The Lotus Blossom hacker group, also known as Spring Dragon, Billbug, or Thrip, has been identified leveraging legitimate cloud services like Dropbox, Twitter, and Zimbra for command-and-control (C2) communications in their cyber espionage campaigns.
Cisco Talos researchers attribute these sophisticated operations to the group with high confidence, citing the use of a custom backdoor family called Sagerunex.
Active since at least 2012, Lotus Blossom continues to target sectors such as government, manufacturing, telecommunications, and media across regions including the Philippines, Vietnam, Hong Kong, and Taiwan.
The Sagerunex backdoor has evolved into multiple variants designed to evade detection and maintain persistence in compromised environments.
Earlier versions relied on traditional Virtual Private Servers (VPS) for C2 operations. However, recent campaigns exhibit a shift toward third-party cloud services.
By utilizing Dropbox APIs, Twitter tokens, and Zimbra webmail APIs as C2 tunnels, the group effectively blends malicious traffic with legitimate service usage, complicating detection efforts.
For example:
These techniques highlight the group’s adaptability in exploiting widely used platforms to bypass traditional security mechanisms.
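The detection side of this is where defenders have leverage: API traffic to Dropbox, Twitter or a Zimbra webmail endpoint is normal from a browser or sync client but not from a system process, and a backdoor polling its mailbox or folder tends to do so on a fixed timer. The following Python sketch is an added example written for this article, not code from Cisco Talos or from the Sagerunex analysis; it runs two checks over constructed proxy log lines (an unexpected-client check and a beacon-interval check). The API hostnames and paths are those of the public services, but the allowlist of approved client processes, the log format and every log line are assumptions to tune locally.

```python
"""Added example: flag cloud-API traffic that may be a C2 tunnel.

Two checks run over constructed proxy log lines:
  1. a process outside the approved-client allowlist talking to a cloud API
  2. a host contacting the same destination at near-constant intervals
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud services the article names as C2 tunnels (public API hostnames).
CLOUD_C2_ENDPOINTS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "api.twitter.com": "twitter",
}
ZIMBRA_SOAP_PATH = "/service/soap"  # Zimbra webmail SOAP API endpoint

# Assumed allowlist: processes expected to talk to these services.
APPROVED_CLIENTS = {"Dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed proxy log: time|src_host|process|dst_host|path
SAMPLE_PROXY_LOG = """\
2025-01-10T09:00:00|WS-17|svchost.exe|api.dropboxapi.com|/2/files/list_folder
2025-01-10T09:05:00|WS-17|svchost.exe|api.dropboxapi.com|/2/files/list_folder
2025-01-10T09:10:00|WS-17|svchost.exe|api.dropboxapi.com|/2/files/list_folder
2025-01-10T09:15:00|WS-17|svchost.exe|api.dropboxapi.com|/2/files/list_folder
2025-01-10T09:01:12|WS-03|chrome.exe|api.twitter.com|/2/tweets
2025-01-10T09:41:55|WS-03|chrome.exe|api.twitter.com|/2/tweets
2025-01-10T09:02:00|WS-22|rundll32.exe|mail.example.com|/service/soap
2025-01-10T09:07:30|WS-22|rundll32.exe|mail.example.com|/service/soap
"""


def parse_proxy_log(text):
    """Parse the pipe-separated constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dst, path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "proc": proc, "dst": dst, "path": path})
    return events


def cloud_service_for(event):
    """Return the cloud service a request targets, or None if it is not one we watch."""
    if event["dst"] in CLOUD_C2_ENDPOINTS:
        return CLOUD_C2_ENDPOINTS[event["dst"]]
    if event["path"].startswith(ZIMBRA_SOAP_PATH):
        return "zimbra"
    return None


def unexpected_client_alerts(events):
    """(src_host, process, service) tuples for non-approved processes using a cloud API."""
    alerts, seen = [], set()
    for e in events:
        svc = cloud_service_for(e)
        if svc and e["proc"] not in APPROVED_CLIENTS:
            key = (e["src"], e["proc"], svc)
            if key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


def beacon_alerts(events, min_requests=4, max_cv=0.2):
    """(src_host, dst_host, mean_gap_seconds) for low-jitter periodic contact.

    The coefficient of variation (stdev / mean) of the inter-request gaps
    is compared against max_cv; a scheduled poller scores near zero.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append((src, dst, round(avg)))
    return alerts


if __name__ == "__main__":
    evts = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("unexpected clients:", unexpected_client_alerts(evts))
    print("beacons:", beacon_alerts(evts))
```

On the constructed data the first check flags `svchost.exe` on WS-17 reaching the Dropbox API and `rundll32.exe` on WS-22 reaching a Zimbra SOAP endpoint, while the browser's Twitter traffic passes; the second check flags WS-17's exact five-minute polling. In production the allowlist needs per-organization tuning, and the beacon check should be run over a longer window with a jitter threshold chosen from baseline traffic.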
Lotus Blossom employs advanced methods to maintain long-term access within targeted networks.
The Sagerunex backdoor is injected directly into memory and configured to run as a service through system registry modifications.
Commands such as “netstat,” “ipconfig,” and “tasklist” are executed for reconnaissance, gathering detailed information about user accounts, processes, and network configurations.
Additionally, the group uses tools like:
These tactics enable the group to operate undetected for extended periods while conducting espionage activities.
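Both behaviours described above leave endpoint telemetry: a service registered through the registry whose binary sits outside the Windows system directories, and a short burst of `netstat`, `ipconfig` and `tasklist` launched by one parent process. The following Python sketch is an added example written for this article, not code from Cisco Talos or from the Sagerunex analysis; it runs those two checks over constructed Sysmon-style process-creation and registry-set events. The event format, the sample lines (including the `UpdSvc` service name and `upd.dll` path, which are invented placeholders, not indicators from the report) and the "outside system directories" heuristic are all assumptions.

```python
"""Added example: endpoint checks for the persistence and recon behaviours.

  1. recon_burst_alerts: >= min_distinct of the named recon tools launched by
     the same parent process inside a short window
  2. suspicious_service_alerts: a service ImagePath / ServiceDll written to
     the registry that points outside the Windows system directories
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_COMMANDS = {"netstat.exe", "ipconfig.exe", "tasklist.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events (raw string, single backslashes in paths).
#   kind=proc: time|host|proc|parent_pid|parent_image|image
#   kind=reg : time|host|reg|pid|target_key|value
SAMPLE_EVENTS = r"""
2025-01-10T09:00:01|WS-17|proc|4120|svchost.exe|C:\Windows\System32\netstat.exe
2025-01-10T09:00:03|WS-17|proc|4120|svchost.exe|C:\Windows\System32\ipconfig.exe
2025-01-10T09:00:04|WS-17|proc|4120|svchost.exe|C:\Windows\System32\tasklist.exe
2025-01-10T09:30:00|WS-03|proc|2210|cmd.exe|C:\Windows\System32\ipconfig.exe
2025-01-10T09:00:10|WS-17|reg|4120|HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\Parameters\ServiceDll|C:\ProgramData\upd\upd.dll
2025-01-10T08:55:00|WS-05|reg|880|HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath|C:\Windows\System32\spoolsv.exe
"""


def parse_events(text):
    """Parse the constructed pipe-separated format; 'a' and 'b' are the two trailing fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, pid, a, b = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "pid": int(pid), "a": a, "b": b})
    return events


def recon_burst_alerts(events, window=timedelta(seconds=60), min_distinct=3):
    """(host, parent_pid, parent_image) keys that ran a burst of recon tools."""
    runs = defaultdict(list)
    for e in events:
        if e["kind"] != "proc":
            continue
        image = e["b"].rsplit("\\", 1)[-1].lower()
        if image in RECON_COMMANDS:
            runs[(e["host"], e["pid"], e["a"])].append((e["ts"], image))
    alerts = []
    for key, items in runs.items():
        items.sort()
        # slide the window from each launch; distinct tools, not repeats, count
        for i, (start, _) in enumerate(items):
            inside = {img for ts, img in items[i:] if ts - start <= window}
            if len(inside) >= min_distinct:
                alerts.append(key)
                break
    return alerts


def suspicious_service_alerts(events):
    """(host, key, value) for service binaries registered outside system directories.

    Simplification: ImagePath values with arguments or quoting are only
    stripped of surrounding quotes, not fully tokenised.
    """
    alerts = []
    for e in events:
        if e["kind"] != "reg":
            continue
        key = e["a"].lower()
        if "\\currentcontrolset\\services\\" not in key:
            continue
        if not (key.endswith("\\imagepath") or key.endswith("\\servicedll")):
            continue
        value = e["b"].strip('"').lower()
        if not value.startswith(SYSTEM_DIRS):
            alerts.append((e["host"], e["a"], e["b"]))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("recon bursts:", recon_burst_alerts(evts))
    print("suspicious services:", suspicious_service_alerts(evts))
```

On the constructed data the recon check fires for the `svchost.exe` parent on WS-17 (three distinct tools in three seconds) and stays quiet for the lone `ipconfig` from `cmd.exe` on WS-03; the service check fires for the `ServiceDll` under `C:\ProgramData` and ignores the legitimate spooler entry. Real deployments should extend the recon set with the other enumeration commands the article alludes to and exempt the parent processes that run inventory scripts in your environment.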
Cisco Talos’ analysis links these campaigns to Lotus Blossom based on consistent tactics, techniques, and procedures (TTPs), as well as victim profiles.
The Sagerunex backdoor family remains central to their operations. Despite developing distinct variants over time, core functionalities such as time-check logic for execution delays remain consistent across all versions.
The use of legitimate cloud services for malicious purposes underscores the challenges organizations face in distinguishing between benign and harmful activity.
This development calls for enhanced monitoring of cloud-based traffic and robust endpoint protection solutions to mitigate risks posed by advanced persistent threats like Lotus Blossom.