S1211: Hannotog
Hannotog is a type of backdoor malware uniquely associated with Lotus Blossom operations since at least 2022.[1]
Analyst context for executives and security teams
Hannotog matters because MITRE identifies it as Windows backdoor malware associated with Lotus Blossom operations and links it to behaviors that can support persistence, command execution, tool transfer, command-and-control, firewall tampering, service disruption, and automated exfiltration. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint, service, firewall, command-line, and network telemetry would let the organization recognize and investigate this behavior before it affects sensitive data or operations.
Executive priority
Prioritize Hannotog as a validation case for Windows backdoor readiness, especially in environments where government, certificate authority, or Asia-related targeting context is relevant to risk planning. Executives should ask whether SOC and IR teams can prove coverage for suspicious Windows service creation or modification, command shell abuse, non-standard network ports, inbound tool transfer, firewall changes, and automated data movement. This supports business continuity, incident decision-making, audit evidence for monitoring controls, and prioritization of identity, endpoint, and network logging investments.
Technical view
MITRE provides no dedicated detection text for Hannotog, so defenders should build coverage from the linked ATT&CK relationships. Validate Windows detections around cmd.exe execution patterns, new or modified Windows services, service stops, and firewall configuration changes. Correlate host events with network evidence for non-standard port use, external file transfer into the environment, command-and-control-like sessions, and automated outbound data movement. Because the malware object is Windows-scoped, testing should focus first on Windows endpoint and network telemetry while using the related techniques to guide analytic coverage.
Likely telemetry
- Windows process creation events, especially command shell execution
- Windows service creation, modification, start, stop, and recovery configuration events
- Windows Registry or service configuration data related to service persistence
- Host firewall policy, rule, and profile change logs
- Endpoint security alerts for backdoor-like execution, persistence, or defense impairment
Detection direction
- Treat Hannotog as a behavior-led detection problem because official ATT&CK detection guidance is not provided.
- Correlate Windows command shell activity with service creation or modification to reduce false positives from routine administration.
- Review service stop events in context; many are legitimate, but unexpected stops of important services during suspicious sessions should be escalated.
- Tune for firewall rule or profile changes made outside approved administration workflows.
- Look for protocol and port mismatches or unusual non-standard ports, but baseline business applications first to avoid noisy alerts.
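The correlation described above, as an added example that is not part of the MITRE object or the Symantec report: a small Python correlator that classifies constructed Windows events (Security 4688 process creation with command-line auditing, System 7045 service install, System 7036 service state change, Security 5158 WFP permitted bind) into the technique tags used on this page and alerts only when several distinct behaviours land on one host inside a time window. The sample events, the 30-minute window, the regexes, the UDP baseline port set and the host names are all assumptions to tune locally.

```python
"""Correlate Windows host telemetry for Hannotog-style backdoor behaviour.

Added example. All log lines below are constructed, not taken from a real
incident. The window, regexes and baseline port set are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (host, timestamp, event_id, message)
SAMPLE_EVENTS = [
    ("ws-17", "2025-03-01T09:00:00", 4688, r'New Process: C:\Windows\System32\cmd.exe  CommandLine: cmd.exe /c whoami'),
    ("ws-17", "2025-03-01T09:02:10", 4688, r'New Process: C:\Windows\System32\netsh.exe  CommandLine: netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=UDP localport=5900'),
    ("ws-17", "2025-03-01T09:03:00", 7045, r'A service was installed in the system. Service Name: WinUpdSvc Service File Name: C:\ProgramData\wupd.exe Start Type: auto start'),
    ("ws-17", "2025-03-01T09:04:30", 5158, r'The Windows Filtering Platform has permitted a bind to a local port. Application Name: \device\harddiskvolume2\programdata\wupd.exe Source Port: 5900 Protocol: 17'),
    ("ws-17", "2025-03-01T09:05:00", 7036, r'The Windows Defender Antivirus Service service entered the stopped state.'),
    # Routine administration on another host: isolated signals must not alert.
    ("srv-02", "2025-03-01T11:00:00", 7045, r'A service was installed in the system. Service Name: BackupAgent Service File Name: C:\Program Files\Backup\agent.exe Start Type: auto start'),
    ("srv-02", "2025-03-01T11:01:00", 7036, r'The Print Spooler service entered the stopped state.'),
]

WINDOW = timedelta(minutes=30)  # assumption: signals within 30 min are related
BASELINE_UDP_PORTS = {53, 67, 68, 123, 137, 138, 500, 4500}  # assumed-normal UDP listeners

CMD_SHELL = re.compile(r'cmd\.exe\s+/c\b', re.I)
FW_ADD = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule.*?protocol=udp.*?localport=(\d+)', re.I)
BIND = re.compile(r'Source Port:\s*(\d+)\s+Protocol:\s*17\b')  # 17 = UDP
STOPPED = re.compile(r'service entered the stopped state', re.I)


def classify(event_id, message):
    """Map one raw event to (technique_tag, detail) or None if uninteresting.

    Tags use the technique IDs as listed in this page's techniques table.
    """
    if event_id == 4688:
        m = FW_ADD.search(message)
        if m:
            return ("T1686 firewall_open_udp", int(m.group(1)))
        if CMD_SHELL.search(message):
            return ("T1059.003 cmd_shell", None)
    elif event_id == 7045:
        return ("T1543.003 service_install", None)
    elif event_id == 7036 and STOPPED.search(message):
        return ("T1489 service_stop", None)
    elif event_id == 5158:
        m = BIND.search(message)
        if m and int(m.group(1)) not in BASELINE_UDP_PORTS:
            return ("T1571 nonstandard_udp_listen", int(m.group(1)))
    return None


def correlate(events, min_signals=3):
    """Return one alert per host where >= min_signals distinct tags fall in one window.

    A service stop or a single service install is routine on its own; the
    threshold counts distinct techniques, not raw events, so a burst of one
    behaviour does not trigger. When the port opened by netsh is later bound
    by a process, that pairing is reported explicitly.
    """
    per_host = defaultdict(list)
    for host, ts, eid, msg in events:
        tag = classify(eid, msg)
        if tag:
            per_host[host].append((datetime.fromisoformat(ts), tag))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            in_window = [t for ts_, t in hits[i:] if ts_ - start <= WINDOW]
            tags = {t[0] for t in in_window}
            if len(tags) >= min_signals:
                opened = {d for t, d in in_window if t.startswith("T1686")}
                bound = {d for t, d in in_window if t.startswith("T1571")}
                alerts.append({"host": host, "techniques": sorted(tags),
                               "port_opened_then_bound": sorted(opened & bound)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints one alert for `ws-17` with five distinct technique tags and `port_opened_then_bound: [5900]`, and nothing for `srv-02`, whose service install and service stop are the kind of routine administration the detection-direction notes warn about. In production the message parsing would come from structured fields (Sysmon or XML event data) rather than regexes over rendered text, and the baseline port set must be built from the organisation's own traffic.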
Mitigation priorities
- Ensure Windows endpoint logging and centralized collection are enabled before relying on detections for this malware family.
- Harden and monitor Windows service creation and modification paths, including administrative change control.
- Restrict and review command shell usage where feasible, especially on servers and high-value workstations.
- Protect host firewall configuration from unauthorized modification and alert on policy drift.
- Apply network egress controls and monitor non-standard protocol and port use.
Analyst notes and limits
The strongest defensive value comes from mapping Hannotog to its related behaviors: Windows Command Shell, Windows Service persistence, Ingress Tool Transfer, Non-Standard Port, Disable or Modify System Firewall, Service Stop, and Automated Exfiltration. These relationships give SOC and IR teams concrete validation points even though the malware entry itself is brief.
The supplied ATT&CK object has no official detection text, no aliases, no explicit tactics on the malware object, and limited malware-specific technical detail. Relationship descriptions are partially truncated in the supplied data. Local telemetry, baselines, and asset criticality are required to determine actual exposure or detection coverage. This summary does not claim active exploitation or guaranteed detection.
Hannotog
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1571 | Non-Standard Port | Hannotog uses non-standard listening ports, such as UDP 5900, for command and control purposes.[1] |
| Enterprise | T1489 | Service Stop | Hannotog can stop Windows services.[1] |
| Enterprise | T1020 | Automated Exfiltration | Hannotog can upload encrypted data for exfiltration.[1] |
| Enterprise | T1686 | Disable or Modify System Firewall | Hannotog can modify local firewall settings via `netsh` commands to open a listening UDP port.[1] |
| Enterprise | T1543.003 | Windows Service | Hannotog creates a new service for persistence.[1] |
| Enterprise | T1059.003 | Windows Command Shell | Hannotog can execute various `cmd.exe /c %s` commands.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Hannotog can download additional files to the victim machine.[1] |
Groups, software, and campaigns
G0030: Lotus Blossom
Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | efd47d72154f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025. (Symantec Bilbug 2022)
[2] MITRE ATT&CK. S1211: Hannotog.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.