Lotus Blossom

Threat Actor updated 5 months ago (2024-05-04T18:41:30.114Z)
Lotus Blossom, also known as Billbug and Thrip, is a threat actor that has been active since 2009, engaging in persistent cyber espionage campaigns primarily targeting government and military organizations in Southeast Asia. The group is notorious for its use of sophisticated delivery techniques and exploits, including the Emissary Trojan and the Elise backdoor, both of which have been used extensively in its operations. The threat actor notably attempted to exploit CVE-2014-6332 by using a slightly modified version of the proof-of-concept (POC) code to install the Emissary Trojan, a tactic closely associated with Operation Lotus Blossom.

Operation Lotus Blossom was a significant attack campaign that involved the use of official-looking decoy documents, often not available online, to trick victims into downloading malicious payloads. The Emissary Trojan used in this operation is related to the Elise malware, which is characterized by its unique beaconing pattern: "GET /%x/page_%02d%02d%02d%02d.html". This pattern was documented in the Lotus Blossom report and has since been exploited by other advanced persistent threats (APTs), such as the Spring Dragon APT, to deliver malicious VBS exploits.

In November 2014, another APT abused the same site used by Lotus Blossom to deliver a Lurid variant payload exploiting CVE-2014-6332. Furthermore, in June 2012, the same group served a malicious PDF exploit (CVE-2010-2883) from this site under the guise of "Zawgyi Unicode Keyboard.pdf". These instances underscore the persistent and evolving threat posed by Lotus Blossom and similar threat actors, highlighting the need for robust cybersecurity measures to counteract these sophisticated and continually adapting tactics.
Description last updated: 2023-10-10T19:07:38.656Z
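The Elise beaconing pattern quoted in the description can be turned into a proxy-log detection. The following is an added example, not code from this page or from any cited report: it converts the printf-style format string into a regular expression and runs it over constructed log lines. The log layout, host names and addresses are assumptions made for the illustration.

```python
import re

# Format string quoted in the description above (Elise beacon request line).
ELISE_BEACON_FMT = "GET /%x/page_%02d%02d%02d%02d.html"

# Only the conversions that occur in the quoted pattern: %x, %X, %d, %0Nd.
_SPEC = re.compile(r"%(?:0(\d+))?([xXd])")
_CLASS = {"x": "[0-9a-f]", "X": "[0-9A-F]", "d": "[0-9]"}

def printf_to_regex(fmt):
    """Turn a printf-style format into a regex source string."""
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        # A printf width is a minimum, not a maximum: %02d renders 100 as "100".
        width = int(m.group(1) or 1)
        parts.append("(%s{%d,})" % (_CLASS[m.group(2)], width))
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return "".join(parts)

# Anchor to the quoted request line so the pattern must start the request
# and end at the path boundary (space before the HTTP version, or a '?').
BEACON_RE = re.compile('"' + printf_to_regex(ELISE_BEACON_FMT) + r"(?=[ ?])")

# Constructed proxy log lines (hypothetical format: ts client host "request" status).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 192.0.2.10 site.example "GET /3fa9c2/page_12030415.html HTTP/1.1" 200
2024-01-01T10:00:05Z 192.0.2.11 news.example "GET /archive/page_2.html HTTP/1.1" 200
2024-01-01T10:00:09Z 192.0.2.12 site.example "GET /beef/page_1203.html HTTP/1.1" 200
2024-01-01T10:00:12Z 192.0.2.10 site.example "POST /3fa9c2/page_12030415.html HTTP/1.1" 200
2024-01-01T10:00:20Z 192.0.2.13 cdn.example "GET /3FA9C2/page_12030415.html HTTP/1.1" 200
2024-01-01T10:01:00Z 192.0.2.10 site.example "GET /0/page_00000000.html HTTP/1.1" 404
""".splitlines()

def find_beacons(lines):
    """Return (client, host, first path segment) for each matching request."""
    hits = []
    for line in lines:
        m = BEACON_RE.search(line)
        if m:
            _ts, client, host = line.split(" ", 3)[:3]
            hits.append((client, host, m.group(1)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

A match is a lead rather than a verdict, since an unrelated site can use the same URL shape; repeated requests from one client to one host are the stronger signal.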
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Lotus Blossom Threat Actor was read from the documents corpus below.