The Lotus Panda cyber espionage group, believed to be linked to China, has been tied to a recent campaign that compromised multiple organizations across Southeast Asia between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecom operator, and a construction company, according to a new report from the Symantec Threat Hunter Team.
The attackers utilized a range of custom tools, including loaders, credential stealers, and a reverse SSH tool to execute their campaign. In addition to the primary target organizations, Lotus Panda is also reported to have targeted a news agency in another Southeast Asian country and an air freight organization in a neighboring nation.
Continuation of Long-Standing Espionage Campaign
This latest wave of attacks is considered a continuation of a previously disclosed campaign, first documented by Symantec (Broadcom's cybersecurity division) in December 2024. These ongoing attacks have been targeting high-profile entities in Southeast Asia since at least October 2023. Cisco Talos also recently linked the group to intrusions in the Philippines, Vietnam, Hong Kong, and Taiwan, where the attackers deployed a backdoor known as Sagerunex.
The Lotus Panda group, also referred to as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, has been involved in cyberattacks against government and military organizations in Southeast Asia for over a decade. The group first gained attention in June 2015 when Palo Alto Networks attributed to it a spear-phishing campaign that exploited CVE-2012-0158, a flaw in the MSCOMCTL.OCX ActiveX control reachable through malicious Microsoft Office documents, to deliver a backdoor called Elise (also known as Trensil) that executed commands and manipulated files on the victim host.
Recent Techniques and Tools
In this new campaign, Lotus Panda has abused legitimate, digitally signed executables from the security vendors Trend Micro ("tmdbglog.exe") and Bitdefender ("bds.exe") to sideload malicious DLLs. The technique relies on placing an attacker-controlled DLL, named as one the executable expects to load, in the same directory as the copied executable; the trusted binary then loads it, and the DLL acts as a loader that decrypts and deploys additional payloads. The Bitdefender executable was also used to sideload a second DLL whose purpose remains unclear.
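The side-loading pattern described above leaves a characteristic trace in image-load telemetry: a vendor-signed executable, often running from a path where it was never installed, maps an unsigned DLL from its own directory. The following detection logic is an added example written for this page, not code from the Symantec report or from either vendor. The events are constructed in the shape of Sysmon Event ID 7 (Image loaded) records; the paths, the DLL names and the "staging" directory list are assumptions chosen for illustration, and the two host executable names are the only identifiers taken from the report.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Vendor-signed executables the report names as side-loading hosts.
KNOWN_HOSTS = {"tmdbglog.exe": "Trend Micro", "bds.exe": "Bitdefender"}

# Where a legitimately installed security product binary is expected to live.
INSTALL_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")

# User-writable locations commonly used to stage a copied host executable
# (assumption: tune to the environment).
STAGING_ROOTS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon EID 7 record."""
    image: str              # host process executable
    image_loaded: str       # DLL that was mapped into it
    signed: bool            # Authenticode signature present on the DLL
    signature_status: str   # e.g. "Valid", "Unavailable", "Expired"


def _under(path: str, roots) -> bool:
    p = PureWindowsPath(path)
    return any(PureWindowsPath(r) in p.parents for r in roots)


def sideload_reasons(ev: ImageLoad) -> list:
    """Return the reasons an image load looks like side-loading ([] = benign).

    The primary trigger is an untrusted DLL mapped from the host's own
    directory; the other checks only add context once that trigger fires.
    """
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return []
    same_dir = exe.parent == dll.parent
    dll_trusted = ev.signed and ev.signature_status == "Valid"
    if not (same_dir and not dll_trusted):
        return []
    reasons = ["untrusted DLL loaded from the host executable's own directory"]
    vendor = KNOWN_HOSTS.get(exe.name.lower())
    if vendor:
        reasons.append(f"host is a known side-loading target ({vendor} binary)")
    if not _under(ev.image, INSTALL_ROOTS) and _under(ev.image, STAGING_ROOTS):
        reasons.append("host executable runs from a user-writable staging path")
    return reasons


def triage(events) -> dict:
    """Map each flagged DLL path to its reasons."""
    out = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            out[ev.image_loaded] = reasons
    return out


# Constructed sample events; DLL names are placeholders, not the real ones.
SAMPLE_EVENTS = [
    # Copied vendor binary in a public directory loading an unsigned DLL.
    ImageLoad(r"C:\Users\Public\Libraries\tmdbglog.exe",
              r"C:\Users\Public\Libraries\example_sideload.dll",
              signed=False, signature_status="Unavailable"),
    # Legitimately installed binary loading a system DLL: benign.
    ImageLoad(r"C:\Program Files\Trend Micro\tmdbglog.exe",
              r"C:\Windows\System32\kernel32.dll",
              signed=True, signature_status="Valid"),
    # Installed binary loading a validly signed DLL from its own folder: benign.
    ImageLoad(r"C:\Program Files\Bitdefender\bds.exe",
              r"C:\Program Files\Bitdefender\helper.dll",
              signed=True, signature_status="Valid"),
    # Unsigned DLL dropped into the real install folder still fires.
    ImageLoad(r"C:\Program Files\Bitdefender\bds.exe",
              r"C:\Program Files\Bitdefender\example_sideload.dll",
              signed=False, signature_status="Unavailable"),
]

if __name__ == "__main__":
    for dll, why in triage(SAMPLE_EVENTS).items():
        print(dll)
        for r in why:
            print("  -", r)
```

The rule deliberately does not fire on a signed-and-valid DLL in the host's directory, since vendors ship their own signed libraries beside their executables; in an environment where the expected signer of each host is known, comparing the DLL signer against the host signer is the natural next tightening.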
Additionally, the attackers deployed an updated version of Sagerunex, a backdoor used exclusively by Lotus Panda, to collect information about the compromised host, encrypt it, and exfiltrate it to servers under their control.
The group has also deployed a reverse SSH tool and two credential stealers, ChromeKatz and CredentialKatz, which extract saved passwords and cookies from the Google Chrome browser. The attackers further used the publicly available Zrok peer-to-peer sharing tool to expose services on victims' internal networks and reach them remotely.
To complicate incident analysis and delay response efforts, Lotus Panda also used a legitimate utility called datechanger.exe to alter file timestamps (a technique known as timestomping), so that malicious files no longer stand out in a timeline and analysts have a harder time reconstructing the attackers' movements.
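Timestomping is detectable because user-mode tools change only the timestamps exposed through the file API (the NTFS $STANDARD_INFORMATION attribute), while the $FILE_NAME attribute is maintained by the kernel and is not affected. The checks below are an added example written for this page, not code from the report and unrelated to how datechanger.exe works internally. The records are constructed to resemble the output of an MFT parser; the paths, times and the "baseline" install date are assumptions.

```python
"""Heuristics for timestomped files from parsed $MFT records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class MftRecord:
    """$STANDARD_INFORMATION (si_*) and $FILE_NAME (fn_*) timestamps of one file."""
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec: MftRecord, baseline: Optional[datetime] = None) -> list:
    """Return the indicators found for one record ([] = nothing suspicious).

    baseline: earliest plausible timestamp on the volume (e.g. the OS install
    date); anything claiming to be older than that was set by hand.
    """
    hits = []
    # 1. $FN creation is written by the kernel when the name is created, so a
    #    $SI creation time older than it means the stamp was moved backwards.
    #    (Copying a file does not trigger this: copy sets $SI created to now.)
    if rec.si_created < rec.fn_created:
        hits.append("$SI created predates $FN created")
    # 2. Many timestomping utilities work at one-second granularity, leaving a
    #    zero sub-second part while $FN still carries the real fractional value.
    #    Skipped when $FN is also zero (e.g. files that came from a FAT volume).
    if rec.fn_created.microsecond != 0:
        for name, ts in (("created", rec.si_created), ("modified", rec.si_modified)):
            if ts.microsecond == 0:
                hits.append(f"$SI {name} has a zero sub-second component")
    # 3. Nothing written on this volume can predate the baseline.
    if baseline is not None and min(rec.si_created, rec.si_modified) < baseline:
        hits.append("$SI timestamp predates the volume baseline")
    return hits


def triage(records, baseline: Optional[datetime] = None) -> dict:
    """Map each flagged path to its indicators."""
    return {r.path: h for r in records if (h := timestomp_indicators(r, baseline))}


# Constructed sample records (paths and times invented for the example).
OS_INSTALL = utc(2023, 1, 15, 8, 0, 0)
SAMPLE_RECORDS = [
    # Ordinary file: $SI and $FN agree at creation, later edited.
    MftRecord(r"C:\Users\alice\report.docx",
              si_created=utc(2025, 1, 10, 9, 15, 23, 481236),
              si_modified=utc(2025, 1, 12, 17, 4, 2, 117905),
              fn_created=utc(2025, 1, 10, 9, 15, 23, 481236),
              fn_modified=utc(2025, 1, 10, 9, 15, 23, 481236)),
    # Stomped loader: $SI pushed back to 2019 at whole-second precision.
    MftRecord(r"C:\Users\Public\Libraries\example_sideload.dll",
              si_created=utc(2019, 6, 3, 0, 0, 0),
              si_modified=utc(2019, 6, 3, 0, 0, 0),
              fn_created=utc(2025, 1, 12, 14, 2, 11, 903771),
              fn_modified=utc(2025, 1, 12, 14, 2, 11, 903771)),
    # Legitimately copied file: $SI modified preserved from the source, so it
    # is older than creation, but no indicator fires.
    MftRecord(r"C:\Users\alice\copied.pdf",
              si_created=utc(2025, 2, 1, 10, 0, 0, 250000),
              si_modified=utc(2024, 11, 20, 8, 30, 0, 123400),
              fn_created=utc(2025, 2, 1, 10, 0, 0, 250000),
              fn_modified=utc(2025, 2, 1, 10, 0, 0, 250000)),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS, OS_INSTALL).items():
        print(path)
        for h in hits:
            print("  -", h)
```

Treat the output as leads rather than verdicts: restores from backup, file moves between volumes and archive extraction can legitimately produce a creation time older than $FN, and the sub-second check only helps when the tool used worked at second granularity. Corroborate with the USN journal and $LogFile before drawing conclusions.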