CyberSecurity news
info@thehackernews.com (The Hacker News)
A China-linked cyber espionage group known as Lotus Panda (also tracked as Billbug) has been targeting organizations in Southeast Asia. The campaign ran from August 2024 to February 2025 and compromised multiple entities within a single Southeast Asian country, spanning government, critical infrastructure, and media, which points to broad espionage objectives. The attacks used new tooling, including loaders, credential stealers, and a reverse SSH tool, showing that the group continues to develop and adapt its capabilities.
The intrusions delivered malware through DLL sideloading of legitimate security software: the attackers abused Trend Micro's "tmdbglog.exe" and Bitdefender's "bds.exe" to load attacker-supplied DLLs. Those DLLs then decrypted and executed further payloads, giving the attackers a foothold on the compromised systems. Because the process doing the loading is a trusted vendor binary, the technique is designed to evade detection that keys on the executable rather than on the module it loads.
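The practical defensive question raised by this paragraph is how to spot a legitimate vendor binary being used as a sideloading host. The following is an added example (not code from Symantec/Broadcom, The Hacker News, or either vendor) that classifies Sysmon Event ID 7 (ImageLoad) records: it flags the two executables named above when they run from somewhere other than their vendor's install directory, or when they load a module that carries no signature. The expected install directories, the signer logic, and the sample events (including the DLL name "tmdebug.dll") are assumptions constructed for illustration; the report names the host executables but not the malicious DLLs or their locations.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example for this page, not code from Symantec/Broadcom or the vendors.
The two host executables are the ones the article names; the expected install
directories, the signer logic and the sample events are ASSUMED/constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath


def norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case/separator insensitive."""
    return ntpath.normcase(path)


# Vendor executables reported as sideloading hosts, with the directory each is
# ASSUMED to be installed under on a healthy endpoint (adjust to your estate).
SIDELOAD_HOSTS = {
    "tmdbglog.exe": norm(r"C:\Program Files\Trend Micro") + "\\",
    "bds.exe": norm(r"C:\Program Files\Bitdefender") + "\\",
}


@dataclass
class ImageLoad:
    image: str         # Sysmon "Image": the process that loaded the module
    image_loaded: str  # Sysmon "ImageLoaded": full path of the DLL
    signed: bool       # Sysmon "Signed"
    signature: str     # Sysmon "Signature": signer subject, "" if unsigned


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding string, or None when the event is not a sideloading candidate."""
    exe = ntpath.basename(norm(ev.image))
    expected_dir = SIDELOAD_HOSTS.get(exe)
    if expected_dir is None:
        return None  # not one of the abused host binaries
    # Sideloading commonly copies the legitimate host next to the rogue DLL in a
    # writable directory, so a host outside its vendor path is the strongest signal.
    if not norm(ev.image).startswith(expected_dir):
        return f"{exe} executing outside vendor directory: {ev.image}"
    # Host in the right place but loading a module that carries no signature:
    # a DLL dropped into (or planted ahead of) the vendor's search path.
    if not ev.signed:
        return f"{exe} loaded unsigned module {ev.image_loaded}"
    return None


def scan(events: List[ImageLoad]) -> List[str]:
    """Run classify() over a batch of events and return the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (not real events); "tmdebug.dll" is a made-up name.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Trend Micro\Client Server Security Agent\tmdbglog.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\Libraries\tmdbglog.exe",
              r"C:\Users\Public\Libraries\tmdebug.dll", False, ""),
    ImageLoad(r"C:\Program Files\Bitdefender\Endpoint Security\bds.exe",
              r"C:\Program Files\Bitdefender\Endpoint Security\log.dll", False, ""),
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll",
              True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when turning this into a production rule: Sysmon's Signed/Signature fields only reflect Authenticode state at load time, so a stolen or leaked code-signing certificate would pass the second check, and the vendor directory prefixes must match how the product is actually deployed (per-user installs, alternate drives, and agent updates all move binaries). The directory check is the one worth alerting on at high confidence; the unsigned-module check is better used as an enrichment signal.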
Beyond sideloading, Lotus Panda deployed custom tools: the ChromeKatz and CredentialKatz credential stealers, along with a reverse SSH tool. The group is also known for the Sagerunex backdoor, which was observed in earlier attacks against Asian organizations. Victims in this campaign included a government ministry, an air traffic control organization, a telecommunications provider, a construction company, a news agency, and an air freight organization. These findings highlight the evolving tradecraft of state-sponsored threat actors and the sustained cyber pressure on nations in Southeast Asia.
References :
- www.scworld.com: Southeast Asia subjected to Lotus Panda attack campaign
- The Hacker News: Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware
- eSecurity Planet: Lotus Panda Hackers Strike Southeast Asian Governments With Browser Stealers, Sideloaded Malware
- Industrial Cyber: Billbug espionage group targets government, critical sectors in coordinated Southeast Asia cyber intrusion campaign
- Broadcom Software Blogs: Lotus Panda Targets SE Asian Governments Using DLL Sideloading and Browser Stealers
Classification:
- HashTags: #LotusPanda #cyberespionage #SoutheastAsia
- Company: Symantec
- Target: Southeast Asia
- Attacker: Lotus Panda
- Product: Browser
- Feature: Browser Stealing
- Type: Espionage
- Severity: Major