The PolySwarm Blog


Lotus Panda Uses Sagerunex to Target Multiple Verticals

Mar 10, 2025 2:08:01 PM / by The Hivemind

Verticals Targeted: Government, Telecommunications, Media, Manufacturing

Executive Summary

Lotus Panda, also known as Lotus Blossom, was observed using Sagerunex to target multiple verticals. 

Key Takeaways

  • Lotus Panda, also known as Lotus Blossom, was observed using Sagerunex to target multiple verticals. 
  • Targets include entities in the government, telecommunications, media, and manufacturing sectors, all located in the APAC region. 
  • Victimology in this campaign appears to indicate a strategic focus on intelligence collection. 
  • Lotus Panda is a China-nexus threat actor group known for espionage, with links to PLA Unit 78020.

The Campaign 

Lotus Panda, also known as Lotus Blossom, was observed using Sagerunex to target multiple verticals. Verticals targeted in the campaign include government, telecommunications, media, and manufacturing. Targets were located in the Philippines, Vietnam, Hong Kong, and Taiwan. Cisco Talos reported on this activity. 

In the recent campaign, Lotus Panda used the Sagerunex backdoor, augmented by a suite of post-exploitation tools. Cisco Talos researchers attribute this activity to Lotus Panda with a high degree of confidence, citing consistent tactics, techniques, and procedures (TTPs) and the exclusive deployment of Sagerunex, which distinguishes the group from other APTs. Victimology in this campaign appears to indicate a strategic focus on intelligence collection.

Lotus Panda employs a multi-stage infection chain. Initial compromise occurs via spear-phishing emails delivering malicious payloads, often disguised as legitimate documents. After exploitation, Sagerunex establishes persistence by writing itself into the Windows registry and configuring itself as a service that runs with SYSTEM privileges. Sagerunex variants include one that uses Dropbox for command-and-control (C2) through API-token-authenticated HTTPS requests and another that abuses Zimbra webmail servers, exfiltrating data via HTTP POST requests; both reflect adaptive evasion techniques.

The group’s toolkit extends beyond Sagerunex. A PyInstaller-compiled Chrome cookie dumper, built on Python’s sqlite3 module, reads browser databases to extract session tokens. The group also uses Impacket’s SMBexec and WMIexec modules for remote command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI), facilitating lateral movement. Proxy configurations within Sagerunex, hardcoded with IP addresses, usernames, and passwords, route C2 traffic through SOCKS5 or HTTP proxies, adding a layer of obfuscation. These persistence mechanisms support dwell times that extend to months.

Technical dissection of Sagerunex reveals a modular architecture. Variants share a core codebase with minor deviations, such as Web Proxy Autodiscovery Protocol (WPAD) integration for dynamic proxy resolution via DHCP or DNS. The “Beta” variant retains debug strings, indicating active refinement. Embedded commands include registry manipulation and filesystem operations, executed via cmd.exe. Data exfiltration employs XOR encryption with a static key, applied to payloads before transmission over TLS-encrypted channels. 
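The static XOR key noted above is the weak point an incident responder can lean on: one known plaintext fragment in a captured payload exposes the key stream, and a static key makes that stream periodic. The following Python example is added here and is not PolySwarm's or Sagerunex's code; the sample key, hostname and record format are constructed stand-ins, since the bulletin does not publish the real key or payload layout.

```python
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_static_key(ciphertext: bytes, crib: bytes, offset: int) -> Optional[bytes]:
    """Recover a static repeating XOR key from a known plaintext fragment.

    XORing the ciphertext with the plaintext known to sit at `offset` exposes
    the key stream over that span. Because the key is static, that stream is
    periodic; the shortest period the span confirms at least twice over is
    the key. Returns None if the crib is too short to pin down a period.
    """
    stream = xor_bytes(ciphertext[offset:offset + len(crib)], crib)
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            # stream[i] == key[(offset + i) % period]; undo the offset rotation
            return bytes(stream[(j - offset) % period] for j in range(period))
    return None


def decode_capture(ciphertext: bytes, crib: bytes, offset: int) -> Optional[bytes]:
    """Decode a whole captured payload once the static key is recovered."""
    key = recover_static_key(ciphertext, crib, offset)
    return None if key is None else xor_bytes(ciphertext, key)


# Constructed sample: a fake exfiltration record and a fake 4-byte static key.
# Neither value comes from Sagerunex; they only stand in for captured traffic.
SAMPLE_KEY = bytes.fromhex("5aa713c8")
SAMPLE_PLAINTEXT = (
    b"HOST=WS-FIN-07\r\n"
    b"USER=jdoe\r\n"
    b"FILE=Q1_budget.xlsx\r\n"
)
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # An analyst who knows the victim hostname can use it as the crib.
    crib = b"HOST=WS-FIN-07\r\n"
    key = recover_static_key(SAMPLE_CAPTURE, crib, offset=0)
    print("recovered key:", key.hex() if key else None)
    print(decode_capture(SAMPLE_CAPTURE, crib, offset=0))
```

A crib shorter than twice the key length (here, fewer than 8 bytes) cannot confirm the period and the function returns None rather than guessing.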

Who is Lotus Panda?

Lotus Panda, also known as Naikon, Override Panda, APT30, Spring Dragon, Billbug, Thrip, ST Group, Dragonfish, Bronze Elgin, Lotus Blossom, and Red Salamander, is a China-nexus APT group known to target government and military entities in Southeast Asia. Its activity has been traced to PLA Unit 78020. The group has been active since at least 2012 and is known for espionage activity.

IOCs

PolySwarm has multiple samples associated with this activity.


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -t LotusPanda
