- The group hit government agencies, air traffic control and telecommunications in Southeast Asia
- The victims were not named
- Lotus Panda used never-before-seen infostealers and loaders
Lotus Panda, a Chinese state-sponsored threat actor, managed to compromise multiple organizations in several Southeast Asian countries in a campaign that ran between mid-2024 and early 2025.
Cybersecurity researchers from Symantec's Threat Hunter Team said the targets included government agencies, air traffic control organizations, telecommunications operators and a construction company in one country, a news agency in another, and an air freight organization in a third. The victim organizations were not named.
In the attacks, the group used never-before-seen malware, loaders, credential stealers and reverse SSH tools.
Chinese cyber warfare
Lotus Panda reportedly abused legitimate executables from the antivirus companies Trend Micro and Bitdefender, using them to sideload malicious DLL files that dropped and decrypted second-stage payloads. The threat actor also reportedly updated Sagerunex, a tool exclusive to the group that can steal confidential information and exfiltrate it, encrypted, to a third-party server. However, how the group achieved the initial breach is not known.
Other notable tools used in this campaign are the ChromeKatz and CredentialKatz credential stealers.
“The attackers deployed the publicly available Zrok peer-to-peer tool, using the tool's sharing function to provide remote access to services that were exposed internally,” Symantec said. “Another legitimate tool used was called ‘Datachanger.exe’. It is able to change the timestamps of files, presumably to muddy the waters for incident analysts.”
Lotus Panda is a known state-backed group, sometimes reported as Billbug, Lotus Blossom, Thrip, Spring Dragon and Bronze Elgin. The group has reportedly been active since 2009 and focuses mainly on cyber espionage. Its usual targets are government agencies, defense organizations, telecommunications companies and the media in Southeast Asia.
There have also been reports of Lotus Panda attacks in the United States and Australia, which could suggest that the group is looking to expand its scope.
Via The Hacker News