The cyber espionage group known as Billbug, also tracked under the aliases Lotus Blossom, Lotus Panda, Bronze Elgin, and formerly Thrip, has been linked to an intrusion campaign targeting critical organizations across Southeast Asia. The campaign ran from August 2024 to February 2025 and compromised entities in at least three countries, signalling a marked escalation in the group's activity.
Symantec's Threat Hunter Team reported that the group infiltrated a government ministry, an air traffic control authority, a telecommunications operator, and a construction company, all located within a single Southeast Asian nation.
New Tools, Familiar Tactics
The campaign combined newly developed malware with classic cyberespionage tradecraft. Researchers observed several custom-built tools, including two distinct credential stealers, ChromeKatz and CredentialKatz, designed to harvest saved passwords and cookies from Google Chrome.
A reverse SSH tool that listens for incoming connections on port 22 was also deployed, most likely to give the operators covert interactive access to compromised systems.
A standout technique in the campaign was DLL sideloading, in which a legitimate, signed executable is made to load an attacker-supplied DLL placed alongside it, so the malicious code runs under a trusted vendor's name and is less likely to be blocked. Billbug operators used executables from the established security vendors Trend Micro and Bitdefender to load their malware.
In one instance, the legitimate Trend Micro binary tmdbglog.exe was used to sideload a malicious loader, tmdglog.dll, which decrypted and executed a payload hidden in a temporary system log file. Similarly, Bitdefender's bds.exe binary was abused to load log.dll, a separate malicious loader that decrypted a payload from winnt.config and injected it into the Windows systray.exe process.
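The sideloading pattern described above leaves a recognisable trace in image-load telemetry: a vendor-signed executable running outside its install directory, loading an unsigned DLL from its own folder whose name may even mimic the vendor's real DLL (tmdbglog.exe loading tmdglog.dll). The following Python is an added illustration of that detection logic; it is not code from Symantec or from the article, and the event records, signer strings and scoring weights are constructed assumptions modelled loosely on Sysmon Event ID 7 (ImageLoad) fields.

```python
"""Score image-load events for DLL sideloading indicators.

Added example for this article (not Symantec's or the attackers' code).
Records mimic Sysmon ImageLoad fields; the sample events below are
constructed, not captured from a real host.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # path of the EXE doing the loading
    process_signed: bool
    process_signer: str
    loaded_image: str    # path of the DLL being loaded
    loaded_signed: bool
    loaded_signer: str


# Assumed signer strings for the vendors named in the article.
SECURITY_VENDOR_SIGNERS = {"Trend Micro, Inc.", "Bitdefender SRL"}
# OS DLLs (kernel32.dll etc.) are signed by Microsoft, not by the vendor.
TRUSTED_OS_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
INSTALL_ROOTS = ("c:\\program files", "c:\\windows")


def sideload_score(ev: ImageLoad) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched heuristic adds one point."""
    reasons: list[str] = []
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.loaded_image)
    if dll.suffix.lower() != ".dll":
        return 0, reasons
    exe_dir = str(exe.parent).lower()
    dll_dir = str(dll.parent).lower()

    # 1. A security-vendor-signed EXE executing from an unusual location.
    if ev.process_signed and ev.process_signer in SECURITY_VENDOR_SIGNERS:
        if not exe_dir.startswith(INSTALL_ROOTS):
            reasons.append("vendor-signed EXE running outside its install root")

    # 2. DLL resolved from the EXE's own directory instead of System32.
    if dll_dir == exe_dir and dll_dir not in SYSTEM_DIRS:
        reasons.append("DLL loaded from the EXE's own directory")

    # 3. Signed EXE loading a DLL that is unsigned or signed by someone else.
    if ev.process_signed and (
        not ev.loaded_signed
        or (ev.loaded_signer != ev.process_signer
            and ev.loaded_signer not in TRUSTED_OS_SIGNERS)
    ):
        reasons.append("DLL signature missing or signer differs from EXE")

    # 4. DLL name that nearly matches the EXE name (tmdbglog -> tmdglog).
    ratio = difflib.SequenceMatcher(
        None, exe.stem.lower(), dll.stem.lower()).ratio()
    if 0.6 <= ratio < 1.0:
        reasons.append(f"DLL name mimics EXE name (similarity {ratio:.2f})")

    return len(reasons), reasons


def find_sideloads(events: list[ImageLoad], threshold: int = 2) -> list[tuple[str, list[str]]]:
    """Return (loaded_image, reasons) for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = sideload_score(ev)
        if score >= threshold:
            hits.append((ev.loaded_image, reasons))
    return hits


# Constructed sample telemetry (paths are illustrative assumptions).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Trend Micro\tmdbglog.exe", True, "Trend Micro, Inc.",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Trend Micro\tmdbglog.exe", True, "Trend Micro, Inc.",
              r"C:\Program Files\Trend Micro\tmumh.dll", True, "Trend Micro, Inc."),
    ImageLoad(r"C:\Users\Public\tm\tmdbglog.exe", True, "Trend Micro, Inc.",
              r"C:\Users\Public\tm\tmdglog.dll", False, ""),
    ImageLoad(r"C:\ProgramData\bd\bds.exe", True, "Bitdefender SRL",
              r"C:\ProgramData\bd\log.dll", False, ""),
]

if __name__ == "__main__":
    for image, why in find_sideloads(SAMPLE_EVENTS):
        print(image, "->", "; ".join(why))
```

The threshold of 2 keeps a legitimate vendor plugin loaded from the product's own install directory (one weak indicator) below the alert line, while both sideloads from the article score three or more. In production the signer fields would come from the endpoint agent rather than being typed in by hand.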
Return of the Sagerunex Backdoor
A new variant of Sagerunex, a custom backdoor used exclusively by Billbug, was also deployed in this operation. The malware establishes persistence by modifying the Windows registry and is built for stealthy, long-term access. This aligns with findings published by Cisco Talos in February 2025, which documented similar Sagerunex variants in persistent cyber-espionage campaigns.
The attackers also used the publicly available Zrok tool to provide peer-to-peer remote access to internal systems, and a utility named datechanger.exe to alter file timestamps, hindering forensic analysis and blurring the timeline of their activity.
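Timestamp manipulation of the kind attributed to datechanger.exe is usually done through user-mode APIs, which can only set the $STANDARD_INFORMATION timestamps of an NTFS file; the $FILE_NAME timestamps are written by the kernel and stay untouched. Comparing the two attributes, and checking whether the user-settable values carry a suspiciously round sub-second component, is a standard forensic check. The Python below is an added example of that check; it is not part of the article or of Symantec's research, the attribute layout is simplified to Python datetimes, and the records are constructed. It also shows the well-known false positive: a copied file legitimately has a modification time earlier than its creation time, so that alone is not flagged.

```python
"""Flag files whose $SI timestamps look stomped, using $FN as the reference.

Added example for this article (not Symantec's or the attackers' code).
NTFS stores 100 ns ticks; Python datetime carries microseconds, which is
enough to show the zero-sub-second heuristic. Records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION, settable from user mode
    si_modified: datetime
    fn_created: datetime   # $FILE_NAME, set by the kernel on create/rename
    fn_modified: datetime


# Tolerance for ordinary clock noise between the two attributes.
SLACK = timedelta(seconds=2)


def timestomp_indicators(rec: MftRecord) -> list[str]:
    reasons: list[str] = []
    # $SI created earlier than $FN created: the kernel set $FN at creation,
    # so an older $SI value had to be written afterwards by a user-mode API.
    if rec.si_created + SLACK < rec.fn_created:
        gap = rec.fn_created - rec.si_created
        reasons.append(f"$SI created precedes $FN created by {gap}")
    # Tools that parse a date string and call SetFileTime typically produce
    # whole-second values; kernel-written timestamps almost never do.
    si_round = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_precise = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_round and fn_precise:
        reasons.append("$SI timestamps are whole seconds while $FN keeps sub-second precision")
    # Deliberately not flagged: si_modified < si_created, which is normal
    # for a file copied from elsewhere (copy preserves modified, not created).
    return reasons


def find_timestomped(records: list[MftRecord]) -> dict[str, list[str]]:
    return {r.path: why for r in records if (why := timestomp_indicators(r))}


# Constructed sample records (paths and times are illustrative assumptions).
SAMPLE_RECORDS = [
    # Ordinary file written once and edited later.
    MftRecord(r"C:\Users\alice\report.docx",
              datetime(2024, 10, 3, 9, 12, 44, 123456), datetime(2024, 10, 3, 9, 15, 1, 987654),
              datetime(2024, 10, 3, 9, 12, 44, 123456), datetime(2024, 10, 3, 9, 15, 1, 987654)),
    # Dropped loader backdated to 2019 after the kernel had already stamped $FN.
    MftRecord(r"C:\Users\Public\tm\tmdglog.dll",
              datetime(2019, 5, 2, 10, 0, 0), datetime(2019, 5, 2, 10, 0, 0),
              datetime(2024, 11, 18, 14, 22, 9, 334455), datetime(2024, 11, 18, 14, 22, 9, 334455)),
    # Legitimately copied file: modified predates created, but $FN agrees with $SI.
    MftRecord(r"C:\Users\alice\old-notes.txt",
              datetime(2024, 11, 18, 14, 22, 9, 334455), datetime(2023, 1, 10, 8, 0, 0, 500000),
              datetime(2024, 11, 18, 14, 22, 9, 334455), datetime(2023, 1, 10, 8, 0, 0, 500000)),
]

if __name__ == "__main__":
    for path, why in find_timestomped(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(why))
```

The caveat to remember is that a rename or move rewrites $FN from the current $SI values, so an attacker who stomps first and renames afterwards defeats the comparison; the USN journal and $LogFile then become the next place to look.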
Attribution
This latest campaign appears to be a continuation of activity first documented by Symantec in December 2024. At the time, analysts attributed the intrusions to Chinese threat actors but could not pinpoint a specific group. Overlap between the indicators of compromise (IOCs) from that activity and those seen in the recent campaign has allowed Symantec to attribute the activity to Billbug with confidence.
Billbug has operated since at least 2009, with a long-standing focus on Southeast Asia. The group first gained international attention in 2015 following a report by Palo Alto Networks linking it to more than 50 attacks. Since then, it has targeted a wide range of sectors including government, military, telecommunications, education, and media across countries such as Indonesia, Malaysia, the Philippines, and Vietnam.
Source: hxxps[://]www[.]security[.]com/threat-intelligence/billbug-china-espionage