Blog

“Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company,” the Symantec Threat Hunter Team said in a new report shared with The Hacker News. “The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool.”

The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom’s cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023.

Then last month, Cisco Talos connected the Lotus Panda actor to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with a backdoor known as Sagerunex. Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip) has a history of orchestrating cyber attacks against governments and military organizations in Southeast Asia.

Believed to be active since at least 2009, the group came under the spotlight for the first time in June 2015 when Palo Alto Networks attributed the threat actor to a persistent spear-phishing campaign. This campaign exploited a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil) that’s designed to execute commands and read/write files.

Subsequent attacks mounted by the group have weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment. This attachment was sent in a spear-phishing email to an individual then working for the French Ministry of Foreign Affairs in Taiwan to deploy another trojan related to Elise codenamed Emissary.

In the latest wave of attacks spotted by Symantec, the attackers have leveraged legitimate executables from Trend Micro (“tmdbglog.exe”) and Bitdefender (“bds.exe”) to sideload malicious DLL files. These files act as loaders to decrypt and launch a next-stage payload embedded within a locally stored file.

The Bitdefender binary has also been used to sideload another DLL, although the exact nature of the file is unclear. Another unknown aspect of the campaign is the initial access vector used to reach the entities in question. The attacks paved the way for an updated version of Sagerunex, a tool exclusively used by Lotus Panda.

It comes with capabilities to harvest target host information, encrypt it, and exfiltrate the details to an external server under the attacker’s control. Also deployed in the attacks are a reverse SSH tool, and two credential stealers ChromeKatz and CredentialKatz that are equipped to siphon passwords and cookies stored in the Google Chrome web browser.

“The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to services that were exposed internally,” Symantec said. “Another legitimate tool used was called ‘datechanger.exe.’ It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts.”

The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service.

“Each of these improvements helps mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft,” Charlie Bell, Executive Vice President for Microsoft Security, said in a post shared with The Hacker News ahead of publication.

Microsoft also noted that 90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated by a hardened identity Software Development Kit (SDK) and that 92% of employee productivity accounts are now using phishing-resistant multifactor authentication (MFA) to mitigate risk from advanced cyber attacks.

Besides isolating production systems and enforcing a two-year retention policy for security logs, the company also said it’s protecting 81% of production code branches using MFA through proof-of-presence checks.

“To reduce the risk of lateral movement, we are piloting a project to move customer support workflows and scenarios into a dedicated tenant,” it added. “Security baselines are enforced across all types of Microsoft tenants, and a new tenant provisioning system automatically registers new tenants in our security emergency response system.”

The changes are part of its Secure Future Initiative (SFI), which the company characterized as the “largest cybersecurity engineering project in history and most extensive effort of its kind at Microsoft.”

The SFI gained traction last year in response to a report from the U.S. Cyber Safety Review Board (CSRB), which criticized the tech giant for a series of avoidable errors that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 in 2023.

Microsoft, in July 2023, revealed that a validation error in its source code allowed for Azure Active Directory (Azure AD) or Entra ID tokens to be forged by Storm-0558 using an MSA consumer signing key to infiltrate several organizations and gain unauthorized email access for subsequent exfiltration of mailbox data.

Late last year, the company also launched a Windows Resiliency Initiative to improve security and reliability and avoid causing system disruptions like what happened during the infamous CrowdStrike update incident in July 2024.

This includes a feature called Quick Machine Recovery, which enables IT administrators to run specific fixes on Windows PCs even in situations when the machines are unable to boot. It’s built into the Windows Recovery Environment (WinRE).

“Unlike traditional repair options that rely on user intervention, it activates automatically when the system detects failure,” Patch My PC’s Rudy Ooms said late last month. “The whole cloud remediation process is pretty straightforward: it checks if flags/settings like CloudRemediation, AutoRemediation, and optionally HeadlessMode are set. If the environment meets the conditions (such as an available network and required plugin), Windows silently initiates recovery.”