G0030: Lotus Blossom
Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]
Analyst context for executives and security teams
Lotus Blossom matters because ATT&CK describes it as a long-standing group targeting entities in Asia since at least 2009, including government-related organizations and digital certificate issuers. For leaders, the practical issue is not only malware names; it is whether the organization can recognize post-compromise discovery, Windows administration tool abuse, internal reconnaissance, proxying, registry changes, and data staging before an incident becomes a broader operational or trust problem.
Executive priority
Prioritize this object where the business has exposure to Asia-based operations, government-adjacent work, certificate or trust services, or environments where Windows identity and endpoint telemetry are critical to resilience. Ask whether SOC and IR teams can prove visibility into Active Directory enumeration, WMI execution, registry modification, internal network mapping, and unusual command-and-control proxy behavior. This is also useful for audit and readiness discussions because many related behaviors rely on legitimate administrative utilities, making control evidence and logging quality more important than malware-only prevention.
Technical view
ATT&CK provides no official detection text and no group-level platform list, but the relationships point defenders toward Windows-heavy tradecraft and discovery-focused activity. Related software includes Elise, Emissary, Sagerunex, and Hannotog, plus common or dual-use tools such as ping, certutil, Impacket, AdFind, and NBTscan. Related techniques include registry query and modification, WMI execution, account and network discovery, remote system and service discovery, local data staging, access token manipulation, and internal or multi-hop proxying. SOC validation should therefore focus on behavior chains: enumeration followed by administrative execution, registry changes, staging activity, and network egress or proxy patterns, rather than relying only on static indicators or malware family names.
Likely telemetry
- Endpoint process creation with command line arguments for WMI, certutil, ping, AdFind-like LDAP queries, NBTscan-like activity, and other administrative utilities
- Windows Registry auditing or EDR telemetry for registry queries and modifications
- Windows event logs and EDR events related to WMI execution and remote administrative activity
- Active Directory, LDAP, and domain controller logs showing account, group, and directory enumeration
- Network flow, DNS, proxy, firewall, and web gateway logs for internal reconnaissance, unusual egress, and proxy or multi-hop patterns
Detection direction
- Validate detections for sequences of discovery commands across hosts, not just single commands that may be common in administration.
- Tune allowlists carefully for legitimate IT use of WMI, certutil, ping, AdFind, Impacket, and scanning utilities; false positives are likely without user, host role, time, and change-ticket context.
- Correlate registry modification with process lineage, account context, and persistence or defense-impairment hypotheses rather than treating every registry change as malicious.
- Monitor Active Directory enumeration from unusual workstations, service accounts, or newly accessed hosts, especially when followed by remote execution or internal network mapping.
- Look for internal proxy behavior and unusual east-west traffic paths; source attribution may be obscured by multi-hop proxying, so preserve network flow and proxy logs long enough for IR reconstruction.
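The first bullet above asks for detections that key on sequences of discovery commands rather than single commands. The following Python is an added illustration (not part of the ATT&CK object or this page's mirrored data) of that idea: it classifies process-creation command lines into the discovery categories named in this page's procedure notes (`ipconfig`/`netstat`, `net`/AdFind account queries, `dir`, `ping`, and the `reg query` check of a service's `Parameters` key) and raises one alert per host/user pair that crosses a category threshold inside a sliding time window. The events, hostnames, user names, and the `updsvc` service name are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery behaviours from this page's procedure notes; each regex is matched case-insensitively.
CATEGORIES = {
    "net_config": r"\b(ipconfig|netstat)(\.exe)?\b",
    "account_discovery": r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b|\badfind(\.exe)?\b",
    "file_discovery": r"(?:^|\s)dir(?:\s|$)",
    "host_reachability": r"\bping(\.exe)?\s",
    "service_check": r"\breg(\.exe)?\s+query\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\",
}

def classify(cmdline):
    """Return the set of discovery categories one command line matches."""
    return {name for name, pat in CATEGORIES.items() if re.search(pat, cmdline, re.IGNORECASE)}

def find_discovery_chains(events, window=timedelta(minutes=10), min_categories=3):
    """Flag each (host, user) that runs >= min_categories distinct categories inside one window."""
    by_actor = defaultdict(list)  # events are (timestamp, host, user, command_line) tuples
    for ts, host, user, cmd in events:
        cats = classify(cmd)
        if cats:
            by_actor[(host, user)].append((ts, cats))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, cats in hits[i:]:  # slide a window forward from each hit
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts.append({"host": host, "user": user, "start": start, "categories": sorted(seen)})
                break  # one alert per actor is enough for triage
    return alerts

# Constructed process-creation events (not real telemetry); WS02 shows routine two-command use.
T0 = datetime(2025, 3, 1, 9, 0)
def at(minutes): return T0 + timedelta(minutes=minutes)
SAMPLE_EVENTS = [
    (at(0), "WS01", "jdoe", "ipconfig /all"),
    (at(1), "WS01", "jdoe", "netstat -ano"),
    (at(3), "WS01", "jdoe", 'net group "Domain Admins" /domain'),
    (at(4), "WS01", "jdoe", r"reg query HKLM\SYSTEM\CurrentControlSet\Services\updsvc\Parameters"),
    (at(6), "WS01", "jdoe", r"cmd.exe /c dir C:\Users"),
    (at(60), "WS02", "helpdesk", "ipconfig /all"),
    (at(300), "WS02", "helpdesk", "ping 10.0.0.1"),
]
```

Thresholds and the window are tuning knobs: the helpdesk host never crosses three categories, which is the kind of allowlisting by behaviour, rather than by tool name, that the tuning bullet above describes.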
Mitigation priorities
- Establish baseline logging first: endpoint process telemetry, WMI events, registry visibility, AD query visibility, and network flow/proxy records.
- Reduce unnecessary administrative tool exposure and monitor sanctioned use of dual-use utilities rather than attempting blanket blocking that may disrupt operations.
- Harden identity and administrative access paths with least privilege, privileged account monitoring, and review of service account use, especially around WMI and directory enumeration.
- Segment sensitive systems and certificate or trust-service infrastructure so discovery and internal proxying are more detectable and less useful to an intruder.
- Prepare IR playbooks for discovery-heavy intrusions: scope account enumeration, remote execution, registry changes, local staging, and internal proxy routes before containment decisions.
Analyst notes and limits
The supplied ATT&CK data supports a conservative readiness-focused take: Lotus Blossom is long-running, has multiple aliases, has targeted Asia-based entities and digital certificate issuers, and is linked to several malware families and dual-use tools. The strongest defensive value is validating coverage for the related techniques and software, especially Windows endpoint, identity, directory, and network telemetry.
The group object has no official ATT&CK detection text, no specified group-level platforms or tactics, and the relationship descriptions are partial. Local exposure, active targeting, malware presence, and detection coverage cannot be inferred from this object alone; organizations need their own telemetry, asset context, and intelligence requirements to prioritize response.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Lotus Blossom has used commands such as `ipconfig` and `netstat` to gather network information on compromised hosts.[3] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Lotus Blossom has configured tools such as Sagerunex to run as Windows services.[3] |
| Enterprise | T1087.002 | Domain Account Sub-technique | Lotus Blossom has used `net` commands and tools such as AdFind to profile domain accounts associated with victim machines and make Active Directory queries.[2][3] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Lotus Blossom has locally staged compressed and archived data for follow-on exfiltration.[3] |
| Enterprise | T1134 | Access Token Manipulation | Lotus Blossom has retrieved process tokens for processes to adjust the privileges of the launch process or other items.[3] |
| Enterprise | T1087.001 | Local Account Sub-technique | Lotus Blossom has used commands such as `net` to profile local system users.[3] |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | Lotus Blossom has used publicly available tools such as the Venom proxy tool to proxy traffic out of victim environments.[3] |
| Enterprise | T1539 | Steal Web Session Cookie | Lotus Blossom has used publicly available tools to steal cookies from browsers such as Chrome.[3] |
| Enterprise | T1112 | Modify Registry | Lotus Blossom has installed tools such as Sagerunex by writing them to the Windows registry.[3] |
| Enterprise | T1049 | System Network Connections Discovery | Lotus Blossom has used commands such as `netstat` to identify system network connections.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | Lotus Blossom has used WMI to enable lateral movement.[3] |
| Enterprise | T1482 | Domain Trust Discovery | Lotus Blossom has used tools such as AdFind to make Active Directory queries.[2] |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | Lotus Blossom has performed checks to determine if a victim machine is able to access the Internet.[3] |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Lotus Blossom has used tools such as the publicly available HTran tool for proxying traffic in victim environments.[3] |
| Enterprise | T1588.002 | Tool Sub-technique | Lotus Blossom has used publicly available tools such as a Python-based cookie stealer for Chrome browsers, Impacket, and the Venom proxy tool.[3] |
| Enterprise | T1018 | Remote System Discovery | Lotus Blossom has used Ping to identify remote systems.[2] |
| Enterprise | T1083 | File and Directory Discovery | Lotus Blossom has used commands such as `dir` to examine the local filesystem of victim machines.[3] |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | Lotus Blossom has used custom tools to compress and archive data on victim systems.[3] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Lotus Blossom has used WinRAR for compressing data in RAR format.[2][3] |
| Enterprise | T1046 | Network Service Discovery | Lotus Blossom has used port scanners to enumerate services on remote hosts.[2] |
| Enterprise | T1012 | Query Registry | Lotus Blossom has run commands such as `reg query HKLM\SYSTEM\CurrentControlSet\Services\[service name]\Parameters` to verify whether installed implants are running as a service.[3] |
Groups, software, and campaigns
S0552: AdFind
S0097: Ping
S0357: Impacket
S0082: Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.[1]
S0081: Elise
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.[1][2]
S1211: Hannotog
Hannotog is a type of backdoor malware uniquely associated with Lotus Blossom operations since at least 2022.[1]
S0590: NBTscan
S1210: Sagerunex
Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants existing since at least 2016. Variations of Sagerunex leverage non-traditional command and control mechanisms such as various web services.[1][2]
S0160: certutil
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.0 | | Current bundle | 4b877ae53b8c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lotus Blossom Jun 2015: Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
[2] Symantec Bilbug 2022: Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
[3] Cisco LotusBlossom 2025: Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
[4] Accenture Dragonfish Jan 2018: Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS' MEETING AND ASSOCIATES. Retrieved November 17, 2024.
[5] Bilbug (associated name): (Citation: Symantec Bilbug 2022)
[6] DRAGONFISH (associated name): (Citation: Accenture Dragonfish Jan 2018)
[7] Lotus Blossom (associated name): (Citation: Lotus Blossom Jun 2015) (Citation: Accenture Dragonfish Jan 2018)
[8] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[9] RADIUM (associated name): (Citation: Microsoft Threat Actor Naming July 2023)
[10] Raspberry Typhoon (associated name): (Citation: Microsoft Threat Actor Naming July 2023)
[11] Spring Dragon (associated name): (Citation: Spring Dragon Jun 2015) (Citation: Accenture Dragonfish Jan 2018)
[12] Spring Dragon Jun 2015: Baumgartner, K. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
[13] Thrip (associated name): (Citation: Cisco LotusBlossom 2025)
[14] mitre-attack G0030 (external ID)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.