Lotus Panda, a suspected Chinese hacking crew, poses a significant threat to various sectors including government and telecommunications in Asia. Utilizing the Sagerunex backdoor since 2016, the group exhibits increased sophistication with long-term command shells and new malware variants. Their recent activities include the targeting of government and defense agencies, exploiting both known and new variants to deploy malware via familiar services like Dropbox. The exact methods of intrusion remain unclear, but their past tactics include spear-phishing and watering hole attacks, indicating a persistent and evolving threat.
"Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite," noted Cisco Talos researcher Joey Chen.
The exact initial access vector used to breach the entities in the latest set of intrusions is not known, although the group has a history of conducting spear-phishing and watering hole attacks.
The activity is noteworthy for the use of two new "beta" variants of the malware, which leverage legitimate services like Dropbox, X, and Zimbra as command-and-control tunnels to evade detection.
The backdoor is designed to gather target host information, encrypt it, and exfiltrate the details to a remote server under the attacker's control.
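Because the described variants route command-and-control through legitimate services, the usual "unknown domain" indicators do not apply; one observable that remains is the regular, low-volume polling an implant performs against a service API. The following is an added detection example, not code from the Cisco Talos report or from the Sagerunex analysis. The log format, the watched hostnames, the host names and every log line are constructed for illustration, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Beaconing heuristic over constructed proxy log lines.

Added example (not from the Cisco Talos report): flags hosts that contact
cloud-service API endpoints such as Dropbox's at near-constant intervals,
which is one observable of a backdoor tunnelling C2 through a legitimate
service. The log format and the domain list are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: service endpoints an implant might use as a C2 tunnel.
WATCHED_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com", "api.x.com"}

# Constructed sample log: "<ISO timestamp> <src_host> <dest_domain> <bytes_out>"
# ws-17 polls every ~5 minutes with tiny payloads; ws-42 is a user syncing files.
SAMPLE_LOG = """\
2025-03-04T09:00:00 ws-17 api.dropboxapi.com 512
2025-03-04T09:05:01 ws-17 api.dropboxapi.com 498
2025-03-04T09:10:00 ws-17 api.dropboxapi.com 520
2025-03-04T09:14:59 ws-17 api.dropboxapi.com 505
2025-03-04T09:20:00 ws-17 api.dropboxapi.com 511
2025-03-04T09:25:01 ws-17 api.dropboxapi.com 499
2025-03-04T09:02:13 ws-42 content.dropboxapi.com 2048000
2025-03-04T09:02:40 ws-42 content.dropboxapi.com 1048576
2025-03-04T10:47:05 ws-42 content.dropboxapi.com 4096000
2025-03-04T11:31:52 ws-42 content.dropboxapi.com 8192
2025-03-04T13:05:22 ws-42 content.dropboxapi.com 65536
2025-03-04T15:58:09 ws-42 content.dropboxapi.com 9000
2025-03-04T09:03:00 ws-42 www.example.com 300
"""


def parse_log(text):
    """Yield (timestamp, src_host, dest_domain, bytes_out) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dest, int(nbytes)


def find_beacons(text, min_requests=5, max_cv=0.1, domains=WATCHED_DOMAINS):
    """Return {(src, dest): mean_interval_seconds} for regular contact patterns.

    A (host, domain) pair is flagged when it has at least `min_requests`
    requests to a watched domain and the coefficient of variation of the
    inter-request intervals is at most `max_cv` (near-constant spacing).
    Human-driven sync traffic is bursty and falls outside that band.
    """
    times = defaultdict(list)
    for ts, src, dest, _ in parse_log(text):
        if dest in domains:
            times[(src, dest)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg)
    return flagged


if __name__ == "__main__":
    for (src, dest), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dest}: ~{period}s period, review for C2 tunnelling")
```

On the constructed input only ws-17 is reported (a period of about 300 seconds); the file-sync host ws-42 has irregular gaps and is ignored. In practice the heuristic is a triage aid: a flagged pair should be checked against the process making the requests and against the volume and direction of data, since a scheduled backup client can also poll regularly.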