Wednesday, May 7, 2025

Chinese Hackers Leverage Reverse SSH Tool in New Wave of Attacks on Organizations


The Chinese hacker group known as Billbug, or Lotus Blossom, targeted high-profile organizations across Southeast Asia.

The attackers, who were previously documented by Symantec and later Cisco Talos, employed a variety of new custom tools, alongside novel techniques like DLL sideloading, to infiltrate and persist within their victims’ networks.

New Weapons in the Arsenal

Billbug’s arsenal included a range of malware specifically designed to evade detection and exfiltrate sensitive data.


Among these was a new variant of the Sagerunex backdoor (SHA256: 4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e), which was used to establish persistence by manipulating registry settings to run as a service.

This backdoor is known for its flexibility, allowing the attackers to execute commands and steal data as they direct.

A significant addition to their toolkit was a reverse SSH tool (SHA256: 461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced) capable of opening an outbound SSH connection on port 22, thereby providing remote access from internal networks to the internet.

This tool was particularly useful for maintaining control over the compromised systems discreetly.
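A reverse SSH tool has to dial out from the compromised host, so the observable a defender can hunt for is a new, allowed TCP/22 session from an internal address to an internet address that is not on the organisation's list of legitimate SSH endpoints. The following Python is an added example, not code from the article or from Symantec; the firewall log format, the addresses and the allowlist are all constructed for illustration.

```python
# Added example (not from the article or Symantec): flag outbound SSH sessions
# from internal hosts to non-allowlisted internet addresses in a firewall log.
# Log layout, hosts and allowlist below are constructed.
import ipaddress
from typing import List

# Constructed pipe-delimited firewall export: time|src|dst|dport|proto|action
SAMPLE_LOG = """\
2025-05-06T09:12:01Z|10.20.4.15|10.20.1.5|22|tcp|allow
2025-05-06T09:14:33Z|10.20.4.15|203.0.113.77|22|tcp|allow
2025-05-06T09:15:10Z|10.20.7.8|198.51.100.12|443|tcp|allow
2025-05-06T09:20:45Z|10.20.9.30|192.0.2.200|22|tcp|allow
2025-05-06T09:21:02Z|10.20.9.31|203.0.113.10|22|tcp|allow
"""

# Hypothetical allowlist of external SSH endpoints the organisation legitimately uses
SSH_ALLOWLIST = {"203.0.113.10"}

# RFC 1918 ranges treated as "internal"
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record with a numeric port."""
    ts, src, dst, dport, proto, action = line.strip().split("|")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}


def find_outbound_ssh(log_text: str, allowlist=SSH_ALLOWLIST) -> List[dict]:
    """Return allowed TCP/22 sessions from an internal source to a
    non-allowlisted external destination: the footprint of a reverse SSH tool."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != 22 or rec["action"] != "allow":
            continue                      # not an allowed SSH session
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue                      # not internal -> internet
        if rec["dst"] in allowlist:
            continue                      # known-good endpoint
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_outbound_ssh(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:22 outbound SSH to unlisted host")
```

Run against the constructed log, two sessions are flagged: the one from 10.20.4.15 to 203.0.113.77 and the one from 10.20.9.30 to 192.0.2.200; the internal-to-internal session, the HTTPS session and the session to the allowlisted endpoint are ignored. In practice the allowlist would come from change records, and a hit from a workstation rather than a bastion host is the higher-confidence signal.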

Advanced Credential Stealing

The hackers also deployed ChromeKatz and CredentialKatz to harvest credentials from the Chrome browser.

These tools, with multiple variants, were designed to extract both credentials and cookies, facilitating further network infiltration.

To bypass security measures, Billbug utilized DLL sideloading, a technique where they used legitimate software to load malicious DLLs.

An example includes the manipulation of a Trend Micro binary named tmdbglog.exe to sideload a malicious DLL called tmdglog.dll, which then executed encrypted contents from C:\Windows\temp\TmDebug.log.

Similarly, a Bitdefender binary named bds.exe was exploited to load a malicious DLL named log.dll, which attempted to run code hidden within winnt.config.

The campaign not only compromised a government ministry, an air traffic control organization, a telecoms operator, and a construction company in one Southeast Asian country but also staged intrusions into a news agency in another country and an air freight organization in a neighboring nation.

These attacks highlight the group’s broad strategic interests, targeting sectors vital for national security and economic stability.

For organizations looking to safeguard against such intrusions, regular updates to security protocols are essential.

Symantec has released a Protection Bulletin detailing the latest protection measures against this threat actor.

Additionally, monitoring for and blocking the Indicators of Compromise (IOCs) can help in identifying and thwarting potential attacks.

This sophisticated campaign underscores the evolving cyber espionage capabilities of state-linked actors and the persistent threat they pose to organizations worldwide, prompting a need for heightened vigilance and robust cybersecurity measures.

Indicators of Compromise (IOCs)

SHA256                                                            Tool
4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e  Sagerunex Backdoor
2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4  ChromeKatz
6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61  ChromeKatz
ea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7  ChromeKatz
e3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1  CredentialKatz
29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d  CredentialKatz
461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced  Reverse SSH Tool
b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904  Date Changer
54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b  Loader
b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd  Loader
becbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594  Suspected Loader
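The hashes above are only useful if something actually compares them against files on disk. The following Python is an added example, not code from the article or Symantec: it embeds the article's SHA256 list, hashes every file under a directory in chunks, and reports matches. The self-check at the end builds a scratch directory with a harmless constructed file and adds that file's own hash to a copy of the list, so the matching path can be exercised without any real sample.

```python
# Added example (not from the article or Symantec): sweep a directory tree for
# files whose SHA256 appears in the article's IOC list. The scratch files in
# demo() are constructed and harmless.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA256 -> tool, as listed in the article
BILLBUG_SHA256: Dict[str, str] = {
    "4b430e9e43611aa67263f03fd42207c8ad06267d9b971db876b6e62c19a0805e": "Sagerunex Backdoor",
    "2e1c25bf7e2ce2d554fca51291eaeb90c1b7c374410e7656a48af1c0afa34db4": "ChromeKatz",
    "6efb16aa4fd785f80914e110a4e78d3d430b18cbdd6ebd5e81f904dd58baae61": "ChromeKatz",
    "ea87d504aff24f7daf026008fa1043cb38077eccec9c15bbe24919fc413ec7c7": "ChromeKatz",
    "e3869a6b82e4cf54cc25c46f2324c4bd2411222fd19054d114e7ebd32ca32cd1": "CredentialKatz",
    "29d31cfc4746493730cda891cf88c84f4d2e5c630f61b861acc31f4904c5b16d": "CredentialKatz",
    "461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced": "Reverse SSH Tool",
    "b337a3b55e9f6d72e22fe55aba4105805bb0cf121087a3f6c79850705593d904": "Date Changer",
    "54f0eaf2c0a3f79c5f95ef5d0c4c9ff30a727ccd08575e97cce278577d106f6b": "Loader",
    "b75a161caab0a90ef5ce57b889534b5809af3ce2f566af79da9184eaa41135bd": "Loader",
    "becbfc26aef38e669907a5e454655dc9699085ca9a4e5f6ccd3fe12cde5e0594": "Suspected Loader",
}


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs: Dict[str, str] = BILLBUG_SHA256) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, sha256, tool) for every file whose hash is an IOC."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue                      # unreadable or vanished; skip, don't abort
            if digest in iocs:
                matches.append((p, digest, iocs[digest]))
    return matches


def demo() -> List[Tuple[str, str, str]]:
    """Constructed self-check: one benign file, one file whose own hash is planted
    into a copy of the IOC list so that exactly that file should be reported."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"ordinary file, should not match\n")
        planted = os.path.join(d, "sample.bin")
        with open(planted, "wb") as f:
            f.write(b"constructed sample, not real malware\n")
        iocs = dict(BILLBUG_SHA256)
        iocs[sha256_of_file(planted)] = "Constructed test sample"
        return scan_tree(d, iocs)


if __name__ == "__main__":
    for path, digest, tool in demo():
        print(f"{tool}: {path} ({digest})")
```

Hash matching is exact, so a recompiled or padded build of the same tool will not be caught; treat it as a quick triage sweep and pair it with the behavioural checks (outbound SSH, unsigned DLL loads by vendor binaries) rather than relying on it alone.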

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
