
The group known as Lotus Panda, believed to be linked to China, has once again drawn the attention of cybersecurity experts following a large-scale campaign that targeted multiple organizations across Southeast Asia. Symantec has tracked the group’s operations from August 2024 through February 2025, with victims including a government ministry, an air traffic control agency, a telecommunications provider, and a construction firm. The attacks spanned several countries in the region, extending even to a news agency and a logistics company in neighboring states.
This current wave of intrusions appears to be a continuation of a previous campaign that began no later than October 2023 and was first publicly disclosed in December 2024. It was evident from the outset that the operation was well-coordinated, prolonged, and driven by distinct geopolitical motivations.
Lotus Panda — also known by aliases such as Billbug, Bronze Elgin, and Spring Dragon — has long specialized in cyber operations targeting governmental and military entities in Southeast Asia. The group is believed to have been active since at least 2009, first gaining widespread notoriety in 2015 when it was linked to the distribution of malicious documents exploiting CVE-2012-0158 (CVSS score: 8.8) in Microsoft Office. These exploits were used to deliver the Elise (Trensil) backdoor, capable of executing commands and manipulating files.
Subsequent campaigns employed CVE-2014-6332 — a critical Microsoft Windows OLE vulnerability (CVSS score: 9.3) — via a malicious email attachment sent to a French Ministry of Foreign Affairs employee in Taiwan. This exploit facilitated the deployment of the Emissary Trojan.
Since then, Lotus Panda’s arsenal has expanded considerably. The latest campaign features custom-developed loaders, remote access trojans, and other bespoke tools. Notably, attackers disguised their payloads as legitimate files from Trend Micro and Bitdefender antivirus suites, using them to launch malicious DLLs. These DLLs decrypted and executed the next stage of infection hidden within local files. The exact method of initial compromise remains unknown.
At the core of the operation is an updated version of the group’s proprietary Sagerunex backdoor — a tool capable of system reconnaissance, data encryption, and exfiltration to external servers. Alongside it, the attackers employed a reverse SSH tunneling utility and two tailored data harvesters — ChromeKatz and CredentialKatz — designed to extract saved passwords and browser cookies from Google Chrome.
One particularly noteworthy tactic involved the use of Zrok, an open-source peer-to-peer tunneling tool that enabled covert access to internal victim services while concealing data flows. Additionally, the utility datechanger.exe was deployed to manipulate file timestamps, likely in an effort to hinder forensic analysis and obfuscate the attack timeline.
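Timestamp manipulation of the kind described above leaves traces that forensic triage can score. The following is an added example, not code from the article or from Symantec, that applies the usual timestomping heuristics to NTFS MFT-style records; the record layout, field names and sample values are this example's own assumptions.

```python
"""Heuristic timestomping triage over NTFS MFT timestamps.

Added example, not code from the article or from Symantec. Records are
constructed dicts in a shape an MFT parser might emit (field names are this
example's assumption): $STANDARD_INFORMATION times as si_*, $FILE_NAME
times as fn_*, all UTC epoch floats (NTFS itself keeps 100ns ticks).
"""
from datetime import datetime, timezone
KINDS = ("created", "modified", "accessed", "mft_changed")

def timestomp_indicators(rec, now):
    """Triage reasons (not proof) that rec's $SI timestamps were rewritten:
    $SI before $FN (SetFileTime-style tools touch only $SI), whole-second
    values (tools pass seconds, dropping the 100ns fraction), modified before
    created (weak: copies do this too), or a time after acquisition `now`."""
    hits = []
    for k in KINDS:
        si, fn = rec[f"si_{k}"], rec.get(f"fn_{k}")
        if fn is not None and si < fn:
            hits.append(f"si_{k} precedes fn_{k}")
        if si == int(si):
            hits.append(f"si_{k} has zero sub-second part")
        if si > now:
            hits.append(f"si_{k} is in the future")
    if rec["si_modified"] < rec["si_created"]:
        hits.append("modified before created (weak if file was copied)")
    return hits

def triage(records, now=None):
    """Map each suspicious path to its indicators; clean records are omitted."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return {r["path"]: h for r in records if (h := timestomp_indicators(r, now))}

def mft_record(path, si, fn):
    """Constructed record; si and fn are (created, modified, accessed, mft_changed)."""
    return {"path": path, **{f"si_{k}": v for k, v in zip(KINDS, si)},
            **{f"fn_{k}": v for k, v in zip(KINDS, fn)}}

# Constructed sample: both files dropped 2024-09-08 with genuine fractions; the
# loader's $SI times were then set back to whole-second 2019-01-01, $FN left
# untouched and $SI mft_changed bumped to the moment the tool ran.
T_DROP, T_FAKE = 1725800000.6354712, 1546300800.0
GENUINE = mft_record("C:/ProgramData/app/data.dat",
                     (T_DROP, T_DROP + 3.21, T_DROP + 3.21, T_DROP + 3.21), (T_DROP,) * 4)
STOMPED = mft_record("C:/ProgramData/vendor/loader.dll",
                     (T_FAKE, T_FAKE, T_FAKE, T_DROP + 40.12), (T_DROP,) * 4)
if __name__ == "__main__":
    print(triage([GENUINE, STOMPED]))
```

Each indicator is a triage signal to be confirmed against other artifacts (USN journal, $LogFile, execution evidence), since copied or restored files can trip the weaker checks on their own.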
Amidst Lotus Panda’s renewed activity, experts are once again stressing the importance of robust and continuous system monitoring, particularly within sectors of strategic significance. The blend of legitimate software with custom tooling renders such campaigns exceptionally difficult to detect and underscores the need for a holistic approach to cybersecurity defense.