The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025.
“Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company,” the Symantec Threat Hunter Team said in a new report shared with The Hacker News. “The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool.”
The intrusion is also said to have targeted a news agency located in another Southeast Asian country and a freight organization located in another neighboring country.
The threat cluster is assessed by Broadcom's cybersecurity division to be a continuation of a campaign the company disclosed in December 2024, which had been targeting high-profile organizations in Southeast Asia since October 2023.
Then last month, Cisco Talos linked the Lotus Panda actor to intrusions aimed at the government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan, carried out with a backdoor known as Sagerunex.
Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, SP.) is believed to have been active since at least 2009. The threat actor has been attributed a persistent spear-phishing campaign that exploited a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor named Elise (aka Trensil), designed to execute commands and read/write files.
Subsequent attacks mounted by the group weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email to an individual working at the French Ministry of Foreign Affairs in Taiwan, in order to deploy another Trojan related to Elise.
In the latest wave of attacks observed by Symantec, the attackers used legitimate executables from Trend Micro (“tmdbglog.exe”) and Bitdefender (“BDS.exe”) to side-load malicious DLL files, which act as loaders that decrypt and launch the next-stage payload.
The Bitdefender binary was also used to side-load another DLL, although the exact nature of that file is unclear. Another unknown aspect of the campaign is the initial access vector used to gain a foothold in the targeted organizations.
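As an added illustration of the side-loading pattern described above (example code written for this page, not code from Symantec's report or from the vendors named), the following Python script scans constructed Sysmon-style image-load records and flags cases where one of the two vendor executables named in the report maps a DLL from its own directory while either running outside its expected install path or loading a DLL that is unsigned or carries an invalid signature. The record format, the expected install directories, and every DLL name in the sample events are assumptions made for this example.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legitimate signed host executables named in the Symantec report (taken from the page).
KNOWN_HOSTS = {"tmdbglog.exe", "bds.exe"}

# Where each host binary is expected to live. Assumption: illustrative defaults
# chosen for this example, not values from the report.
EXPECTED_DIRS = {
    "tmdbglog.exe": r"c:\program files\trend micro",
    "bds.exe": r"c:\program files\bitdefender",
}


@dataclass
class ImageLoad:
    image: str              # loading process (Sysmon Event ID 7 "Image")
    loaded: str             # DLL mapped into it ("ImageLoaded")
    signed: bool
    signature_status: str   # e.g. "Valid", "Invalid", "Unavailable"


def parse_record(line: str) -> ImageLoad:
    """Parse one 'Key=Value|Key=Value' image-load record (a constructed text format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def _norm_dir(path: str) -> str:
    # Windows-style directory, lower-cased, without a trailing backslash.
    return ntpath.dirname(path).lower().rstrip("\\")


def _under(directory: str, expected: str) -> bool:
    return directory == expected or directory.startswith(expected + "\\")


def sideload_reason(ev: ImageLoad) -> Optional[str]:
    """Return why this load looks like DLL side-loading, or None if it looks benign."""
    host = ntpath.basename(ev.image).lower()
    if host not in KNOWN_HOSTS or not ev.loaded.lower().endswith(".dll"):
        return None
    host_dir, dll_dir = _norm_dir(ev.image), _norm_dir(ev.loaded)
    if host_dir != dll_dir:
        return None  # DLL resolved from elsewhere (System32 etc.), not the co-location pattern
    reasons = []
    if not _under(host_dir, EXPECTED_DIRS[host]):
        reasons.append("host executable running outside its vendor install path")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("co-located DLL is unsigned or carries an invalid signature")
    return "; ".join(reasons) or None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every record that matches the pattern."""
    hits = []
    for line in lines:
        ev = parse_record(line)
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.image, ev.loaded, reason))
    return hits


# Constructed sample records; the paths and DLL names are invented for this example.
SAMPLE_EVENTS = [
    r"Image=C:\Users\Public\update\tmdbglog.exe|ImageLoaded=C:\Users\Public\update\tmdbglog.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Program Files\Bitdefender\BDS.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\ProgramData\bdtmp\BDS.exe|ImageLoaded=C:\ProgramData\bdtmp\log.dll|Signed=true|SignatureStatus=Invalid",
    r"Image=C:\Program Files\Trend Micro\tmdbglog.exe|ImageLoaded=C:\Program Files\Trend Micro\tmeng.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\Public\update\notepad.exe|ImageLoaded=C:\Users\Public\update\x.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for image, loaded, reason in scan(SAMPLE_EVENTS):
        print(f"SIDELOAD? {image} -> {loaded}: {reason}")
```

Of the five constructed records, only the first and third are reported: a vendor binary executing from a user-writable directory alongside an unsigned DLL, and the same binary in a temporary directory next to a DLL whose signature fails to validate. The second record shows why the same-directory test matters: loading kernel32.dll from System32 is normal and must not be flagged, while the last record shows that the detector is scoped to the named host executables rather than every unsigned DLL on the system.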
The attacks paved the way for an updated version of Sagerunex, a backdoor used exclusively by Lotus Panda. It comes with capabilities to harvest information about the target host, encrypt it, and exfiltrate the details to an external server controlled by the attacker.
Also deployed in the attacks were a reverse SSH tool and two credential stealers, ChromeKatz and CredentialKatz, which are equipped to siphon passwords and cookies stored in the Google Chrome web browser.
“The attackers deployed a publicly available Zrok peer-to-peer tool, using its sharing function to provide remote access to services that were exposed internally,” Symantec said. “Another legitimate tool used was named ‘datechanger.exe.’ It is capable of changing timestamps on files, presumably to muddy the waters for incident responders.”