S0081: Elise
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.[1][2]
Analyst context for executives and security teams
Elise matters because ATT&CK identifies it as a custom Windows backdoor associated with Lotus Blossom, with related behaviors covering discovery, persistence, defense evasion, command-and-control, tool transfer, and local data staging. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint, registry, service, process, file, and web-traffic telemetry can show how a backdoor established persistence, blended in, communicated, and prepared data or tooling for follow-on activity.
Executive priority
Treat Elise as a validation case for Windows intrusion readiness against a custom backdoor rather than as a standalone signature problem. Priority questions: can the organization prove coverage for suspicious Windows service or Run key persistence, rundll32/DLL-based execution, discovery activity, abnormal web-based C2, encoded or encrypted traffic patterns, and evidence cleanup such as file deletion or timestomping? These controls support incident scoping, audit evidence, resilience planning, and prioritization of endpoint and network visibility investments.
Technical view
ATT&CK lists Elise as Windows malware and relates it to Lotus Blossom. The relationship set maps Elise to discovery techniques including system service, network configuration, process, system information, file/directory, and local account discovery; persistence through Windows services and Registry Run keys/startup folder; stealth through encoded/encrypted files, resource-name masquerading, DLL injection, rundll32 abuse, file deletion, and timestomping; C2 over web protocols with standard encoding and symmetric cryptography; ingress tool transfer; and local data staging. SOC and IR teams should validate correlated Windows host telemetry and network telemetry across these behaviors instead of relying on one malware indicator.
Likely telemetry
- Windows process creation and command-line telemetry, especially discovery utilities and rundll32 execution
- Windows service creation/modification events and related registry changes
- Registry Run key and Startup Folder modification events
- DLL load, remote thread, or process injection-relevant endpoint telemetry where available
- File creation, deletion, rename, path, and timestamp metadata, including evidence of timestomping or files placed in trusted-looking locations
Detection direction
- Because ATT&CK provides no official detection text for Elise, build detections from the related techniques and validate them in the local Windows environment.
- Correlate persistence events with nearby discovery commands, file placement, rundll32 execution, DLL activity, and outbound web traffic; isolated events may be administrative or benign.
- Tune for common false positives from legitimate software installation, system administration, inventory tools, backup agents, and endpoint management platforms that create services, query processes, or enumerate configuration.
- Review allowlists around rundll32.exe and trusted Windows directories; the related techniques indicate that legitimate names and locations may be abused to reduce visibility.
- Validate retention and integrity of file metadata and endpoint logs, since file deletion and timestomping can weaken post-incident reconstruction.
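The correlation idea in the list above (persistence plus nearby discovery, masquerading, rundll32 execution and web traffic, rather than any single event) can be sketched in a few dozen lines. The script below is an added example written for this page, not Glexia, MITRE or Elise-report code. The event shapes loosely follow Windows System log 7045, Sysmon 1/11/13 and a proxy access log, but every record, hostname, path and cookie is constructed; the discovery command list, the "trusted name outside a system directory" check and the Base64-cookie heuristic are assumptions, not indicators taken from the cited reports.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). WS-17 shows the whole
# pattern; WS-02 shows a legitimate backup-agent install with normal browsing.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS-17", "source": "system", "event_id": 7045,
     "image_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\svchost.exe"},
    {"ts": "2024-03-01T09:00:07", "host": "WS-17", "source": "sysmon", "event_id": 11,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\svchost.exe"},
    {"ts": "2024-03-01T09:00:09", "host": "WS-17", "source": "sysmon", "event_id": 13,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update"},
    {"ts": "2024-03-01T09:00:12", "host": "WS-17", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Network\core.dll,Start"},
    {"ts": "2024-03-01T09:00:20", "host": "WS-17", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"ts": "2024-03-01T09:00:25", "host": "WS-17", "source": "sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    {"ts": "2024-03-01T09:01:30", "host": "WS-17", "source": "proxy", "method": "GET",
     "url": "http://c2.example/index.php",  # constructed placeholder, not a real C2
     "cookie": "SESSIONID=" + base64.b64encode(b"hostname=WS-17;user=alice;pid=1337").decode()},
    {"ts": "2024-03-01T10:15:00", "host": "WS-02", "source": "system", "event_id": 7045,
     "image_path": r"C:\Program Files\BackupAgent\agent.exe"},
    {"ts": "2024-03-01T10:16:00", "host": "WS-02", "source": "proxy", "method": "GET",
     "url": "https://example.com/", "cookie": "lang=en"},
]

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)
TRUSTED_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
# Assumed generic discovery utilities; the page does not name Elise's commands.
DISCOVERY_CMDS = ("net user", "net localgroup", "net start", "tasklist", "ipconfig", "systeminfo", "dir ")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")


def looks_base64(value):
    """Weak signal on its own (many legitimate cookies are Base64); only used in correlation."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify(ev):
    """Map one record to a behaviour tag, or None when it is uninteresting alone."""
    src, eid = ev["source"], ev.get("event_id")
    if src == "system" and eid == 7045:  # new service installed (T1543.003)
        return "svc_persist_userpath" if USER_WRITABLE.search(ev["image_path"]) else "svc_persist"
    if src == "sysmon" and eid == 13 and re.search(r"\\CurrentVersion\\Run\\", ev["target"], re.I):
        return "runkey_persist"  # Run key value written (T1547.001)
    if src == "sysmon" and eid == 11:  # file created with a trusted name outside system dirs (T1036.005)
        name = ev["target"].rsplit("\\", 1)[-1].lower()
        if name in TRUSTED_NAMES and not SYSTEM_DIRS.match(ev["target"]):
            return "masquerade_name"
    if src == "sysmon" and eid == 1:
        cmd = ev.get("cmdline", "").lower()
        if ev.get("image", "").lower().endswith("rundll32.exe") and USER_WRITABLE.search(cmd):
            return "rundll32_userpath_dll"  # rundll32 loading a DLL from a user-writable path (T1218.011)
        if any(cmd.startswith(c) for c in DISCOVERY_CMDS):
            return "discovery"
    if src == "proxy":  # Base64-looking cookie value on plain web traffic (T1071.001 / T1132.001)
        for part in ev.get("cookie", "").split(";"):
            _, _, val = part.strip().partition("=")
            if looks_base64(val):
                return "b64_cookie_web"
    return None


def correlate(events, window=timedelta(minutes=30), min_tags=3):
    """Per host, flag a sliding window holding >= min_tags distinct behaviours,
    one of which is a persistence tag. Returns {host: sorted tag list}."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    hits = {}
    for host, tagged in by_host.items():
        for i, (t0, _) in enumerate(tagged):
            tags = {tag for t, tag in tagged[i:] if t - t0 <= window}
            if any("_persist" in t for t in tags) and len(tags) >= min_tags:
                hits[host] = sorted(tags)
                break
    return hits


if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

The threshold and window are deliberately tunable: a backup agent that installs a service and an inventory tool that runs `tasklist` on WS-02 never reach three distinct behaviours, which is the false-positive shape the list above warns about, while the lone Base64 cookie is only counted when persistence and execution evidence sit beside it.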
Mitigation priorities
- Prioritize Windows endpoint visibility and logging for service changes, Run key changes, process execution, DLL loading, and file metadata changes.
- Restrict unnecessary privilege to create or modify Windows services and persistence locations; review administrative access paths that can enable these changes.
- Apply application control or execution policy where feasible to reduce unauthorized DLL, rundll32, and unexpected binary execution from user-writable or suspicious paths.
- Harden egress controls and monitor outbound web-protocol traffic so unusual C2-like communications are reviewable, not lost in normal HTTP/S volume.
- Maintain incident response playbooks for backdoor cases that include persistence review, discovery activity reconstruction, network containment, staged-data search, and timeline validation for deleted or timestomped files.
Analyst notes and limits
The most useful defensive framing is behavior-based: Elise is described as a custom backdoor, and the supplied relationships show a broad Windows intrusion pattern spanning persistence, stealth, discovery, C2, transfer, and staging. The Lotus Blossom relationship is relevant for intelligence context, especially because the related group is described as long-standing and targeting entities in Asia, including government-related targets and digital certificate issuers, but attribution requires separate evidence.
The ATT&CK object does not provide official detection guidance, tactics are not specified on the malware object itself, and aliases/labels are not supplied. Technique relationships indicate behaviors associated with Elise but do not prove that every sample or incident will exhibit all behaviors. Local telemetry, asset role, baseline activity, and incident evidence are required to determine exposure or detection coverage.
Elise
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Elise can download additional files from the C2 server for execution. [2] |
| Enterprise | T1082 | System Information Discovery | Elise executes |
| Enterprise | T1573.001 | Symmetric Cryptography | Elise encrypts exfiltrated data with RC4. [1] |
| Enterprise | T1007 | System Service Discovery | Elise executes |
| Enterprise | T1543.003 | Windows Service | Elise configures itself as a service. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Elise executes |
| Enterprise | T1218.011 | Rundll32 | After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe. [1] |
| Enterprise | T1057 | Process Discovery | Elise enumerates processes via the |
| Enterprise | T1027.013 | Encrypted/Encoded File | Elise encrypts several of its files, including configuration files. [1] |
| Enterprise | T1070.006 | Timestomp | Elise performs timestomping of a CAB file it creates. [1] |
| Enterprise | T1083 | File and Directory Discovery | A variant of Elise executes |
| Enterprise | T1074.001 | Local Data Staging | Elise creates a file in |
| Enterprise | T1070.004 | File Deletion | Elise is capable of launching a remote shell on the host to delete itself. [2] |
| Enterprise | T1071.001 | Web Protocols | Elise communicates over HTTP or HTTPS for C2. [1] |
| Enterprise | T1132.001 | Standard Encoding | Elise exfiltrates data using cookie values that are Base64-encoded. [1] |
| Enterprise | T1087.001 | Local Account | Elise executes |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Elise injects DLL files into iexplore.exe. [1][2] |
Groups, software, and campaigns
G0030: Lotus Blossom
Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 5b753848d64e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lotus Blossom Jun 2015: Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- [2] Accenture Dragonfish Jan 2018: Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024.
- [3] BKDR_ESILE (Citation: Lotus Blossom Jun 2015)
- [4] Elise (Citation: Accenture Dragonfish Jan 2018)
- [5] Page (Citation: Lotus Blossom Jun 2015)
- [6] mitre-attack S0081
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.