S1210: Sagerunex
Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants existing since at least 2016. Variations of Sagerunex leverage non-traditional command and control mechanisms such as various web services.[1][2]
Analyst context for executives and security teams
Sagerunex matters because ATT&CK describes it as a Windows malware family tied to Lotus Blossom operations and built around stealth, discovery, collection, exfiltration, and command-and-control behaviors that can blend into normal web activity or legitimate web services. For leaders, the decision value is not simply “find this malware”; it is validating whether the organization can notice a Windows host that profiles its environment, stages data, and communicates through web protocols or web-service-based channels without relying on a single malware signature.
Executive priority
Prioritize Sagerunex as a readiness test for espionage-style intrusion detection and response, especially where sensitive government, certificate, identity, or regulated data would create business or trust impact if collected or exfiltrated. Because ATT&CK provides no official detection guidance for this object, executives should ask whether SOC coverage is behavior-based across endpoint, identity, and network telemetry rather than dependent on known indicators. This is also relevant to audit and compliance evidence: teams should be able to show logging and investigation capability for discovery, privilege/stealth behaviors, local data staging, archive creation, and outbound C2/exfiltration over web channels.
Technical view
ATT&CK lists Sagerunex as Windows malware and links it to behaviors including System Network Configuration Discovery, Process Discovery, System Information Discovery, DLL Injection, Access Token Manipulation, Native API use, obfuscation/packing/encoding, execution guardrails, local data staging, archive creation, C2 over web protocols, proxy use, web-service communication, asymmetric cryptography, and exfiltration over a C2 channel. SOC and IR teams should validate detections as a chain: suspicious Windows process behavior and memory/injection indicators, discovery commands or API-driven host profiling, unusual token/security-context activity, creation of staged or archived data, and outbound web traffic patterns that do not match normal user or application behavior. Relationship context to Lotus Blossom should inform threat intelligence enrichment, but local evidence is required before making attribution claims.
Likely telemetry
- Windows endpoint process creation, parent/child process, command-line, module load, and file creation events
- Endpoint detection telemetry for DLL injection, native API abuse patterns, token/security-context manipulation, and memory execution anomalies
- Windows security events relevant to privilege use, process ownership, and access token behavior
- Host discovery evidence such as network configuration, system information, and process enumeration activity
- File-system telemetry for encoded/encrypted artifacts, packed executables, local staging directories, and archive creation via utilities
Detection direction
- Do not rely only on static malware signatures; ATT&CK relationships emphasize obfuscation, packing, encoded files, deobfuscation, and guardrails that can reduce signature reliability.
- Correlate endpoint discovery behaviors with later collection and outbound web activity; individual commands or API calls may be legitimate, but the sequence is higher value.
- Tune for Windows process injection and access token manipulation with attention to false positives from security tools, administration utilities, and enterprise management software.
- Baseline normal web-service and HTTP/S usage so proxying, unusual web-protocol C2, or one-way/bidirectional web-service communication has context.
- Look for local staging and archive creation before outbound transfer; this can provide earlier evidence than confirmed exfiltration.
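The correlation the detection direction above calls for (host discovery, then local staging or archive creation, then outbound web traffic that no browser initiated), as an added example that is not part of the ATT&CK object or the Glexia page; the event fields, the two-hour window and the process names used as stage markers are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative stage markers mapped to techniques listed on this page (assumptions):
DISCOVERY = ("ipconfig.exe", "systeminfo.exe", "tasklist.exe")  # T1016 / T1082 / T1057
ARCHIVERS = ("rar.exe", "7z.exe", "winrar.exe")                 # T1560.001
STAGES = ("discovery", "archive", "outbound")                    # expected order

def classify(ev):
    """Map one endpoint or network event to a stage name, or None if uninteresting."""
    if ev["type"] == "process":
        image = ev["image"].lower()
        if image.endswith(DISCOVERY):
            return "discovery"
        if image.endswith(ARCHIVERS):
            return "archive"
    elif ev["type"] == "network" and ev["port"] in (80, 443) and not ev["browser"]:
        return "outbound"  # T1071.001 / T1102: web traffic not initiated by a browser
    return None

def correlate(events, window=timedelta(hours=2)):
    """Return {host: chain_start} for hosts whose events contain discovery -> archive -> outbound in order, all inside `window`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, seq in per_host.items():
        idx, start = 0, None
        for ts, stage in seq:
            if start and ts - start > window:   # chain went stale, start over
                idx, start = 0, None
            if stage == STAGES[idx]:            # only the next expected stage advances the chain
                start = start or ts
                idx += 1
                if idx == len(STAGES):
                    hits[host] = start
                    break
    return hits

T0 = datetime(2025, 3, 15, 9, 0)
def _ev(host, minutes, **kw):  # helper for building constructed sample events
    return {"host": host, "ts": T0 + timedelta(minutes=minutes), **kw}

SAMPLE_EVENTS = [  # constructed telemetry, not real data; ws-02's chain is too slow to fire
    _ev("ws-17", 0, type="process", image=r"C:\Windows\System32\ipconfig.exe"),
    _ev("ws-17", 20, type="process", image=r"C:\Users\u\AppData\Local\Temp\rar.exe"),
    _ev("ws-17", 25, type="network", port=443, browser=False),
    _ev("ws-02", 0, type="process", image=r"C:\Windows\System32\systeminfo.exe"),
    _ev("ws-02", 300, type="process", image=r"C:\Program Files\7-Zip\7z.exe"),
    _ev("ws-02", 301, type="network", port=443, browser=False),
]
```

Each stage on its own is routine administrator or user activity; the value is in the ordered sequence on one host, which is why the hit is keyed on the chain start rather than on any single event.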
Mitigation priorities
- Start with visibility: confirm Windows endpoint, network egress, proxy, DNS, and web gateway telemetry is retained and searchable across the full suspected intrusion timeline.
- Harden and monitor identity/security-context controls relevant to token manipulation and privilege escalation paths on Windows systems.
- Reduce unnecessary outbound web access and require proxy/web gateway controls where feasible, while preserving logs needed to investigate web-protocol and web-service C2.
- Apply application control, endpoint protection, and script/utility governance to reduce execution of packed, encoded, or unauthorized binaries and archive utilities used for staging.
- Segment sensitive systems and data stores so discovery and local staging on one Windows host does not easily become broader collection or exfiltration risk.
Analyst notes and limits
The supplied ATT&CK object identifies Sagerunex as a Windows malware family associated with Lotus Blossom operations, with variants since at least 2016 and non-traditional C2 using web services. The strongest defensive value comes from the linked techniques: discovery, stealth, privilege-related process behavior, collection, command and control, and exfiltration. The relationship to Lotus Blossom is useful for threat intelligence context, especially given the related group description noting targeting of entities in Asia and digital certificate issuers, but this take avoids asserting current activity or organization-specific exposure.
Official ATT&CK detection guidance is not provided for Sagerunex, and the object’s tactics are not specified directly. Several related techniques list platforms beyond Windows, but the malware object itself is supplied as Windows; any non-Windows coverage decisions should be based on local risk and the individual technique pages, not on this malware platform field alone. External references are listed, but this summary does not add claims beyond the supplied ATT&CK fields and relationships.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090 | Proxy | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1106 | Native API | |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1027.002 | Software Packing Sub-technique | |
| Enterprise | T1102.003 | One-Way Communication Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1134 | Access Token Manipulation | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | |
| Enterprise | T1480 | Execution Guardrails | |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | |
Groups, software, and campaigns
G0030: Lotus Blossom
Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 627020cf9b5b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Bilbug 2022. Symantec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.
[2] Cisco LotusBlossom 2025. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
[3] mitre-attack S1210.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.