Elise is a malware family belonging to the LStudio group, which also includes the Emissary Trojan. Elise and Emissary share overlapping code and use the same custom algorithm to decrypt their embedded configurations: the C runtime's "srand" function seeds the "rand" function, whose output then drives the decryption. The two families differ in the hard-coded seed value; Emissary uses 1024 while Elise uses 2012, so the same routine yields a different keystream for each family. Elise was notably used in Operation Lotus Blossom, an attack campaign targeting Southeast Asia that frequently relied on official-looking decoy documents.
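To make the shared-routine, different-seed point concrete, the following is an added illustration written for this page; it is not code from the Elise or Emissary samples nor from any published analysis of them. It reproduces the Microsoft CRT's rand() linear congruential generator (state = state*214013 + 2531011 mod 2^32, output = (state >> 16) & 0x7FFF), since srand/rand behaviour is implementation-specific and these are Windows implants. The byte-wise XOR with the low 8 bits of each rand() output, the recover_config helper, the printable-text heuristic and the sample configuration string are all assumptions made for the demonstration; the real decryption steps of these families are not described on this page.

```python
"""
Added illustration (not the families' actual code): a config-decryption routine
whose only secret is the srand() seed, and why seed 2012 (Elise) and seed 1024
(Emissary) give different keystreams from identical code.

ASSUMED for demonstration: MSVC-style rand() LCG; byte-wise XOR with the low
byte of each rand() output; a printable-ASCII heuristic for "looks like config".
"""

ELISE_SEED = 2012      # seed value attributed to Elise on this page
EMISSARY_SEED = 1024   # seed value attributed to Emissary on this page


def msvc_rand_stream(seed):
    """Yield successive rand() values as the Microsoft CRT computes them
    after srand(seed). Deterministic: the same seed always gives the same
    sequence, which is what makes the seed the effective decryption key."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF


def xor_with_seeded_stream(data, seed):
    """XOR each input byte with the low byte of the next rand() value.
    The operation is symmetric, so one function both encrypts and decrypts.
    (Assumed construction, not the families' documented algorithm.)"""
    stream = msvc_rand_stream(seed)
    return bytes(b ^ (next(stream) & 0xFF) for b in data)


def looks_like_config(candidate):
    """Heuristic used only for this demo: printable ASCII plus whitespace."""
    return all(32 <= c < 127 or c in b"\r\n\t" for c in candidate)


def recover_config(blob, candidate_seeds=(ELISE_SEED, EMISSARY_SEED)):
    """Try each known family seed in turn and return (seed, plaintext) for
    the first that decrypts to plausible config text, or None. This is the
    triage step an analyst would run when attributing a blob to a family."""
    for seed in candidate_seeds:
        plaintext = xor_with_seeded_stream(blob, seed)
        if looks_like_config(plaintext):
            return seed, plaintext
    return None


# Constructed sample configuration for the demo; not a real Elise artefact.
SAMPLE_CONFIG = b"c2=example.invalid;port=443;sleep=60"

if __name__ == "__main__":
    blob = xor_with_seeded_stream(SAMPLE_CONFIG, ELISE_SEED)
    print("ciphertext (seed 2012):", blob.hex())
    print("decrypted with 1024   :", xor_with_seeded_stream(blob, EMISSARY_SEED))
    print("recovered             :", recover_config(blob))
```

Because the keystream depends only on the seed, two families that share the routine but not the seed cannot read each other's configurations, and an analyst who has extracted the routine once can key it with 1024 or 2012 to tell Emissary and Elise blobs apart without re-reversing the code.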
In Operation Lotus Blossom, Elise was bundled with a Flash installer; victims were redirected and the implant eventually communicated with specific IP addresses, sending the typical Elise GET requests documented in the Lotus Blossom paper. The same site was abused by other Advanced Persistent Threat (APT) actors to deliver exploits: in November 2014 it served a Lurid variant payload, and in June 2012 a malicious PDF exploit. These attacks typically contained several backdoor components, including an Elise "wincex.dll".
The Spring Dragon APT, active for several years, has been noted for its interesting delivery techniques. A report by Palo Alto Networks revealed data on this crew under the label "the Lotus Blossom Operation," likely named after the debug string present in much of the Elise codebase since at least 2012. CBS News cybersecurity expert Chris Krebs has emphasized the need for a more robust approach to address such cyberattacks, highlighting the persistent and evolving threat posed by malware like Elise.
Description last updated: 2024-04-03T19:15:44.837Z