binaries / Loaders] Legitimate executables abused to run payloads – rundll32, WinGUp updater (Notepad++ update mechanism).
  • [Tools / Utilities] Dual‑use admin utilities frequently observed during intrusions – AdFind, PsExec (lateral movement), PowerShell, Mimikatz (credential harvesting).
  • [Affected software / services] Compromised platforms or high‑value targets used in campaigns – Notepad++ update channel, a regional Certificate Authority (targeting attempt in 2022).

Read more: https://socradar.io/blog/dark-web-profile-lotus-blossom/