Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications

The Lotus Blossom hacker group, also known as Spring Dragon, Billbug, or Thrip, has been identified leveraging legitimate cloud services like Dropbox, Twitter, and Zimbra for command-and-control (C2) communications in their cyber espionage campaigns.

Cisco Talos researchers attribute these sophisticated operations to the group with high confidence, citing the use of a custom backdoor family called Sagerunex.

Active since at least 2012, Lotus Blossom continues to target sectors such as government, manufacturing, telecommunications, and media across regions including the Philippines, Vietnam, Hong Kong, and Taiwan.

Multi-Variant Malware and Evasion Tactics

The Sagerunex backdoor has evolved into multiple variants designed to evade detection and maintain persistence in compromised environments.

Earlier versions relied on traditional Virtual Private Servers (VPS) for C2 operations. However, recent campaigns exhibit a shift toward third-party cloud services.

By utilizing Dropbox APIs, Twitter tokens, and Zimbra webmail APIs as C2 tunnels, the group effectively blends malicious traffic with legitimate service usage, complicating detection efforts.

For example:

• Dropbox and Twitter Variants: These variants use APIs to establish C2 channels. After initial checks, they retrieve tokens to communicate with the C2 infrastructure. Collected data is encrypted and uploaded to Dropbox or transmitted via Twitter status updates.
• Zimbra Variant: This version leverages Zimbra’s webmail service for both data exfiltration and command execution. Host information is encrypted into files attached to draft emails in compromised accounts.

These techniques highlight the group’s adaptability in exploiting widely used platforms to bypass traditional security mechanisms.

Persistence and Reconnaissance

Lotus Blossom employs advanced methods to maintain long-term access within targeted networks.

The Sagerunex backdoor is injected directly into memory and configured to run as a service through system registry modifications.

Commands such as “netstat,” “ipconfig,” and “tasklist” are executed for reconnaissance, gathering detailed information about user accounts, processes, and network configurations.

Additionally, the group uses tools like:

• Chrome Cookie Stealers: To harvest browser credentials.
• Venom Proxy Tools: Customized for relaying connections.
• Archiving Tools: For compressing and encrypting stolen files.
• Port Relay Tools: To facilitate external communication from isolated systems.

These tactics enable the group to operate undetected for extended periods while conducting espionage activities.

Cisco Talos’ analysis links these campaigns to Lotus Blossom based on consistent tactics, techniques, and procedures (TTPs), as well as victim profiles.

The Sagerunex backdoor family remains central to their operations. Despite developing distinct variants over time, core functionalities such as time-check logic for execution delays remain consistent across all versions.

The use of legitimate cloud services for malicious purposes underscores the challenges organizations face in distinguishing between benign and harmful activity.

This development calls for enhanced monitoring of cloud-based traffic and robust endpoint protection solutions to mitigate risks posed by advanced persistent threats like Lotus Blossom.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!