S1210: Sagerunex
Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants existing since at least 2016. Variations of Sagerunex leverage non-traditional command and control mechanisms such as various web services.[1][2]
Analyst context for executives and security teams
Sagerunex matters because ATT&CK describes it as a Windows malware family tied to Lotus Blossom operations and built around stealth, discovery, collection, exfiltration, and command-and-control behaviors that can blend into normal web activity or legitimate web services. For leaders, the decision value is not simply “find this malware”; it is validating whether the organization can notice a Windows host that profiles its environment, stages data, and communicates through web protocols or web-service-based channels without relying on a single malware signature.
Executive priority
Prioritize Sagerunex as a readiness test for espionage-style intrusion detection and response, especially where sensitive government, certificate, identity, or regulated data would create business or trust impact if collected or exfiltrated. Because ATT&CK provides no official detection guidance for this object, executives should ask whether SOC coverage is behavior-based across endpoint, identity, and network telemetry rather than dependent on known indicators. This is also relevant to audit and compliance evidence: teams should be able to show logging and investigation capability for discovery, privilege/stealth behaviors, local data staging, archive creation, and outbound C2/exfiltration over web channels.
Technical view
ATT&CK lists Sagerunex as Windows malware and links it to behaviors including System Network Configuration Discovery, Process Discovery, System Information Discovery, DLL Injection, Access Token Manipulation, Native API use, obfuscation/packing/encoding, execution guardrails, local data staging, archive creation, C2 over web protocols, proxy use, web-service communication, asymmetric cryptography, and exfiltration over a C2 channel. SOC and IR teams should validate detections as a chain: suspicious Windows process behavior and memory/injection indicators, discovery commands or API-driven host profiling, unusual token/security-context activity, creation of staged or archived data, and outbound web traffic patterns that do not match normal user or application behavior. Relationship context to Lotus Blossom should inform threat intelligence enrichment, but local evidence is required before making attribution claims.
Likely telemetry
- Windows endpoint process creation, parent/child process, command-line, module load, and file creation events
- Endpoint detection telemetry for DLL injection, native API abuse patterns, token/security-context manipulation, and memory execution anomalies
- Windows security events relevant to privilege use, process ownership, and access token behavior
- Host discovery evidence such as network configuration, system information, and process enumeration activity
- File-system telemetry for encoded/encrypted artifacts, packed executables, local staging directories, and archive creation via utilities
Detection direction
- Do not rely only on static malware signatures; ATT&CK relationships emphasize obfuscation, packing, encoded files, deobfuscation, and guardrails that can reduce signature reliability.
- Correlate endpoint discovery behaviors with later collection and outbound web activity; individual commands or API calls may be legitimate, but the sequence is higher value.
- Tune for Windows process injection and access token manipulation with attention to false positives from security tools, administration utilities, and enterprise management software.
- Baseline normal web-service and HTTP/S usage so proxying, unusual web-protocol C2, or one-way/bidirectional web-service communication has context.
- Look for local staging and archive creation before outbound transfer; this can provide earlier evidence than confirmed exfiltration.
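One way to act on the sequence-based direction above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python correlation that flags a host only when discovery, RAR staging, and outbound HTTPS carrying the hard-coded User-Agent from the techniques table occur in that order within a time window. The event schema, the discovery-utility list, and the sample telemetry are constructed assumptions, not a real log format.

```python
from datetime import datetime, timedelta
# Hard-coded User-Agent cited in the T1071.001 row of the techniques table.
HARD_CODED_UA = "Mozilla/5.0 (compatible; MSIE 7.0; Win32)"
# Assumed built-in utilities whose output matches the discovery techniques ATT&CK lists for Sagerunex.
DISCOVERY_CMDS = {"ipconfig", "systeminfo", "tasklist", "hostname"}
ORDER = ("discovery", "staging", "c2")

def classify(event):
    """Map one normalized event to a chain stage, or None if it is irrelevant."""
    if event["type"] == "process":
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if image.split(".")[0] in DISCOVERY_CMDS:
            return "discovery"
    elif event["type"] == "file" and event["path"].lower().endswith(".rar"):
        return "staging"          # T1560.001: collected material archived as RAR
    elif event["type"] == "proxy" and event["user_agent"] == HARD_CODED_UA:
        return "c2"               # T1071.001: HTTPS with the hard-coded UA
    return None

def correlate(events, window=timedelta(hours=2)):
    """Return {host: (chain_start, chain_end)} where the stages occur in ORDER within `window`."""
    hits, progress = {}, {}       # progress: host -> (next_stage_index, chain_start)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        idx, started = progress.get(ev["host"], (0, None))
        if idx and ev["ts"] - started > window:
            idx = 0               # chain went stale; require a fresh discovery event
        if stage == ORDER[idx]:
            started = ev["ts"] if idx == 0 else started
            idx += 1
            if idx == len(ORDER):
                hits[ev["host"]] = (started, ev["ts"])
                idx = 0
        progress[ev["host"]] = (idx, started)
    return hits

# Constructed sample telemetry (not real logs): WS-01 completes the chain, WS-02 shows only the UA, WS-03 falls outside the window.
T0 = datetime(2025, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": T0, "type": "process", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"host": "WS-01", "ts": T0 + timedelta(minutes=5), "type": "process", "image": r"C:\Windows\System32\tasklist.exe"},
    {"host": "WS-01", "ts": T0 + timedelta(minutes=20), "type": "file", "path": r"C:\Users\Public\sys.rar"},
    {"host": "WS-01", "ts": T0 + timedelta(minutes=25), "type": "proxy", "user_agent": HARD_CODED_UA},
    {"host": "WS-02", "ts": T0, "type": "proxy", "user_agent": HARD_CODED_UA},
    {"host": "WS-03", "ts": T0, "type": "process", "image": r"C:\Windows\System32\systeminfo.exe"},
    {"host": "WS-03", "ts": T0 + timedelta(days=1), "type": "file", "path": r"C:\Temp\out.rar"},
    {"host": "WS-03", "ts": T0 + timedelta(days=1, minutes=1), "type": "proxy", "user_agent": HARD_CODED_UA},
]
```

Only WS-01 is reported; the User-Agent alone on WS-02 and the stale chain on WS-03 stay below the threshold, which is the point of correlating the sequence rather than any single indicator.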
Mitigation priorities
- Start with visibility: confirm Windows endpoint, network egress, proxy, DNS, and web gateway telemetry is retained and searchable across the full suspected intrusion timeline.
- Harden and monitor identity/security-context controls relevant to token manipulation and privilege escalation paths on Windows systems.
- Reduce unnecessary outbound web access and require proxy/web gateway controls where feasible, while preserving logs needed to investigate web-protocol and web-service C2.
- Apply application control, endpoint protection, and script/utility governance to reduce execution of packed, encoded, or unauthorized binaries and archive utilities used for staging.
- Segment sensitive systems and data stores so discovery and local staging on one Windows host does not easily become broader collection or exfiltration risk.
Analyst notes and limits
The supplied ATT&CK object identifies Sagerunex as a Windows malware family associated with Lotus Blossom operations, with variants since at least 2016 and non-traditional C2 using web services. The strongest defensive value comes from the linked techniques: discovery, stealth, privilege-related process behavior, collection, command and control, and exfiltration. The relationship to Lotus Blossom is useful for threat intelligence context, especially given the related group description noting targeting of entities in Asia and digital certificate issuers, but this take avoids asserting current activity or organization-specific exposure.
Official ATT&CK detection guidance is not provided for Sagerunex, and the object’s tactics are not specified directly. Several related techniques list platforms beyond Windows, but the malware object itself is supplied as Windows; any non-Windows coverage decisions should be based on local risk and the individual technique pages, not on this malware platform field alone. External references are listed, but this summary does not add claims beyond the supplied ATT&CK fields and relationships.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090 | Proxy | Sagerunex uses several proxy configuration settings to ensure connectivity. [2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Sagerunex encrypts collected system data then exfiltrates via existing command and control channels. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Sagerunex will gather system information such as MAC and IP addresses. [2] |
| Enterprise | T1071.001 | Web Protocols | Sagerunex communicates via HTTPS, at times using a hard-coded User Agent of `Mozilla/5.0 (compatible; MSIE 7.0; Win32)`. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime. [1] |
| Enterprise | T1106 | Native API | Sagerunex calls the `WaitForSingleObject` API function as part of time-check logic. [2] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Sagerunex is designed to be dynamic link library (DLL) injected into an infected endpoint and executed directly in memory. [2] |
| Enterprise | T1057 | Process Discovery | Sagerunex identifies the `explorer.exe` process on the executing system. [1] |
| Enterprise | T1027.002 | Software Packing | Sagerunex has used VMProtect to pack and obscure itself. [2] |
| Enterprise | T1102.003 | One-Way Communication | Sagerunex has used web services such as Twitter for command and control purposes. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Sagerunex uses a custom decryption routine to unpack itself during installation. [2] |
| Enterprise | T1082 | System Information Discovery | Sagerunex gathers information from the infected system such as hostname. [2] |
| Enterprise | T1134 | Access Token Manipulation | Sagerunex finds the `explorer.exe` process after execution and uses it to change the token of its executing thread. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | Sagerunex uses HTTPS for command and control communication. [1] |
| Enterprise | T1074.001 | Local Data Staging | |
| Enterprise | T1480 | Execution Guardrails | Sagerunex uses a "servicemain" function to verify its environment to ensure it can only be executed as a service, as well as the existence of a configuration file in a specified directory. [2] |
| Enterprise | T1560.001 | Archive via Utility | Sagerunex has archived collected materials in RAR format. [2] |
| Enterprise | T1102.002 | Bidirectional Communication | Sagerunex has used virtual private servers (VPS) for command and control traffic as well as third-party cloud services in more recent variants. [2] |
Groups, software, and campaigns
G0030: Lotus Blossom
Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 627020cf9b5b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Bilbug 2022: Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
[2] Cisco LotusBlossom 2025: Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
[3] mitre-attack S1210: MITRE ATT&CK source object for S1210 (Sagerunex).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.