Dark Web Profile: Lotus Blossom
Lotus Blossom is a long-running cyber espionage Advanced Persistent Threat (APT) group active since at least 2009 and widely attributed to the People’s Republic of China (PRC). The threat group conducts intelligence-driven operations targeting government agencies, military entities, and strategic industries across the Asia-Pacific region. Operations rely on custom malware, living-off-the-land techniques, and controlled lateral movement to maintain covert access within compromised networks.
The Notepad++ incident brought renewed attention to Lotus Blossom’s activity, demonstrating how the threat group abuses trusted software ecosystems to facilitate espionage campaigns. The event reinforces a consistent pattern of leveraging legitimate tools and established trust relationships to achieve unauthorized, persistent access in targeted environments.

Threat actor card of Lotus Blossom
Who is Lotus Blossom Threat Group?
Lotus Blossom is a highly disciplined Advanced Persistent Threat (APT) group, identified as Chinese state-sponsored and active since at least 2009. Tracked globally under various aliases, including Billbug, Spring Dragon, Thrip, Lotus Panda, Bronze Elgin, Raspberry Typhoon, and Red Salamander, the group operates as a sophisticated intelligence-gathering mechanism. While historical operations focused on diplomatic, military, and economic entities within the Asia-Pacific region, Lotus Blossom now pursues high-value targets on a global scale.

Anubis RaaS Threat Intelligence Report (Source: SOCRadar MCP)
The group employs a patient, methodical infiltration strategy instead of aggressive disruption. Initially recognized for spear-phishing campaigns exploiting Microsoft Office vulnerabilities like CVE-2012-0158, the group transitioned toward “Living-off-the-Land” techniques and complex supply chain exploitations. A bespoke lineage of custom malware defines Lotus Blossom’s operations, evolving from the Elise (Trensil) backdoor to Sagerunex, Hannotog, and the advanced Chrysalis implant.
Lotus Blossom demonstrated elite operational capabilities by targeting a national Certificate Authority in 2022. Furthermore, the group solidified a worldwide reach between 2025 and 2026 by manipulating the update infrastructure for Notepad++, a popular text editor used globally. By distributing trojanized update.exe files through this platform, Lotus Blossom bypassed geographic restrictions and utilized the global software supply chain to subvert the primary mechanisms of digital trust.
Lotus Blossom in the Chinese APT Ecosystem
Within the broader landscape of Chinese cyber operations, Lotus Blossom (Billbug) occupies a specialized niche. It is distinct from the large-scale, high-visibility operations of groups like APT10 (Cloud Hopper) or APT41 (Winnti), which often target a wide array of global industries for economic intellectual property.
| Feature | Lotus Blossom (Billbug) | APT41 (Winnti) | APT10 (Comment Crew) |
|---|---|---|---|
| Primary Focus | Regional strategic espionage (SEA, Taiwan, Hong Kong). | Global economic espionage and software supply chain. | Global MSP and industrial targeting. |
| Operational Tempo | “Low and Slow,” multi-year persistence. | Rapid exploitation of zero-days, high-volume surge. | Systematic, large-scale infiltration of MSPs. |
| Tooling Strategy | Bespoke evolution (Elise -> Sagerunex -> Chrysalis). | Extensive use of modified publicly available RATs and rootkits. | Heavy reliance on custom tools like PlugX and Sodom. |
| Success Metric | Intelligence collection continuity. | Intellectual property theft and financial gain. | Strategic economic dominance. |
Lotus Blossom is markedly more disciplined than opportunistic clusters. Its tolerance for long dwell times and its focus on the “mechanisms of trust” (CAs and software updates) suggest a high-tier intelligence unit that is integrated with national strategic planning. The group’s patience is its greatest asset, allowing it to maintain access to sensitive military and diplomatic networks for years, often returning to a target months after initial activity has ceased to harvest updated data.
What Are Lotus Blossom’s Targets?
Lotus Blossom’s targeting strategy is intrinsically linked to China’s regional and global strategic interests. Historically, the group’s focus was almost exclusively on Southeast Asian (SEA) government and military entities, particularly those in the Philippines, Vietnam, and Indonesia. The timing of their campaigns often aligns with regional security summits, such as the ASEAN Defense Ministers’ Meeting, or periods of heightened maritime tension in the South China Sea.
Strategic Targeting Rationale by Sector
| Targeted Sector | Primary Intelligence Value | Representative Victims |
|---|---|---|
| Government & Diplomacy | Policy documents, negotiation strategies, internal communiqués | French Ministry of Foreign Affairs (Taipei), Vietnamese Government, Philippine Government. |
| Military & Defense | Personnel rosters, procurement data, regional defense plans | Southeast Asian defense ministries, military command centers. |
| Telecommunications | Interception capabilities, subscriber data, network mapping | Providers in Hong Kong, Taiwan, Thailand, and South Korea. |
| Manufacturing | Supply chain dependencies, industrial IP, economic planning | Firms in the Philippines, Vietnam, and Taiwan. |
| Critical Infrastructure | Operational continuity, future sabotage access points | Air traffic control, power utilities (USA), construction firms. |
| Maritime & Logistics | Trade flow monitoring, port security, global supply chain visibility | Infrastructure in Djibouti, the Mediterranean, and Southeast Asia. |
The evolution of the group’s victimology reveals a significant second-order insight: Lotus Blossom has transitioned from a purely regional actor to one that supports global Chinese maritime interests. The 2024 spike in attacks against maritime infrastructure in Djibouti—a critical node for international shipping and home to China’s first overseas military base—underscores a shift toward global logistics monitoring. Furthermore, the expansion of activity into South America, Europe, and the United States (as seen in the 2025–2026 Notepad++ campaign) indicates that the group’s mandate now includes global supply chain intelligence, reflecting China’s broader “Belt and Road” strategic reach.
How Does Lotus Blossom Operate?
Lotus Blossom operates as a persistent espionage actor with a structured intrusion lifecycle. Observed campaigns show a consistent pattern of targeted access, custom malware deployment, stealthy lateral movement, and controlled data exfiltration.

Lotus Blossom Attack Chain
- Initial Access: Early operations relied heavily on spear-phishing emails delivering weaponized Office documents, often exploiting vulnerabilities such as CVE-2012-0158. The group also conducted watering hole attacks by compromising trusted regional websites. In more recent activity, Lotus Blossom demonstrated a shift toward higher-impact entry vectors. The Notepad++ supply chain compromise illustrates this evolution. Instead of targeting users directly, the group tampered with a legitimate software update channel, allowing malware to be distributed through a trusted mechanism. This indicates a willingness to move beyond phishing into infrastructure-level compromise.

SOCRadar Vulnerability Intelligence, Vulnerability card of CVE-2012-0158
- Establishing Foothold and Persistence: After gaining access, the group deploys custom backdoors such as Elise or Sagerunex. Persistence is typically achieved through Windows services or registry-based autorun entries. In the Notepad++ incident, the attackers used DLL sideloading to load a malicious component through a legitimate updater process. This method allowed the Chrysalis backdoor to execute while appearing operationally normal. Service name masquerading, encrypted payloads, and timestamp manipulation remain common persistence techniques.
- Privilege Escalation and Lateral Movement: Lotus Blossom frequently adopts a living-off-the-land strategy. Tools such as WMI, PsExec, and PowerShell are used to move laterally. Active Directory reconnaissance with AdFind and credential harvesting via utilities like Mimikatz have been documented. By relying on legitimate administrative utilities, the group reduces its standalone malware footprint and blends malicious behavior into expected enterprise activity.
- Reconnaissance: Operators systematically profile compromised environments before escalation. Standard Windows commands are used to map network topology, identify domain relationships, and locate high-value assets. In campaigns involving satellite communications and certificate authority environments, this reconnaissance phase preceded targeted movement toward sensitive infrastructure.
- Command-and-Control and Traffic Routing: Custom backdoors maintain communication through both traditional HTTP/S channels and alternative routes. More recent Sagerunex variants leverage legitimate web services and cloud platforms to mask command traffic. Proxy chaining tools and custom relays have also been observed, enabling control over segmented environments.
- Data Collection and Exfiltration: As an espionage-focused actor, Lotus Blossom prioritizes structured data theft. Stolen data is often archived before transfer. In supply chain scenarios such as the Notepad++ compromise, implants were designed for long-term persistence rather than rapid smash-and-grab activity, suggesting strategic intelligence collection over time.
- Operational Security: The group consistently demonstrates awareness of detection controls. In-memory execution, selective deployment of custom malware, abuse of legitimate tools, and blending of malicious traffic into normal workflows extend dwell time and complicate forensic attribution.
Lotus Blossom’s TTPs reflect an adaptive and disciplined espionage campaign model. The transition from document-based phishing to supply chain compromise highlights increasing sophistication while preserving a consistent objective: sustained intelligence collection.
What Are Lotus Blossom’s Most Notable Campaigns?
Over more than a decade of activity, Lotus Blossom, also tracked as Billbug and Spring Dragon, has been linked to multiple sustained espionage campaigns across Asia and beyond. These operations reveal a consistent pattern: long-term persistence, strategic sector targeting, and gradual technical evolution rather than disruptive smash-and-grab attacks.
- Operation Lotus Blossom (2012–2015): Publicly exposed by Unit 42 in 2015, this campaign focused on government and military organizations across Southeast Asia, particularly countries surrounding the South China Sea. The group relied heavily on spear-phishing emails carrying weaponized documents that deployed the Elise backdoor. Investigations revealed long dwell times inside compromised networks and a disciplined command-and-control structure. This operation established the group’s core playbook and demonstrated that activity had been ongoing for years prior to public attribution.

A hex editor screenshot shows hexadecimal bytes alongside ASCII text, highlighting the debug path “d:\lstudio\projects\lotus\elise\release\eliseDLL.pdb,” associated with the Lotus Blossom APT’s Elise codebase. (Source: Securelist)
- Spring Dragon Activity (2013–2016): During the same period, Kaspersky documented overlapping campaigns under the name Spring Dragon. In addition to phishing, the group deployed watering hole techniques, compromising regional websites and distributing trojanized software installers. One documented case involved a compromised Myanmar forum that delivered malware through a fake font installer. Operators also leveraged freshly disclosed vulnerabilities at high speed, incorporating public exploits shortly after release. Targeting remained concentrated on Vietnam, Taiwan, the Philippines, and Myanmar, primarily within government and defense-related environments.
- European Diplomatic Targeting (2015): An intrusion investigated by Palo Alto Networks in 2015 involved the compromise of a French diplomatic official. Malware tooling and infrastructure overlapped with earlier Southeast Asian operations. The use of localized decoy documents indicated operational flexibility and suggested tasking beyond a strictly regional mandate. This case signaled that Lotus Blossom could extend targeting when aligned with broader strategic intelligence objectives.
- Thrip Campaign and Satellite Sector Intrusions (2017–2018): Symantec’s disclosure of the Thrip campaign marked a notable shift in targeting sophistication. Operators infiltrated satellite communications providers, telecom firms, geospatial imaging companies, and defense contractors. In at least one case, systems involved in satellite operations were accessed. The group relied heavily on legitimate administrative tools such as PsExec and PowerShell, reducing reliance on custom malware. This campaign raised concerns that access may have extended beyond intelligence collection into potential operational pre-positioning.
- Certificate Authority Compromise Attempt (2022): In 2022, Lotus Blossom targeted multiple government networks alongside a digital certificate authority in Asia. Compromising a certificate authority represents a high-impact objective, as it could enable fraudulent certificate issuance or facilitate advanced interception techniques. Although public reporting did not confirm certificate abuse, the intrusion attempt demonstrated an escalation in strategic ambition. Custom backdoors, including Hannotog and Sagerunex, were observed, alongside extensive use of native Windows utilities for lateral movement and persistence.
- Notepad++ Supply Chain Operation (2025–2026): One of the group’s most recent attributed campaigns involved the compromise of a Notepad++ update channel. Over several months in 2025, targeted users received a trojanized update that deployed a previously undocumented backdoor referred to as Chrysalis. Analysis linked the infrastructure and tradecraft to Lotus Blossom with high confidence. The operation leveraged DLL sideloading techniques and appeared selectively targeted, indicating deliberate scoping rather than mass distribution. This marked a significant evolution toward supply chain intrusion tactics.

The infection chain illustrates how legitimate executables were leveraged to side-load a malicious DLL (Source: Rapid7)
Across these campaigns, a consistent pattern emerges. Lotus Blossom demonstrates long-term operational discipline, adapts techniques gradually, and maintains a persistent focus on geopolitical intelligence collection. The transition from spear-phishing and watering holes to satellite infrastructure targeting and supply chain compromise reflects maturation rather than reinvention. Activity through 2025 indicates that the group remains operational and strategically relevant.
The progression of these campaigns illustrates why isolated incident reporting is insufficient when tracking long-running threat actors. Lotus Blossom’s shift from spear-phishing to satellite sector intrusions and ultimately to supply chain compromise reflects gradual capability expansion rather than abrupt reinvention. Understanding that evolution requires correlating campaigns, malware reuse, infrastructure overlap, and sector targeting patterns across years.

Threat actor card of Lotus Blossom, SOCRadar Threat Actor Intelligence
This is where structured Threat Actor Intelligence becomes operationally relevant. Instead of viewing Elise, Sagerunex, or Chrysalis as separate artifacts, continuous tracking connects tooling to campaigns, campaigns to sectors, and sectors to strategic intent. Context transforms scattered technical findings into an actor-centric threat model.
Which Malware and Tools Does Lotus Blossom Use?
Lotus Blossom combines proprietary backdoors with legitimate administrative utilities. This layered tooling model allows persistent access through custom implants while masking lateral movement within normal system activity.
- Elise: One of the group’s earliest known backdoors, Elise was deployed through spear-phishing campaigns between 2012 and 2015. Executed as a DLL, it supported remote command execution, file transfer, and system reconnaissance. Registry persistence, process injection, and HTTP-based command channels were common characteristics.
- Emissary: Observed alongside Elise, Emissary functioned as a similar remote access implant and was often executed through legitimate Windows binaries such as rundll32. Its appearance after public exposure of earlier campaigns suggests active tool refinement.
- Sagerunex: In recent operations, Sagerunex has become the group’s primary backdoor framework. Installed as a service, it supports modular command execution and multiple communication methods. Newer variants leverage legitimate platforms such as cloud storage or email services for command-and-control, increasing stealth and reducing detection likelihood.
- Hannotog: Frequently used as a loader, Hannotog prepares victim systems by creating services, modifying firewall rules, and deploying secondary payloads such as Sagerunex. The combination of both tools is a recurring pattern in attributed campaigns.
- Chrysalis: Identified in the 2025 Notepad++ supply chain compromise, Chrysalis represents a more advanced implant delivered through DLL sideloading. It operates in memory, uses custom cryptography, and appears designed for persistent, long-term espionage.
Beyond custom malware, Lotus Blossom relies heavily on dual-use tools such as AdFind, PsExec, PowerShell, Mimikatz, WinRAR, and certutil. By integrating legitimate utilities into its workflow, the group minimizes its standalone malware footprint and complicates behavioral detection.
Which CVEs Have Been Exploited by the Lotus Blossom APT group?
The following Common Vulnerabilities and Exposures (CVEs) have been identified as part of the Lotus Blossom (Billbug, Spring Dragon, Thrip) group’s toolkit across various campaigns:
- CVE-2025-15556: Exploited between June and December 2025 to compromise the official hosting infrastructure of the text editor Notepad++. By leveraging a lack of integrity verification in the WinGUp updater, the group selectively delivered the feature-rich Chrysalis backdoor to government and telecommunications targets in Southeast Asia.
- CVE-2018-0802 and CVE-2017-11882: Critical memory corruption vulnerabilities in the legacy Microsoft Office Equation Editor (EQNEDT32.EXE) used extensively during “Spring Dragon” campaigns to deliver Elise and Emissary Trojan payloads to government and manufacturing sectors.
- CVE-2016-1019: A critical Adobe Flash Player vulnerability exploited through watering hole attacks and spoofed Flash installer sites to deliver the Elise backdoor to government targets in the Asia-Pacific region.
- CVE-2014-6332: A Windows OLE Automation Array remote code execution vulnerability used in targeted spear-phishing. A notable campaign in November 2015 targeted a French diplomat in Taipei using a conference invitation lure to silently install the Emissary Trojan.
- CVE-2014-4114: A Windows OLE package manager vulnerability (known as the “Sandworm” flaw) integrated into the group’s “Operation Lotus Blossom” spear-phishing campaigns targeting regional government and military offices in countries like Vietnam and the Philippines.
- CVE-2012-0158: A foundational vulnerability in Microsoft Office ActiveX controls used for several years. In 2016, the group used fake invitations to a Jakarta Cybersecurity Summit to deploy version 6.4 of the Emissary Trojan to high-value attendees.
- CVE-2010-2883: An Adobe Acrobat and Reader font processing flaw exploited in 2012 to target organizations in Myanmar via malicious PDF files masquerading as Unicode keyboard instructions.
- CVE-2009-4324 and CVE-2010-0188: Legacy Adobe Reader and Acrobat vulnerabilities exploited during the group’s initial detection phase to establish long-term persistence in regional government and military networks.
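The CVE-2025-15556 entry above turns on one defect: an updater that executes whatever the update host serves, with no integrity verification. The following is an added example (not Notepad++, WinGUp, or SOCRadar code) contrasting that weak pattern with an updater that only runs a payload whose hash is committed to by a manifest authenticated under a key pinned in the client. Everything in it is constructed for the demo: the payload bytes, the manifest format, and the pinned key (an HMAC key stands in for the publisher's signing key so the example runs on the standard library alone).

```python
"""Update-channel integrity check: an added example, not Notepad++/WinGUp code.

Two updater behaviours are run against the same (constructed) download:
  - weak_updater:     runs whatever the update host returned; no integrity
                      check, which is the gap CVE-2025-15556 describes.
  - hardened_updater: accepts the payload only if its SHA-256 matches a
                      manifest whose MAC verifies under a key pinned in the
                      client build, so a compromised host cannot forge it.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed: a publisher key pinned in the client. A real updater would pin
# an asymmetric public key and verify a signature; HMAC gives the same property
# for the demo (trust comes from the client, not from the download channel).
PINNED_MANIFEST_KEY = b"demo-pinned-key-not-a-real-secret"

GENUINE_UPDATE = b"GENUINE UPDATER PAYLOAD v1.2 (constructed)"
TROJANIZED_UPDATE = b"TROJANIZED UPDATER PAYLOAD (constructed)"


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so publisher and client MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(payload: bytes, version: str, key: bytes) -> dict:
    """Publisher side: emit a manifest that commits to the payload hash."""
    body = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def weak_updater(downloaded: bytes) -> bytes:
    """Vulnerable pattern: whatever came back from the update host is executed."""
    return downloaded  # no verification of any kind


def hardened_updater(downloaded: bytes, manifest: dict,
                     key: bytes = PINNED_MANIFEST_KEY) -> Optional[bytes]:
    """Return the payload only if manifest and payload both verify, else None."""
    # 1. Manifest authenticity: the MAC must verify under the pinned key.
    expected_mac = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return None
    # 2. Payload integrity: the download must hash to what the manifest commits to.
    actual = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(actual, manifest["body"]["sha256"]):
        return None
    return downloaded


def simulate(compromised_host: bool) -> dict:
    """Serve either the genuine release or a swapped binary with a re-hashed,
    forged manifest (the host cannot produce a valid MAC without the key)."""
    genuine_manifest = sign_manifest(GENUINE_UPDATE, "1.2", PINNED_MANIFEST_KEY)
    if compromised_host:
        served_payload = TROJANIZED_UPDATE
        forged_body = {"version": "1.2", "sha256": hashlib.sha256(TROJANIZED_UPDATE).hexdigest()}
        served_manifest = {"body": forged_body, "mac": genuine_manifest["mac"]}
    else:
        served_payload = GENUINE_UPDATE
        served_manifest = genuine_manifest
    return {
        "weak_runs": weak_updater(served_payload),
        "hardened_runs": hardened_updater(served_payload, served_manifest),
    }


if __name__ == "__main__":
    for compromised in (False, True):
        r = simulate(compromised)
        print(f"host compromised={compromised}: weak runs {r['weak_runs'][:10]!r}, "
              f"hardened runs {r['hardened_runs']!r}")
```

The point of the hardened path is that the manifest is bound to a key the update server never holds: an attacker who controls the hosting infrastructure can swap the binary and recompute its hash, but the MAC (or, in production, the signature) fails and the client refuses to execute.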
What Are the Mitigation Tactics Against Lotus Blossom?
Lotus Blossom prioritizes identity theft, supply chain subversion, and covert persistence. Defenses should focus on software integrity and visibility into low-noise activity.
- Block Initial Access: Enforce MFA and patch internet-facing assets. Monitor for unauthorized software update redirections, as seen in the Notepad++ campaign.
- Protect Identities: Monitor for Access Token Manipulation and abnormal cloud authentication patterns that could signal Chrysalis activity.
- Harden Phishing Defenses: Deploy advanced sandboxing to detect weaponized documents and “watering hole” links used to deliver group payloads.
- Restrict Native Tool Abuse: Constrain PowerShell, WMI, and AdFind to prevent the group from blending into legitimate administrative tasks.
- Detect Persistence Early: Watch for unauthorized Windows Service creation and registry changes masquerading as system components.
- Neutralize DLL Side-Loading: Audit for legitimate binaries executing from atypical paths, especially when accompanied by malicious DLLs loading Sagerunex or Chrysalis.
- Limit Lateral Movement: Segment networks and restrict RDP/SMB access to stop methodical movement toward sensitive data.
- Monitor Command-and-Control: Inspect outbound traffic for communication with cloud APIs used by Sagerunex to mask C2 patterns within normal web traffic.
- Apply Threat Intelligence: Track Lotus Blossom infrastructure and TTPs to identify exposed credentials or early targeting signals.
- Validate Readiness: Conduct threat-hunting exercises mapped to Lotus Blossom’s MITRE ATT&CK profile to detect long-term dwell scenarios.
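Several of the items above describe hunts that can be expressed as rules over endpoint telemetry: a trusted binary loading an unexpected, unsigned DLL from its own directory (side-loading), a new service whose name imitates a system component but runs from a user-writable path, an autorun registry value pointing into a user profile, and a normally offline updater process reaching a cloud storage API. The following added example (not SOCRadar's or any vendor's detection content) runs those four rules over a handful of constructed Sysmon-style event records; the field names, file paths, domains, service names and baselines are all invented for the demo and would be replaced by an organization's own allowlists.

```python
"""Hunting for Lotus Blossom-style tradecraft in endpoint telemetry.

Added example, not SOCRadar's or any vendor's detection content. Walks
constructed Sysmon-like event records and raises findings for four behaviours
named in the mitigation list: DLL side-loading by a trusted binary, service
creation masquerading as a system component, registry autorun persistence,
and a normally offline process talking to a cloud API.
"""
from pathlib import PureWindowsPath
from typing import Optional

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Constructed baseline: binaries that legitimately load side-by-side DLLs and
# the exact DLL names each is expected to load from its own directory.
EXPECTED_DLLS = {"updater.exe": {"libcurl.dll", "zlib1.dll"}}
# Constructed baseline: hosts an updater may legitimately contact.
EXPECTED_NET = {"updater.exe": {"updates.example-editor.test"}}
CLOUD_API_SUFFIXES = (".storage.example-cloud.test", ".drive.example-cloud.test")
SYSTEM_LOOKALIKE_WORDS = ("windows", "microsoft", "defender", "update")


def _is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def check_event(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    kind = ev["event"]
    image = PureWindowsPath(ev.get("image", ""))
    if kind == "ImageLoad":
        dll = PureWindowsPath(ev["loaded"])
        expected = EXPECTED_DLLS.get(image.name.lower())
        same_dir = dll.parent.as_posix().lower() == image.parent.as_posix().lower()
        # Side-load signature: known host binary, DLL beside it, not on the
        # baseline, and carrying no Authenticode signature.
        if (expected is not None and same_dir
                and dll.name.lower() not in expected and not ev.get("signed", False)):
            return f"dll_sideload:{image.name}->{dll.name}"
    elif kind == "ServiceInstall":
        name = ev["service_name"].lower()
        if any(w in name for w in SYSTEM_LOOKALIKE_WORDS) and (
                _is_user_writable(ev["image_path"]) or not ev.get("signed", False)):
            return f"service_masquerade:{ev['service_name']}"
    elif kind == "RegistrySet":
        if "\\currentversion\\run" in ev["key"].lower() and _is_user_writable(ev["value"]):
            return f"autorun_persistence:{ev['value']}"
    elif kind == "NetworkConnect":
        allowed = EXPECTED_NET.get(image.name.lower())
        host = ev["dest_host"].lower()
        if allowed is not None and host not in allowed and host.endswith(CLOUD_API_SUFFIXES):
            return f"cloud_c2_candidate:{image.name}->{host}"
    return None


def hunt(events) -> list:
    """Apply check_event to every record and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample telemetry: two benign records interleaved with four hits.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "image": "C:\\Program Files\\Editor\\updater.exe",
     "loaded": "C:\\Program Files\\Editor\\libcurl.dll", "signed": True},
    {"event": "ImageLoad", "image": "C:\\Program Files\\Editor\\updater.exe",
     "loaded": "C:\\Program Files\\Editor\\loader.dll", "signed": False},
    {"event": "ServiceInstall", "service_name": "WindowsUpdateHelper",
     "image_path": "C:\\ProgramData\\svc\\wuhelper.exe", "signed": False},
    {"event": "ServiceInstall", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe", "signed": True},
    {"event": "RegistrySet", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "C:\\Users\\alice\\AppData\\Roaming\\sync.exe"},
    {"event": "NetworkConnect", "image": "C:\\Program Files\\Editor\\updater.exe",
     "dest_host": "updates.example-editor.test"},
    {"event": "NetworkConnect", "image": "C:\\Program Files\\Editor\\updater.exe",
     "dest_host": "files.storage.example-cloud.test"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each rule is deliberately conjunctive (a known host binary and a same-directory DLL and no signature, rather than any one of those) so that ordinary updaters loading their own bundled libraries stay quiet; the baselines are what make it tunable per environment.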
What Are the MITRE ATT&CK TTPs of Lotus Blossom?
| Tactic | ID | Name |
|---|---|---|
| Defense Evasion, Privilege Escalation | T1134 | Access Token Manipulation |
| Discovery | T1087.001 | Account Discovery: Local Account |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| Persistence, Privilege Escalation | T1560.001 | Archive Collected Data: Archive via Utility |
| Persistence, Privilege Escalation | T1560.003 | Archive Collected Data: Archive via Custom Method |
| Persistence, Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Discovery | T1482 | Domain Trust Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Defense Evasion, Persistence | T1112 | Modify Registry |
| Discovery | T1046 | Network Service Discovery |
| Resource Development | T1588.002 | Obtain Capabilities: Tool |
| Command and Control | T1090.001 | Proxy: Internal Proxy |
| Command and Control | T1090.003 | Proxy: Multi-hop Proxy |
| Discovery | T1012 | Query Registry |
| Discovery | T1018 | Remote System Discovery |
| Credential Access | T1539 | Steal Web Session Cookie |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Execution | T1047 | Windows Management Instrumentation |