S0082: Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.[1]
Analyst context for executives and security teams
Emissary matters because it represents a Windows Trojan with documented links in ATT&CK to Lotus Blossom and a broad set of behaviors defenders should be ready to validate: discovery, persistence, command execution, DLL-based evasion, web-based command-and-control, encrypted communications, and tool transfer. For leaders, the practical issue is not just this malware name; it is whether the organization can prove it would see a Windows host being profiled, persisted, remotely controlled, and modified in ways that often precede broader intrusion activity.
Executive priority
Prioritize Emissary as a coverage-validation use case for Windows endpoint visibility, identity and Active Directory readiness, and SOC/IR evidence quality. The ATT&CK relationships point to behaviors that can affect business continuity if they enable persistence, privilege escalation, command-and-control, or follow-on tooling. Security leaders should ask whether teams can produce audit-ready evidence for service creation, Run key persistence, suspicious rundll32/DLL activity, command shell use, local group and Group Policy discovery, and unusual web-based outbound traffic from endpoints.
Technical view
ATT&CK lists Emissary as Windows malware and relates it to techniques including System Service Discovery, System Network Configuration Discovery, Binary Padding, Encrypted/Encoded File, DLL Injection, Windows Command Shell, Local Groups discovery, Web Protocols for C2, System Information Discovery, Ingress Tool Transfer, Rundll32, Windows Service persistence, Registry Run Keys/Startup Folder, Symmetric Cryptography, and Group Policy Discovery. SOC and IR teams should validate Windows endpoint detections around discovery commands, service and registry persistence, rundll32 execution of DLLs, process injection indicators, and command shell activity. Network teams should validate visibility into outbound HTTP/S-like traffic patterns and file transfer indicators, while recognizing that encryption or encoding may limit content inspection.
Likely telemetry
- Windows process creation events, including cmd.exe, rundll32.exe, service-control utilities, and discovery commands
- Windows service creation or modification events and related registry changes
- Registry Run key and Startup Folder modification telemetry
- Endpoint detection telemetry for DLL loading, suspicious module activity, and possible process injection
- Local group, system information, network configuration, and Group Policy discovery command evidence
Detection direction
- Use the related ATT&CK techniques as a behavior chain rather than relying on the Emissary name or file hashes alone.
- Correlate Windows discovery activity with later persistence, rundll32/DLL execution, outbound web traffic, or tool transfer events to reduce false positives from legitimate administration.
- Tune carefully for administrative tools such as cmd.exe, service utilities, registry modification, and rundll32.exe because these have legitimate uses but become higher risk when chained with unusual parent processes, paths, users, or network destinations.
- Validate that endpoint tooling can handle large or padded binaries and does not depend solely on static signatures or hashes.
- Confirm that encrypted or encoded files and encrypted C2 reduce content-based detection, making endpoint behavior, proxy metadata, and correlation more important.
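As an added example (not code from the page, MITRE or Glexia), the correlation the bullets above describe, run over constructed Windows endpoint events: a host is alerted only when discovery, Run-key or rundll32 activity, and web egress occur together inside a window. The event shapes, the one-hour window and the discovery image list beyond ver/systeminfo are assumptions.

```python
# Added example, not code from the page, MITRE or Glexia: correlate the
# "Detection direction" chain over constructed events; shapes/window are assumed.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed per-host correlation window
# ver/systeminfo are named on the page; the other images are assumed typical
# commands for the listed discovery techniques (T1016, T1069.001, T1615, T1007).
DISCOVERY = {"systeminfo.exe", "net.exe", "ipconfig.exe", "gpresult.exe"}
RUN_KEY = r"\currentversion\run"

def stage(ev):
    """Map one event to a chain stage, or None if it is not of interest."""
    img, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    if ev["type"] == "process":
        if img in DISCOVERY or cmd.endswith(" ver"):
            return "discovery"
        if img == "rundll32.exe":  # DLL execution via rundll32 (T1218.011)
            return "rundll32"
    if ev["type"] == "registry" and RUN_KEY in ev["key"].lower() and "rundll32" in ev["data"].lower():
        return "persistence"  # Run key value pointing at rundll32 (T1547.001)
    if ev["type"] == "service_create":
        return "persistence"  # new service (T1543.003)
    if ev["type"] == "netconn" and ev["dport"] in (80, 443):
        return "c2"  # web-protocol egress (T1071.001); payload may be encrypted
    return None

def correlate(events):
    """One alert per host showing discovery + (persistence or rundll32) + web egress within WINDOW."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (s := stage(ev)):
            by_host.setdefault(ev["host"], []).append((ev["ts"], s))
    alerts = []
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - t0 <= WINDOW}
            if {"discovery", "c2"} <= seen and seen & {"persistence", "rundll32"}:
                alerts.append({"host": host, "start": t0, "stages": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts

T = datetime(2024, 1, 1, 9, 0)  # constructed timestamps and events; WS-2 is benign admin use
SAMPLE = [
    {"ts": T, "host": "WS-1", "type": "process", "image": "systeminfo.exe"},
    {"ts": T + timedelta(minutes=1), "host": "WS-1", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"ts": T + timedelta(minutes=5), "host": "WS-1", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": r"rundll32.exe C:\Users\Public\payload.dll,Start"},
    {"ts": T + timedelta(minutes=6), "host": "WS-1", "type": "netconn", "image": "iexplore.exe", "dport": 443},
    {"ts": T, "host": "WS-2", "type": "process", "image": "systeminfo.exe"},
    {"ts": T + timedelta(minutes=2), "host": "WS-2", "type": "netconn", "image": "msedge.exe", "dport": 443},
]
```

Run `correlate(SAMPLE)`: WS-1 is alerted with all three stages, while WS-2 (discovery plus browsing, no persistence) is not, which is the false-positive reduction the bullets ask for.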
Mitigation priorities
- Start with Windows endpoint hardening and monitoring for persistence paths: services, Run keys, Startup Folder entries, and DLL execution patterns.
- Limit unnecessary local administrative rights and review local group membership visibility because related behavior includes local group discovery and potential privilege-escalation paths.
- Strengthen egress monitoring and proxy controls for endpoint web traffic, especially where unusual destinations or transfer patterns appear after host discovery activity.
- Ensure incident response playbooks collect process, registry, service, file, and network artifacts needed to reconstruct this behavior chain.
- Use application control or execution control where feasible for high-risk script, shell, rundll32, and DLL-loading patterns, while testing for operational impact.
Analyst notes and limits
The supplied ATT&CK object identifies Emissary as a Windows Trojan used by Lotus Blossom and notes code overlap with Elise as part of LStudio. The most useful defensive value comes from the related techniques: they describe what to validate across endpoint, identity, and network telemetry. This take intentionally avoids asserting current activity, specific victims, or guaranteed detection coverage beyond the supplied fields.
Official detection guidance is not provided for this malware object. ATT&CK tactics are not specified directly on the malware object, so tactic framing is derived only from related technique context. The source material supports Windows as the malware platform; broader platforms listed on some related techniques should not be interpreted as Emissary platform support without additional evidence. Local logs, baselines, and control configuration are required to determine actual exposure and coverage.
Emissary
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Variants of Emissary have added Run Registry keys to establish persistence. (Citation: Emissary Trojan Feb 2016) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions. (Citation: Lotus Blossom Dec 2015) (Citation: Emissary Trojan Feb 2016) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Emissary injects its DLL file into a newly spawned Internet Explorer process. (Citation: Lotus Blossom Dec 2015) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Variants of Emissary have used rundll32.exe in Registry values added to establish persistence. (Citation: Emissary Trojan Feb 2016) |
| Enterprise | T1016 | System Network Configuration Discovery | Emissary has the capability to execute the command |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Emissary has the capability to create a remote shell and execute specified commands. (Citation: Lotus Blossom Dec 2015) |
| Enterprise | T1082 | System Information Discovery | Emissary has the capability to execute ver and systeminfo commands. (Citation: Emissary Trojan Feb 2016) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Emissary uses HTTP or HTTPS for C2. (Citation: Lotus Blossom Dec 2015) |
| Enterprise | T1105 | Ingress Tool Transfer | Emissary has the capability to download files from the C2 server. (Citation: Lotus Blossom Dec 2015) |
| Enterprise | T1615 | Group Policy Discovery | Emissary has the capability to execute |
| Enterprise | T1069.001 | Local Groups Sub-technique | Emissary has the capability to execute the command |
| Enterprise | T1007 | System Service Discovery | Emissary has the capability to execute the command |
| Enterprise | T1027.001 | Binary Padding Sub-technique | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan. (Citation: Emissary Trojan Feb 2016) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Emissary is capable of configuring itself as a service. (Citation: Emissary Trojan Feb 2016) |
Groups, software, and campaigns
G0030: Lotus Blossom
Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 2e3b46d583f9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lotus Blossom Dec 2015: Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
[2] Emissary (Citation: Lotus Blossom Dec 2015)
[3] mitre-attack S0082
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.