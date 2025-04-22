The China-nexus cyberespionage operation Lotus Panda has targeted numerous organizations in a Southeast Asian country, including a government agency, a telecommunications firm, a construction company, and an air traffic control entity, as well as a news agency and an air freight organization in two neighboring countries, in attacks between August and February that used several novel tools, The Hacker News reports.
Intrusions by Lotus Panda, also tracked as Billbug, Lotus Blossom, Bronze Elgin, Thrip, and Spring Dragon, began with the deployment of legitimate Trend Micro and Bitdefender executables that were abused for DLL sideloading, ultimately delivering a new variant of the Sagerunex malware, which gathers host data, encrypts it, and exfiltrates it, according to a report from the Symantec Threat Hunter Team. Alongside the ChromeKatz and CredentialKatz stealers and a reverse SSH tool, Lotus Panda also deployed the legitimate Zrok tool for remote access and datachanger.exe, a file-timestamp changer, to hinder incident analysis. The findings follow a Cisco Talos report detailing Lotus Panda attacks on multiple Asian organizations using the Sagerunex backdoor.
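The sideloading technique described above, where a legitimately signed security-vendor executable is dropped into an attacker-controlled directory so that it loads a malicious DLL placed next to it, leaves a detectable pattern in image-load telemetry. The following is an added example, not code from the article, The Hacker News, or Symantec: a small detection routine run over constructed Sysmon-style image-load records. The record layout, the signer strings, the expected install roots, and the executable and DLL names are all assumptions for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed signer strings for the two vendors named in the article; real
# Authenticode subject names may differ and should be taken from your own telemetry.
SECURITY_VENDOR_SIGNERS = {"trend micro, inc.", "bitdefender srl"}
# Where a vendor product's own binaries are normally installed (assumption).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class ImageLoad:
    """Simplified, constructed image-load record (not a real Sysmon schema)."""
    process: str         # full path of the loading process
    process_signer: str  # Authenticode signer of that process binary
    dll: str             # full path of the loaded DLL
    dll_signed: bool     # whether the DLL carries a valid signature


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Flag a signed security-vendor binary that runs outside its install
    location and loads an unsigned DLL from its own directory."""
    proc = PureWindowsPath(ev.process)
    dll = PureWindowsPath(ev.dll)
    vendor_binary = ev.process_signer.lower() in SECURITY_VENDOR_SIGNERS
    relocated = not ev.process.lower().startswith(EXPECTED_ROOTS)
    same_dir = proc.parent == dll.parent  # PureWindowsPath compares case-insensitively
    return vendor_binary and relocated and same_dir and not ev.dll_signed


def find_sideloads(events):
    """Return the process paths of all records matching the sideload pattern."""
    return [ev.process for ev in events if is_sideload_candidate(ev)]


# Constructed sample events (hypothetical paths and names, not real indicators).
SAMPLE_EVENTS = [
    # Vendor-signed binary relocated to a user temp dir, loading an unsigned DLL beside it: hit
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\vendor_scan.exe", "Trend Micro, Inc.",
              r"C:\Users\alice\AppData\Local\Temp\upd\libcore.dll", False),
    # Same binary in its normal install path loading a signed DLL: benign
    ImageLoad(r"C:\Program Files\Trend Micro\vendor_scan.exe", "Trend Micro, Inc.",
              r"C:\Program Files\Trend Micro\libcore.dll", True),
    # Relocated vendor binary loading a system DLL from System32: benign
    ImageLoad(r"C:\ProgramData\svc\vendor_agent.exe", "Bitdefender SRL",
              r"C:\Windows\System32\kernel32.dll", True),
    # Non-security-vendor signer loading an unsigned plugin: outside this rule's scope
    ImageLoad(r"C:\Users\bob\Downloads\editor.exe", "Some Other Publisher",
              r"C:\Users\bob\Downloads\plugin.dll", False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL sideload:", hit)
```

This is a heuristic, not a signature: it will not fire if the attacker drops the pair under an expected root they can write to, and it says nothing about what the sideloaded DLL does. Note also that a file-timestamp changer of the kind mentioned above alters timestamps on disk, not the timestamps of image-load events already forwarded from the endpoint, so event timelines remain usable even when on-disk metadata has been tampered with.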
