Lotus Blossom Espionage Group Targets Multiple Industries With Different Versions of Sagerunex and Hacking Tools

    Date: 03/05/2025

    Severity: High

    Summary

    Lotus Blossom (aka Spring Dragon, Billbug, Thrip) is an espionage group active since 2012. Cisco Talos, whose report is linked under Reference below, attributes these campaigns to the group on the basis of shared TTPs, backdoors, and victim profiles. Since at least 2016, Lotus Blossom has used the Sagerunex backdoor, increasingly pairing it with persistent command shells and developing new Sagerunex variants. The group has targeted government, manufacturing, telecommunications, and media organisations in the Philippines, Vietnam, Hong Kong, and Taiwan.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    cebucafe.net

    cebucfg.org

    davaotour.net

    davoport.org

    jf.doyourbestyet.com

    ns1.poorgoddaay.com

    www.acdserv.com

    www.ilovekalias.com

    www.sensor-data.online

    www.serthk.com

    zg.poorgoddaay.com

    IP Addresses:

    103.213.245.95

    103.224.80.102

    103.232.223.117

    103.234.97.19

    103.243.131.205

    103.74.192.105

    117.18.5.141

    118.193.240.214

    122.10.118.125

    122.10.91.36

    122.10.91.37

    123.60.167.7

    160.124.251.105

    185.243.42.80

    185.243.43.197

    185.243.43.202

    43.252.161.22

    43.254.217.138

    43.254.218.69

    43.255.104.100

    45.32.127.121

    45.32.127.212

    58.64.193.166

    58.64.193.225

    59.188.254.21

    59.188.254.79

    59.188.69.190

    59.188.77.188

    Hashes (SHA-256):

    3fb81913c2daf36530c9ae011feebeb5bc61432969598e2dfaa52fc2ce839f20
    
    788945d484b4e7da7adb438db52c35dd033869c5f43f027a5b6903b7b1dbbd7b
    
    bf50ed2dd7a721e7c1b13b1eed0f21c3274808d5016310c52b1473530d78f34a
    
    47013e731b37a80e96a3523e042c23e67bfa721d3651e735307f4a1545898b11
    
    3d262950bf89995dce56f2c8db16938d37be5564d5e2b011ea49fe2f523f980a
    
    79cd6380b2cf7ca1b3e3ba386ebbd7df0104e33ac74cdb5e886fd8be207bd961
    
    f4dd0a6594d50012b6b2e3fd578e40a2aa91dae2c2454d04df5c8c9898774da6
    
    8f309ffbaa532294da8d7896cdac3311e6a1ff82e86551453787ee78a94a679e
    
    565fbe3f1f444f79aef375678ebbe2cd08ba55bdbee737b4ed2e6d2f7bcfcc16
    
    f88cea311efbd3aaf896dd9527b137ad2bbd29332917b5aadd4c2693b45f893f
    
    42b8b464147160c2f4c2722dfc222749e67384824bbbb140385271895b138c7b
    
    ccd1f9844b00059f6e35fdff577ac93048f4d99b18162d3c56cfeb2d72b93ae4
    
    2b59b03e9232b83b8914ed07c6426dd53d17cfb2eba01ab13d4c6cb00466a42e
    
    240d3040559e6215a8931d9d8670c6eae2c1c42a9a74d260261fda22bcf0817d
    
    e8f482dc47250eaedf8b839cdb4fd9ebffe59d47c7b48d61ad51d942fd35fa18
    
    0f383b8f68f3b3c3a18ec778a1150563801b8716c7114432ff51a28fff2963b4
    
    b1c782b4a327dadf0d8db016d7556a92bae4b697b10c9282b293e24564bbef32
    
    5544a68a2b391c88a02f1f581ea1dde9c5cf8aeb41bb55269989528303580846
    
    dfdd6847579ec6d9630feeda1f5bcbf009d270cd461d30781719a9c218f33d9e
    
    fe2046e479289b1013eb394f5b3d7a49a419cb98015add3ead0fa87614fe6e38
    
    d67774dde98db6aca8271566fac6f3d0e8e474c40604efeedd5b1276abcc8af5
    
    e0d969b95bd91f58b775d2c9b9190a4f7c5ee8a76d63286227885e071883fdef
    
    fa764df857ed8f0fbf606dcbb92d64f5a72b5c1dd94b3dcb9ea02ff8a02b986b
    
    9e38f67fad7dfd806955c61e8b2d68084c4506227bc8c880cffb28d77612759c
    
    23012d0e71e40913967a511475b55690e34afcad72ca819b82c885a0df8aea79
    
    0fd82ff1a4b4f3c55b7faa73621ecb7d11c3cde95631de841cb304a7968804df
    
    b830fe3d5d5462bef92991dd78869a173cb56d823e7776bfa56e09642dd880ed
    
    776b4a7ce11d2cc9a94268c7280b652ad0d0fb33d3188cf58987e6c5c4fbb5fb
    
    001380aa1c1850dd603f9e1315f3b9c450e6da13686a0b6ec5c05991df46ff1a
    
    25df8f277074560cb899314cd649c6d937727c5cce5390a7187a6572dd2e4be1
    
    1cb12045c55bf2669c3573fc79f1335355defe09af64ac2f9ca495eb5f7af528
    
    ff5a789d0df1b28a183d7f256d3d4f649a16ae4679ef803d28cd9f7443416310
    
    1ce0367f66a3ee2e461ccb42ae7794622aa9fb3bf9bd8926e85260ed768fb17b
    
    54a41f888a10e454705c5b4328c13415b0ffea3708e3e101d965883761945c67
    
    e3292e944f3deb871d9d3c2fc28a0255ad900f067f074039dde86a55dcc7b67c
    
    176a34345bbd4eaf96e47bb60c866847de7cdaf315fe376427f4651c09f98e88
    
    710c73d806457e576a9987be60ed8676af610b7910928f9fa57fbc58f5f45d52

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "cebucfg.org" or url like "cebucfg.org" or userdomainname like "cebucafe.net" or url like "cebucafe.net" or userdomainname like "www.acdserv.com" or url like "www.acdserv.com" or userdomainname like "jf.doyourbestyet.com" or url like "jf.doyourbestyet.com" or userdomainname like "davoport.org" or url like "davoport.org" or userdomainname like "ns1.poorgoddaay.com" or url like "ns1.poorgoddaay.com" or userdomainname like "zg.poorgoddaay.com" or url like "zg.poorgoddaay.com" or userdomainname like "www.serthk.com" or url like "www.serthk.com" or userdomainname like "davaotour.net" or url like "davaotour.net" or userdomainname like "www.ilovekalias.com" or url like "www.ilovekalias.com" or userdomainname like "www.sensor-data.online" or url like "www.sensor-data.online"

    IP Addresses:

    dstipaddress IN ("58.64.193.166","103.234.97.19","45.32.127.212","160.124.251.105","185.243.43.202","103.243.131.205","122.10.91.36","45.32.127.121","59.188.69.190","103.213.245.95","123.60.167.7","122.10.91.37","59.188.77.188","58.64.193.225","103.74.192.105","43.254.217.138","185.243.43.197","103.224.80.102","103.232.223.117","117.18.5.141","118.193.240.214","122.10.118.125","185.243.42.80","43.252.161.22","43.254.218.69","43.255.104.100","59.188.254.21","59.188.254.79") or ipaddress IN ("58.64.193.166","103.234.97.19","45.32.127.212","160.124.251.105","185.243.43.202","103.243.131.205","122.10.91.36","45.32.127.121","59.188.69.190","103.213.245.95","123.60.167.7","122.10.91.37","59.188.77.188","58.64.193.225","103.74.192.105","43.254.217.138","185.243.43.197","103.224.80.102","103.232.223.117","117.18.5.141","118.193.240.214","122.10.118.125","185.243.42.80","43.252.161.22","43.254.218.69","43.255.104.100","59.188.254.21","59.188.254.79") or publicipaddress IN ("58.64.193.166","103.234.97.19","45.32.127.212","160.124.251.105","185.243.43.202","103.243.131.205","122.10.91.36","45.32.127.121","59.188.69.190","103.213.245.95","123.60.167.7","122.10.91.37","59.188.77.188","58.64.193.225","103.74.192.105","43.254.217.138","185.243.43.197","103.224.80.102","103.232.223.117","117.18.5.141","118.193.240.214","122.10.118.125","185.243.42.80","43.252.161.22","43.254.218.69","43.255.104.100","59.188.254.21","59.188.254.79") or srcipaddress IN ("58.64.193.166","103.234.97.19","45.32.127.212","160.124.251.105","185.243.43.202","103.243.131.205","122.10.91.36","45.32.127.121","59.188.69.190","103.213.245.95","123.60.167.7","122.10.91.37","59.188.77.188","58.64.193.225","103.74.192.105","43.254.217.138","185.243.43.197","103.224.80.102","103.232.223.117","117.18.5.141","118.193.240.214","122.10.118.125","185.243.42.80","43.252.161.22","43.254.218.69","43.255.104.100","59.188.254.21","59.188.254.79")

    Hashes (SHA-256):

    sha256hash IN ("b830fe3d5d5462bef92991dd78869a173cb56d823e7776bfa56e09642dd880ed","dfdd6847579ec6d9630feeda1f5bcbf009d270cd461d30781719a9c218f33d9e","23012d0e71e40913967a511475b55690e34afcad72ca819b82c885a0df8aea79","3fb81913c2daf36530c9ae011feebeb5bc61432969598e2dfaa52fc2ce839f20","bf50ed2dd7a721e7c1b13b1eed0f21c3274808d5016310c52b1473530d78f34a","1cb12045c55bf2669c3573fc79f1335355defe09af64ac2f9ca495eb5f7af528","5544a68a2b391c88a02f1f581ea1dde9c5cf8aeb41bb55269989528303580846","1ce0367f66a3ee2e461ccb42ae7794622aa9fb3bf9bd8926e85260ed768fb17b","25df8f277074560cb899314cd649c6d937727c5cce5390a7187a6572dd2e4be1","8f309ffbaa532294da8d7896cdac3311e6a1ff82e86551453787ee78a94a679e","fe2046e479289b1013eb394f5b3d7a49a419cb98015add3ead0fa87614fe6e38","ff5a789d0df1b28a183d7f256d3d4f649a16ae4679ef803d28cd9f7443416310","565fbe3f1f444f79aef375678ebbe2cd08ba55bdbee737b4ed2e6d2f7bcfcc16","e3292e944f3deb871d9d3c2fc28a0255ad900f067f074039dde86a55dcc7b67c","0fd82ff1a4b4f3c55b7faa73621ecb7d11c3cde95631de841cb304a7968804df","d67774dde98db6aca8271566fac6f3d0e8e474c40604efeedd5b1276abcc8af5","47013e731b37a80e96a3523e042c23e67bfa721d3651e735307f4a1545898b11","710c73d806457e576a9987be60ed8676af610b7910928f9fa57fbc58f5f45d52","176a34345bbd4eaf96e47bb60c866847de7cdaf315fe376427f4651c09f98e88","e8f482dc47250eaedf8b839cdb4fd9ebffe59d47c7b48d61ad51d942fd35fa18","240d3040559e6215a8931d9d8670c6eae2c1c42a9a74d260261fda22bcf0817d","9e38f67fad7dfd806955c61e8b2d68084c4506227bc8c880cffb28d77612759c","788945d484b4e7da7adb438db52c35dd033869c5f43f027a5b6903b7b1dbbd7b","2b59b03e9232b83b8914ed07c6426dd53d17cfb2eba01ab13d4c6cb00466a42e","3d262950bf89995dce56f2c8db16938d37be5564d5e2b011ea49fe2f523f980a","79cd6380b2cf7ca1b3e3ba386ebbd7df0104e33ac74cdb5e886fd8be207bd961","f4dd0a6594d50012b6b2e3fd578e40a2aa91dae2c2454d04df5c8c9898774da6","42b8b464147160c2f4c2722dfc222749e67384824bbbb140385271895b138c7b","ccd1f9844b00059f6e35fdff577ac93048f4d99b18162d3c56cfeb2d72b93ae4","f88cea311efbd3aaf896dd9527b137ad2bbd29332917b5aadd4c2693b45f893f","0f383b8f68f3b3c3a18ec778a1150563801b8716c7114432ff51a28fff2963b4","b1c782b4a327dadf0d8db016d7556a92bae4b697b10c9282b293e24564bbef32","e0d969b95bd91f58b775d2c9b9190a4f7c5ee8a76d63286227885e071883fdef","fa764df857ed8f0fbf606dcbb92d64f5a72b5c1dd94b3dcb9ea02ff8a02b986b","776b4a7ce11d2cc9a94268c7280b652ad0d0fb33d3188cf58987e6c5c4fbb5fb","001380aa1c1850dd603f9e1315f3b9c450e6da13686a0b6ec5c05991df46ff1a","54a41f888a10e454705c5b4328c13415b0ffea3708e3e101d965883761945c67")
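    For teams that are not on Gurucul TDIR, the same three-way sweep (domains, IPs, SHA-256 hashes) can be run offline over an exported log. The script below is an added example written for this page; it is not Gurucul's or Talos's code. The key=value log format, the field names (src, dst, host, sha256) and the five sample records are constructed for illustration and must be adapted to your own DNS, proxy or EDR export. The IOC loader classifies each pasted token by shape, so the IOC list above can be dropped in as-is (all domains and IPs are included, plus the first three hashes for brevity). Hostnames are matched on label boundaries (the host itself or any subdomain of it) rather than by substring, so a look-alike such as notdavaotour.net is not flagged while mail.zg.poorgoddaay.com is.

```python
"""Sweep constructed log records for the Lotus Blossom / Sagerunex indicators.
Added example for this page (not Gurucul's or Talos's code); the log format,
field names and sample lines are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators copied from the IOC list above (all domains and IPs, first three
# hashes).  Paste the remaining hashes into this string to sweep for all of them.
IOC_TEXT = """
cebucafe.net cebucfg.org davaotour.net davoport.org jf.doyourbestyet.com
ns1.poorgoddaay.com www.acdserv.com www.ilovekalias.com www.sensor-data.online
www.serthk.com zg.poorgoddaay.com
103.213.245.95 103.224.80.102 103.232.223.117 103.234.97.19 103.243.131.205
103.74.192.105 117.18.5.141 118.193.240.214 122.10.118.125 122.10.91.36
122.10.91.37 123.60.167.7 160.124.251.105 185.243.42.80 185.243.43.197
185.243.43.202 43.252.161.22 43.254.217.138 43.254.218.69 43.255.104.100
45.32.127.121 45.32.127.212 58.64.193.166 58.64.193.225 59.188.254.21
59.188.254.79 59.188.69.190 59.188.77.188
3fb81913c2daf36530c9ae011feebeb5bc61432969598e2dfaa52fc2ce839f20
788945d484b4e7da7adb438db52c35dd033869c5f43f027a5b6903b7b1dbbd7b
bf50ed2dd7a721e7c1b13b1eed0f21c3274808d5016310c52b1473530d78f34a
"""

# Constructed sample log, not real telemetry.  Line 4 is a look-alike host that a
# substring match would flag; line 5 carries the hash in upper case.
SAMPLE_LOG = """
ts=2025-03-05T10:12:03Z src=10.1.2.3 dst=185.243.43.202 host=www.serthk.com user=alice
ts=2025-03-05T10:13:00Z src=10.1.2.9 dst=104.18.0.1 host=update.example.org user=bob
ts=2025-03-05T10:14:41Z src=10.1.2.3 dst=203.0.113.7 host=mail.zg.poorgoddaay.com user=alice
ts=2025-03-05T10:15:02Z src=10.1.2.5 dst=198.51.100.4 host=notdavaotour.net user=carol
ts=2025-03-05T10:16:10Z src=10.1.2.3 sha256=3FB81913C2DAF36530C9AE011FEEBEB5BC61432969598E2DFAA52FC2CE839F20 proc=update.exe
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def load_iocs(text):
    """Classify each whitespace-separated token as hash, IP address or hostname."""
    domains, ips, hashes = set(), set(), set()
    for tok in text.split():
        tok = tok.lower().rstrip(",")
        if SHA256_RE.match(tok):
            hashes.add(tok)
            continue
        try:
            ips.add(ipaddress.ip_address(tok))
            continue
        except ValueError:
            pass
        if not HOST_RE.match(tok):
            raise ValueError(f"unrecognised indicator: {tok!r}")
        domains.add(tok)
    return domains, ips, hashes


def host_matches(host, domains):
    """Return the indicator that `host` equals or is a subdomain of, else None.
    Walks label suffixes (a.b.c -> a.b.c, b.c, c) instead of substring matching."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def parse_line(line):
    """Parse one constructed key=value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


@dataclass
class Hit:
    line_no: int
    field: str
    value: str
    indicator: str


def sweep(log_text, iocs):
    """Return every field/indicator match in `log_text`, in log order."""
    domains, ips, hashes = iocs
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        rec = parse_line(line)
        for key in ("src", "dst"):
            try:
                if key in rec and ipaddress.ip_address(rec[key]) in ips:
                    hits.append(Hit(n, key, rec[key], rec[key]))
            except ValueError:  # field present but not an IP address
                pass
        if "host" in rec:
            matched = host_matches(rec["host"], domains)
            if matched:
                hits.append(Hit(n, "host", rec["host"], matched))
        if "sha256" in rec and rec["sha256"].lower() in hashes:
            hits.append(Hit(n, "sha256", rec["sha256"], rec["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG, load_iocs(IOC_TEXT)):
        print(f"line {hit.line_no}: {hit.field}={hit.value} matches {hit.indicator}")
```

    Run against the constructed sample it reports four hits: the destination IP and hostname on line 1, the subdomain of zg.poorgoddaay.com on line 3, and the hash on line 5 after case normalisation; lines 2 and 4 produce nothing. Source IPs are checked as well as destinations because several of the listed addresses may appear as inbound connection sources rather than as C2 destinations.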

    Reference:    

    https://blog.talosintelligence.com/lotus-blossom-espionage-group/


    Tags

    Malware, Sagerunex, Backdoor, Philippines, Vietnam, Hong Kong, Taiwan, Government Services and Facilities, Communications
