Targeting Critical Infrastructure
An espionage-driven threat actor known as “Lotus Blossom” has been actively targeting critical infrastructure across Southeast Asia using a custom backdoor named “Sagerunex.” The group, which has been in operation since 2012, focuses its attacks on government agencies, manufacturing firms, media organizations, and telecommunications networks in Hong Kong, the Philippines, Taiwan, and Vietnam.
According to researchers at Cisco Talos, once Lotus Blossom has a foothold on a host it issues Windows Management Instrumentation (WMI) commands to enumerate user accounts, network configuration, and running processes before deploying its backdoor. The group’s true origin remains unclear; previous reports from other security firms have suggested a possible link to state-sponsored activity, but Cisco Talos has refrained from making a direct nation-state attribution and has only confirmed the regional focus of the attacks.
The Sagerunex Malware Chain
Once access is established, Lotus Blossom deploys Sagerunex on the targeted systems. The backdoor performs an initial system scan before beaconing to its command-and-control (C2) server. If the compromised device cannot reach the internet directly, the attackers fall back on the host’s local proxy settings or the “Venom” proxy tool to relay the connection.
Sagerunex is a remote access tool (RAT) that evolved from an earlier malware family known as “Evora.” It is loaded as a dynamic link library (DLL) and executed directly in memory, which keeps it off disk and lets it operate stealthily on compromised systems. Its capabilities include stealing Chrome cookies, escalating user privileges, creating proxy relays, and compressing stolen files for exfiltration.
Since 2016, Lotus Blossom has been continuously refining Sagerunex, developing newer versions with enhanced persistence mechanisms. Researchers also observed the group’s use of long-term command shells to maintain control over infected systems for extended periods. Cisco Talos’ latest findings reveal the discovery of two previously undocumented variants of Sagerunex, highlighting the group’s ongoing efforts to enhance its cyber espionage operations.
New Variants and Evasive Tactics
The two newly discovered versions of Sagerunex utilize unconventional communication methods to evade detection. The first variant leverages Dropbox and Twitter APIs for C2 functions, effectively masking its activities by blending in with normal network traffic. The second variant employs the Zimbra API to connect with a legitimate Zimbra mail service, using it as a covert channel for data exfiltration.
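The two behaviours the article describes, WMI-driven host enumeration and C2 riding on third-party cloud APIs, are both detectable from ordinary endpoint telemetry. The following is an added example, not code from Cisco Talos or from the Sagerunex report: a small detection pass over constructed Sysmon-style process-creation and network-connection events. The specific WMI queries, the Dropbox and Twitter API hostnames, the list of “expected” client processes and the use of rundll32.exe as the unexpected process in the sample are all assumptions made for illustration, not indicators taken from the page.

```python
"""Detection pass for (1) WMI reconnaissance bursts and (2) connections to
cloud API hosts from processes that are not normal clients of those services.
Added example; event format, sample events, query strings and host lists are
constructed assumptions, not Sagerunex indicators."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (Sysmon-like). ws-17 shows both behaviours,
# ws-22 runs a single benign-looking WMIC query, ws-41 is the real Dropbox client.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-04T09:00:01", "host": "ws-17", "type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic useraccount get name,sid"}
{"ts": "2025-03-04T09:00:03", "host": "ws-17", "type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic nicconfig get ipaddress,dnsserversearchorder"}
{"ts": "2025-03-04T09:00:05", "host": "ws-17", "type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic process get name,processid,commandline"}
{"ts": "2025-03-04T11:30:00", "host": "ws-22", "type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic process where name='notepad.exe' get processid"}
{"ts": "2025-03-04T09:02:10", "host": "ws-17", "type": "network", "image": "C:\\Windows\\System32\\rundll32.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443}
{"ts": "2025-03-04T09:02:11", "host": "ws-41", "type": "network", "image": "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443}
{"ts": "2025-03-04T09:05:00", "host": "ws-17", "type": "network", "image": "C:\\Windows\\System32\\rundll32.exe", "dst_host": "api.twitter.com", "dst_port": 443}
"""

# Assumed mapping from WMIC command-line fragments to the three recon
# categories the article names (accounts, network config, processes).
RECON_CLASSES = {
    "accounts": ("useraccount", "group", "sysaccount"),
    "network": ("nicconfig", "netuse", "share", "netlogin"),
    "processes": ("process", "service", "startup"),
}

# Assumed API domains and the processes expected to talk to them.
CLOUD_API_HOSTS = ("dropboxapi.com", "api.twitter.com")
EXPECTED_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def load_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def wmi_recon_hosts(events, window_seconds=300, min_categories=2):
    """Return {host: sorted categories} for hosts whose WMIC queries cover at
    least `min_categories` recon categories inside a `window_seconds` window."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["type"] != "process" or not ev["image"].lower().endswith("wmic.exe"):
            continue
        cmd = ev["cmdline"].lower()
        cats = {name for name, needles in RECON_CLASSES.items()
                if any(n in cmd for n in needles)}
        if cats:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats))
    hits = {}
    for host, items in per_host.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(items):          # sliding window from each query
            seen = set()
            for t, cats in items[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                hits[host] = sorted(seen)
                break
    return hits


def suspicious_cloud_c2(events):
    """Return (host, process, destination) for connections to cloud API domains
    from a process that is not an expected client of that service."""
    findings = []
    for ev in events:
        if ev["type"] != "network":
            continue
        dst = ev["dst_host"].lower()
        if not any(dst == d or dst.endswith("." + d) for d in CLOUD_API_HOSTS):
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe not in EXPECTED_CLIENTS:
            findings.append((ev["host"], exe, dst))
    return findings


def correlate(events):
    """Hosts that show both recon and unexpected cloud-API traffic: triage first."""
    recon = wmi_recon_hosts(events)
    c2_hosts = {host for host, _, _ in suspicious_cloud_c2(events)}
    return sorted(c2_hosts & set(recon))


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("WMI recon:", wmi_recon_hosts(evs))
    print("cloud C2 :", suspicious_cloud_c2(evs))
    print("both     :", correlate(evs))
```

The Zimbra variant is harder to cover with a static host list because Zimbra is self-hosted: the equivalent check there is the organization’s own mail server being reached by a process that is not the mail client or a browser, so `CLOUD_API_HOSTS` would be extended with the local Zimbra hostname. Domain or IP reputation is of little use for any of these variants, since the traffic terminates at legitimate services over TLS; the signal is which process made the connection and whether that is normal for the host.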
These tactics demonstrate Lotus Blossom’s adaptability and persistence. Because the C2 traffic terminates at legitimate cloud services over TLS, domain and IP reputation blocking offers little protection; defenders instead have to look at which process is making the connection and whether that usage is normal for the host. The discovery of these new variants underscores the evolving nature of cyber threats in the region, as well as the need for organizations to remain vigilant against advanced cyber espionage campaigns.