June 26, 2026
By esentry Team

Threat Actor: Lotus Blossom (aka Lotus Panda, Billbug)

Actor Profiling
Threat Actor: Lotus Blossom (aka Lotus Panda, Billbug)

Active Since: 2009

Target: Government and military targets in South Asia.

TTPs

Initial Access

T1190 – Exploit Public-Facing Application

Accessed via exposed internet-facing systems.

T1566 – Phishing

Targeted phishing emails to deliver malicious payloads.

T1078 – Valid Accounts

Used stolen credentials to log in as legitimate users.

Execution

T1059 – Command and Scripting Interpreter  

T1204 – User Execution (phishing-triggered payload execution)

T1129 – Shared Modules

Malicious DLLs were loaded through legitimate executables.

Persistence

T1547.001 – Registry Run Keys

Modified Windows Registry to maintain execution during startup.

T1543.003 – Windows Service

Ran malware as a service for long-term access.

Defense Evasion

T1574.002 – DLL Side-Loading

Hijacked legitimate executables (Trend Micro, Bitdefender) to load malicious DLLs.

T1070.006 – Timestamp

Manipulated file timestamps using tools like Datechanger.exe.

T1036 – Masquerading

Blended malicious activity with trusted vendor binaries.

Credential Access

T1555.003 – Credentials from Web Browsers

ChromeKatz / CredentialKatz extracted saved passwords and cookies from Chrome.

T1003 – OS Credential Dumping

Lateral Movement

T1021 – Remote Services

Used stolen credentials to move across systems.

Command and Control (C2)

T1572 – Protocol Tunneling

Used Zrok peer-to-peer tunneling to expose internal systems.

T1090 – Proxy

Tunneled internal traffic externally.

T1571 – Non-Standard Port  

T1090.001 – Internal Proxy  

T1071.004 – Application Layer Protocol: SSH

Deployed Custom reverse SSH over port 22 for remote control.

Recommendations

Strengthen Email Security: Implement advanced email filtering solutions capable of detecting and blocking phishing attempts, especially those involving spoofed domains and deceptive content. Enable DMARC, SPF, and DKIM to validate sender authenticity.

Deploy Advanced Endpoint Protection: Utilize Endpoint Detection and Response (EDR) tools to monitor suspicious activities, such as DLL sideloading and unauthorized registry modifications, which are tactics employed by Sagerunex. ​Ensure that all endpoints have up-to-date antivirus and anti-malware solutions to detect and prevent known threats.

Credential Protection: Enforce strong password policies, multi-factor authentication (MFA), and monitor for the use of credential dumping tools like ChromeKatz and CredentialKatz.

Enhance Network Monitoring: Implement continuous monitoring for unusual network traffic and suspicious activity, especially around port 22 and the use of tunneling tools like Zrok, which may indicate covert access or exfiltration attempts.

Patch Management: Ensure that all public-facing applications and systems are regularly scanned for vulnerabilities and patched promptly to prevent exploitation by threat actors.

Analysis of Malware Sample

A malware sample linked to Lotus Blossom in the Notepad++ was analysed

The file contained an executable file named "BluetoothService.exe" which is a renamed legitimate Bitdefender Submission Wizard abused for DLL sideloading. It also included a file called "BluetoothService" that is an encrypted shellcode, and a malicious DLL sideloaded by BluetoothService.exe.

Bitdefender Submission Wizard was used to sideload "log.dll" for decrypting and executing additional payload.

The BluetoothService.exe contained different folders

The. rsrc folder was available, the other files were not supported. Upon opening, it contained different folders.

The txt file showed the actual file name, pointing to Bitdefender