Clankerusecase
Threat-actor profile

🌐Lotus Blossom

🌐 Lotus Blossom is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 21 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- Use cases: 14
- Articles: 0
- Techniques: 21
- IOCs: 0

About this actor (MITRE)

[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/groups/G0030) has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)

Known aliases

Lotus Blossom, DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip

Top techniques

All other tracked techniques

Detection use cases (14)

- Lotus Blossom / Bilbug Sagerunex backdoor C2 to legitimate cloud services from injected svchost.exe (AI · profile SΣ)
- Lotus Blossom on-host recon burst followed by WinRAR staging (Bilbug discovery → collection chain) (AI · profile S)
- 1Password activity from Tor exit node (MITRE match)
- Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Application user activity from Tor (MITRE match)
- Google Workspace access from Tor exit node (MITRE match)
- Infostealer — non-browser process accessing browser cookie/login DBs (MITRE match)
- Service install for persistence — sc.exe / new service registry write (MITRE match)
- 7zip CommandLine To SMB Share Path (MITRE match)
- AdsiSearcher Account Discovery (MITRE match)
- Advanced IP or Port Scanner Execution (MITRE match)
- Anomalous usage of 7zip (MITRE match)