The Chinese APT group Lotus Panda has been actively targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan using updated versions of the Sagerunex backdoor. Also tracked as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, this cyber espionage group has been operating since at least 2009 and was first publicly identified by Symantec in 2018.
According to Cisco Talos researcher Joey Chen, Lotus Panda has been using the Sagerunex malware since at least 2016, increasingly focusing on long-term persistence through command shells while continuously developing new variants. The group’s latest attacks introduce two new beta versions of Sagerunex that take advantage of legitimate services, including cloud storage platforms and webmail services, as command-and-control channels to evade detection. Debugging elements in the source code suggest these variants are still under development.
The method of initial access remains unclear, but the group has previously relied on spear-phishing emails and compromised websites to infiltrate target systems. Once deployed, the Sagerunex backdoor collects and encrypts system data before transmitting it to a remote server under the attackers’ control. A webmail-based version of Sagerunex not only gathers victim data but also allows attackers to send commands through compromised email accounts, storing responses in draft or trash folders as encrypted archives.
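The defender's angle on the two beta variants described above is that a server has little legitimate reason to talk to consumer webmail or personal cloud storage at all, whereas workstations do so constantly. The following is an added example (not code from the Cisco Talos report or from the malware) of a role-aware heuristic run over constructed proxy log lines: it parses the lines, keeps only hosts whose asset-inventory role is "server", and aggregates their hits and outbound bytes to webmail and cloud-storage URL categories. The log format, the category names, the hostnames and the `HOST_ROLES` mapping are all assumptions for illustration.

```python
"""Flag server-role hosts that reach webmail or cloud-storage services.

Heuristic built from the published description of Sagerunex beta variants
using legitimate cloud storage and webmail as C2 channels. The proxy log
format, URL category labels and asset roles below are constructed
assumptions; in a real deployment they come from the proxy and the CMDB.
"""
from collections import defaultdict
import re

# Constructed proxy log lines: timestamp, source host, destination, URL category, bytes out.
SAMPLE_LOGS = """\
2025-03-01T08:02:11Z wks-014 mail.example-webmail.test webmail 5120
2025-03-01T08:03:40Z srv-db-02 storage.example-cloud.test cloud-storage 148201
2025-03-01T08:05:02Z srv-db-02 storage.example-cloud.test cloud-storage 152330
2025-03-01T08:06:15Z wks-021 cdn.example-news.test news 2048
2025-03-01T08:07:59Z srv-web-01 mail.example-webmail.test webmail 90112
2025-03-01T08:10:10Z srv-web-01 mail.example-webmail.test webmail 88455
2025-03-01T08:10:45Z wks-014 mail.example-webmail.test webmail 4096
this line is malformed and must be skipped
"""

# Assumed asset roles; a real detection would pull these from the inventory.
HOST_ROLES = {
    "wks-014": "workstation",
    "wks-021": "workstation",
    "srv-db-02": "server",
    "srv-web-01": "server",
}

# URL categories the reporting names as abused C2 channels.
C2_CAPABLE_CATEGORIES = {"webmail", "cloud-storage"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<dest>\S+) (?P<cat>\S+) (?P<bytes>\d+)$"
)


def parse_logs(text):
    """Parse proxy lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def find_anomalies(records, roles, server_min_hits=1):
    """Return server-role hosts that contacted webmail or cloud-storage services.

    Workstation traffic to these categories is normal and is ignored; for
    servers even one hit merits a ticket, but the threshold is exposed so a
    noisy environment can raise it. Outbound byte totals are kept because
    the backdoor uploads encrypted archives of collected data.
    """
    hits = defaultdict(lambda: {"count": 0, "bytes_out": 0, "dests": set()})
    for rec in records:
        if rec["cat"] not in C2_CAPABLE_CATEGORIES:
            continue
        if roles.get(rec["host"]) != "server":
            continue
        entry = hits[rec["host"]]
        entry["count"] += 1
        entry["bytes_out"] += rec["bytes"]
        entry["dests"].add(rec["dest"])
    return {
        host: {
            "count": entry["count"],
            "bytes_out": entry["bytes_out"],
            "dests": sorted(entry["dests"]),
        }
        for host, entry in hits.items()
        if entry["count"] >= server_min_hits
    }


if __name__ == "__main__":
    alerts = find_anomalies(parse_logs(SAMPLE_LOGS), HOST_ROLES)
    for host, info in sorted(alerts.items()):
        print(
            f"ALERT {host}: {info['count']} hit(s), {info['bytes_out']} bytes out "
            f"to {', '.join(info['dests'])}"
        )
```

The role lookup is what keeps this usable: without it, every workstation checking personal mail would fire. In a mature environment the same logic belongs in the SIEM as a correlation rule keyed on the proxy's category field and the asset inventory's role field, with the byte total as a severity modifier.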
Beyond Sagerunex, the group employs various tools, including malware designed to steal browser credentials, an open-source proxy tool for obfuscating traffic, privilege escalation utilities, and custom software to compress and encrypt stolen information. The attackers also conduct reconnaissance by running system commands to map the network environment. If internet access is restricted, they either use existing proxy settings or deploy additional proxy tools to establish a connection between isolated machines and internet-facing systems.
These ongoing activities highlight Lotus Panda’s adaptability, as it continuously refines its techniques to avoid detection and maintain persistence within compromised networks. By exploiting legitimate online services for command-and-control operations, the group demonstrates a sophisticated approach to cyber espionage across various industries in Asia.