New research from Symantec revealed that the China-linked espionage group Billbug, also known as Lotus Blossom, Lotus Panda, and Bronze Elgin, compromised multiple organizations within a single Southeast Asian country as part of a sustained intrusion campaign running from August 2024 to February 2025. These findings underscore the evolving tactics of state-sponsored threat actors and the ongoing cyber pressure facing nations in the region. The attacks involved using multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool.
Symantec mentioned that the activity appears to continue a campaign initially documented last December, where multiple high-profile organizations in Southeast Asian countries were targeted. While it was clear that Chinese actors were behind the attacks, attribution to a single actor could not be determined. The targets included a government ministry, an air traffic control organization, a telecommunications provider, and a construction company, highlighting the espionage group’s interest in both state institutions and critical infrastructure. The group also staged an intrusion against a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country.
However, a recent blog by Cisco Talos detailing recent Billbug activity contained indicators of compromise (IOCs) used in this campaign, indicating that it was the work of Billbug.
Released Monday, the Symantec post noted that in several of the intrusions the attackers abused legitimate Trend Micro and Bitdefender executables to load malicious loader DLLs, a technique known as DLL sideloading. “One of the legitimate executables used for sideloading was a Trend Micro binary named tmdbglog[dot]exe. This was used to sideload a malicious DLL named tmdglog[dot]dll. Analysis of tmdglog[dot]dll revealed that it was a loader that read, decrypted, and executed the contents of the file C:\Windows\temp\TmDebug.log. It then logged the execution progress to C:\Windows\Temp\VT001.tmp.”
Another legitimate executable used was a Bitdefender binary named bds[dot]exe. This was used to sideload a malicious DLL named log[dot]dll. Analysis of log[dot]dll concluded that it was another loader that read and decrypted the contents of the file winnt[dot]config. It then started the process C:\Windows\system32\systray[dot]exe and injected the decrypted contents into it.
The post also mentioned that several variants of log[dot]dll were used in the campaign, but only one was retrieved for analysis. “The same Bitdefender binary was also used to sideload a file named sqlresourceloader.dll, which was also not retrieved. It is unknown if this is related to the loader analyzed or a different tool,” it added.
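The sideloading chain described above gives a defender two things to hunt for: the exact executable/DLL pairs Symantec named, and the more general pattern of a vendor-signed host process loading a co-located DLL that the vendor did not sign. The script below is an added example, not code from Symantec or the vendors; it runs that logic over constructed Sysmon Event ID 7 style records, and the `HostSignature` field, the paths and the signer strings are assumptions made for the example.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Host binaries the report says were abused, mapped to the DLL names sideloaded by them.
KNOWN_PAIRS = {
    "tmdbglog.exe": {"tmdglog.dll"},
    "bds.exe": {"log.dll", "sqlresourceloader.dll"},
}
# Substrings expected in the vendor signer names (assumed, not taken from the report).
VENDOR_SIGNERS = ("trend micro", "bitdefender")


def vendor_signed(signature: str) -> bool:
    return any(v in signature.lower() for v in VENDOR_SIGNERS)


def classify(ev: dict) -> Optional[str]:
    """Label one image-load event (Sysmon Event ID 7 style fields), or None if benign.

    'HostSignature' is an assumed enrichment field holding the signer of the loading
    process; Sysmon itself only reports the signature of the loaded image.
    """
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    exe_name, dll_name = exe.name.lower(), dll.name.lower()
    # Rule 1: exact executable/DLL pairs named in the report.
    if dll_name in KNOWN_PAIRS.get(exe_name, ()):
        return f"known-sideload-pair:{exe_name}->{dll_name}"
    # Rule 2: a vendor-signed host loads a DLL from its own directory that is unsigned
    # or carries a publisher other than the host's (classic search-order sideloading).
    co_located = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    if co_located and vendor_signed(ev.get("HostSignature", "")):
        if ev.get("Signed", "false").lower() != "true" or not vendor_signed(ev.get("Signature", "")):
            return f"unsigned-or-foreign-dll-in-vendor-dir:{exe_name}->{dll_name}"
    return None


def hunt(events) -> list:
    return [(e["Image"], label) for e in events if (label := classify(e))]


# Constructed sample events; paths and signer strings are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\tm\tmdbglog.exe", "ImageLoaded": r"C:\ProgramData\tm\tmdglog.dll",
     "Signed": "false", "Signature": "", "HostSignature": "Trend Micro, Inc."},
    {"Image": r"C:\Users\Public\bds.exe", "ImageLoaded": r"C:\Users\Public\log.dll",
     "Signed": "false", "Signature": "", "HostSignature": "Bitdefender SRL"},
    {"Image": r"C:\Users\Public\bds.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "HostSignature": "Bitdefender SRL"},
    {"Image": r"C:\Program Files\TM\tmhost.exe", "ImageLoaded": r"C:\Program Files\TM\helper.dll",
     "Signed": "true", "Signature": "Trend Micro, Inc.", "HostSignature": "Trend Micro, Inc."},
    {"Image": r"C:\Program Files\TM\tmhost.exe", "ImageLoaded": r"C:\Program Files\TM\updater.dll",
     "Signed": "false", "Signature": "", "HostSignature": "Trend Micro, Inc."},
]
```

Rule 2 will also flag legitimate vendor plug-ins signed by a third party, so treat its hits as triage leads and the Rule 1 hits as high-confidence matches.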
Moreover, the attackers also used a new variant of the Sagerunex backdoor, a custom tool that is exclusively used by Billbug. The variant appears to be related to variants of Sagerunex documented by Cisco in February this year. As documented by Cisco, the attackers created a persistence mechanism by modifying the registry to ensure that it would run as a service.
The researchers said that among the new tools deployed were two designed to steal credentials from the Chrome web browser. The tools included ChromeKatz, which steals credentials and cookies stored in Chrome; CredentialKatz, which steals credentials stored in Chrome; and a custom reverse SSH tool that listens for SSH connections on port 22.
Active since at least 2009, Billbug (also known as Thrip, Lotus Blossom, and Lotus Panda) is a China-linked espionage group primarily targeting governments and military organizations in Southeast Asia. The group gained public attention in 2015 through a Palo Alto report linking it to over 50 attacks, often using spear-phishing and lure documents to deliver the Trensil (aka Elise) Trojan.
In 2018, Symantec documented an attack on a major telecom operator, uncovering the Infostealer[dot]Catchamas malware. This led to the identification of further attacks across the communications, geospatial, and defense sectors in both the U.S. and Southeast Asia.
By 2019, Billbug was linked to campaigns using two new backdoors, Hannotog and Sagerunex, targeting at least 12 organizations across Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. The group expanded its focus beyond military entities to include maritime communications, media, and education sectors.
Symantec now tracks all related activity under the Billbug name.
“Billbug remained active in subsequent years. In November 2022, Symantec published new research on the group, highlighting an attack on a digital certificate authority in an Asian country,” the post added. “The targeting of a certificate authority was notable because the attackers could have accessed certificates and used them to sign malware, helping them to evade detection. Compromised certificates could also potentially be used to intercept HTTPS traffic.”