Spyware Campaign Targets Southeast Asia Governments

Spyware campaign operators known as Lotus Panda have launched a wave of cyberattacks across Southeast Asia. Active between August 2024 and February 2025, the group infiltrated government and private organizations.

Targets included a ministry, air traffic control, telecoms, and even a construction firm. A separate news agency and air freight company in nearby countries were also affected.

According to a report, the hackers deployed new custom malware. This included credential stealers, malicious loaders, and a reverse SSH access tool. The goal was to gather sensitive data and maintain remote access without detection.

Persistent Threat with Deep Roots

Lotus Panda is not new to the cyber threat landscape. The group has been active since at least 2009. Over the years, it has gone by other names, such as Billbug, Spring Dragon, and Thrip.

In earlier operations, they exploited known Microsoft vulnerabilities to plant remote access trojans. For example, in 2015, they used a Microsoft Office flaw to deliver malware that could read and write files on infected systems.

Since then, their methods have evolved. For instance, they now sideload malware through legitimate software to bypass detection. In the recent campaign, the attackers abused executables from popular antivirus products to load malicious DLLs.

Sophisticated Malware Tools and Techniques

Researchers found that one of the main tools used was Sagerunex, a backdoor tool unique to Lotus Panda. It collects system data, encrypts it, and sends it to attacker-controlled servers.

The hackers also used CredentialKatz and ChromeKatz to steal passwords and browser cookies. These tools focus on extracting sensitive data from Google Chrome.

Moreover, the group used a peer-to-peer tool called Zrok to establish remote access to internal systems. Another program called datechanger.exe was used to alter file timestamps. This likely helped them cover their tracks and confuse forensic investigators.
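The two behaviours described above, sideloading an unsigned DLL through a legitimate binary and backdating file timestamps, both leave a footprint in endpoint telemetry. The following is an added detection example, not code from the report or from the group's toolset; it triages constructed Sysmon-style records (Event ID 7 image-load and Event ID 2 file-creation-time-changed fields) and assumes the illustrative paths, binary names and trusted-directory baseline shown in the code.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Locations where an unsigned DLL next to its host binary is unremarkable (assumed baseline).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

def _in_trusted_dir(path: str) -> bool:
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime layout

def check_image_load(ev: dict):
    """Event ID 7: a process loads a DLL that is not validly signed from its own
    directory, outside trusted locations. That is the sideloading shape."""
    host, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if ev.get("SignatureStatus") == "Valid" or dll.parent != host.parent:
        return None
    if _in_trusted_dir(str(dll)):
        return None
    return ("sideload", f"{host.name} loaded unsigned {dll.name} from {dll.parent}")

def check_time_change(ev: dict):
    """Event ID 2: a file's creation time was moved backwards (timestomping)."""
    new, old = _utc(ev["CreationUtcTime"]), _utc(ev["PreviousCreationUtcTime"])
    if new >= old:
        return None
    return ("timestomp", f"{PureWindowsPath(ev['Image']).name} backdated "
                         f"{ev['TargetFilename']} from {old} to {new}")

CHECKS = {7: check_image_load, 2: check_time_change}

def triage(events):
    """Return (kind, detail) findings for every event that matches a check."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings

# Constructed sample events; paths and binary names are illustrative, not from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Updater\avupdate.exe",
     "ImageLoaded": r"C:\Users\Public\Updater\version.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "SignatureStatus": "Valid"},
    {"EventID": 2, "Image": r"C:\Users\Public\Updater\datechanger.exe",
     "TargetFilename": r"C:\Users\Public\Updater\version.dll",
     "CreationUtcTime": "2019-03-02 10:00:00.000", "PreviousCreationUtcTime": "2025-01-15 09:12:33.123"},
    {"EventID": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Tool\tool.exe",
     "CreationUtcTime": "2025-01-16 08:00:00.000", "PreviousCreationUtcTime": "2025-01-16 07:59:59.000"},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS):
        print(kind, detail)
```

Tune TRUSTED_DIRS to the organisation's own software baseline before relying on the sideload rule, since legitimate installers also load unsigned helper DLLs from their install directory.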

How to Protect Against Similar Attacks

Organizations can defend against spyware campaigns by taking a few critical steps:

  • Regularly update systems and patch known vulnerabilities.
  • Use endpoint detection and response (EDR) tools.
  • Monitor for unusual software behavior, even from trusted applications.
  • Limit administrative privileges across internal systems.
  • Train staff to recognize phishing and social engineering tactics.

A proactive security strategy, combined with user education, reduces the risk of falling victim to sophisticated campaigns like this one.