Thrip

Threat Actor Profile Updated 2 months ago
Thrip, also known as Billbug or Lotus Blossom, is a Chinese-affiliated advanced persistent threat (APT) group that has been active since 2009. The group focuses on espionage and targets organizations in the communications, geospatial imaging, and defense sectors in both the United States and Southeast Asia. In its recent operations Thrip compromised a digital certificate authority in an Asian country, likely using the stolen certificates to sign malware deployed against government agencies over the last six months. The group combines custom malware such as Infostealer.Catchamas with "living off the land" tactics, in which legitimate tools already present on the system are used for malicious purposes. Despite these attempts at camouflage, Thrip's cover was blown by its use of PsExec, a Microsoft Sysinternals tool commonly used by administrators but also abused by attackers for lateral movement within networks. This blend of techniques makes Thrip a complex and persistent threat actor capable of significant cyber-espionage campaigns. Protection against Thrip's activity includes file-based protection, and customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence (MATI) service have received detailed reports on Thrip's methods and on how to detect and thwart them. The Malware Analysis Appliance can also detect activity associated with Thrip. As Thrip continues to evolve its tactics, organizations need to maintain robust cybersecurity measures and stay current on the latest threat intelligence.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Billbug | 1 | None
Lotus Blossom | 1 | Lotus Blossom, also known as Billbug and Thrip, is a threat actor that has been active since 2009, engaging in persistent cyber espionage campaigns primarily targeting government and military organizations in Southeast Asia. The group is notorious for its use of sophisticated delivery techniques and
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Malware
Apt
Espionage
PsExec
Asian
Government
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Thrip threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Asian government agencies and certificate authorities
CERT-EU | 10 months ago | Cybersecurity threatscape of Asia: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
MITRE | a year ago | Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies