Lotus Blossom (G0030): A Persistent Regional Espionage Threat
- Suspected Origin
- China
- Motivation
- Espionage, Information Theft
- Aliases
- DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip
- Target Sectors
- Government, Military, Telecommunications, Digital Certificate Issuers, Education, Manufacturing, Media, Aviation, Critical Infrastructure, Financial, IT Services
- Associated Malware
- Sagerunex, Hannotog, Chrysalis, Elise, Emissary, HTran, Venom, Impacket, Cobalt Strike, Metasploit
Overview
Lotus Blossom, also tracked by aliases such as DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, and Thrip, is a formidable and enduring cyber espionage group. Attributed with moderate to high confidence to China, this state-sponsored threat actor has been actively operating since at least 2009, making them one of the more durable and methodical clusters in the broader Chinese APT ecosystem. Unlike some of their more globally expansive counterparts, Lotus Blossom maintains a primary focus on sustained regional intelligence collection, predominantly targeting entities across Asia, particularly Southeast Asia.
Their motivation is purely espionage-driven, prioritizing access, visibility, and persistence within compromised networks for information theft. There is no credible evidence suggesting financial motives, such as ransomware, extortion, or cryptomining, in their operational history. The group’s target selection reflects their strategic intelligence mandate, encompassing high-profile government and military organizations, digital certificate issuers, telecommunications providers, educational institutions, media organizations, manufacturing firms, and critical infrastructure. Their geographic targeting includes countries like Vietnam, the Philippines, Brunei, Cambodia, Hong Kong, Indonesia, Japan, Laos, Macao, Malaysia, Myanmar, Singapore, Taiwan, and Thailand, with occasional operations observed further afield in places like Australia, El Salvador, and even against individuals associated with European ministries.
Tactics & Techniques
Lotus Blossom’s tradecraft has evolved significantly over more than a decade of operations, demonstrating adaptability and a commitment to refining their methods to evade detection. Initially, spear-phishing campaigns were a primary vector, often leveraging meticulously crafted malicious documents relevant to the target’s role to achieve initial compromise. They have also been observed exploiting public-facing applications for initial access. A notable evolution in their tactics surfaced recently with their shift to sophisticated supply chain compromises, as seen in the Notepad++ incident.
Once inside a network, Lotus Blossom employs a range of techniques for discovery and reconnaissance. They frequently use built-in Windows commands like net to profile local and domain users and accounts, ipconfig and netstat for network information, and dir to examine file systems. Tools like AdFind are utilized for Active Directory queries, while Ping and NBTscan help them identify and map remote systems. For lateral movement and persistence, the group employs Windows Management Instrumentation (WMI), PsExec, and establishes persistence through Windows services and modifications to the Windows Registry, often configuring their backdoors to run automatically. They also leverage dual-use and living-off-the-land tools like Certutil for various operational tasks.
Defense evasion is a core component of their strategy. The group has shown a growing reliance on legitimate third-party services, such as cloud platforms and webmail, to tunnel command-and-control (C2) communications, blending malicious traffic with normal enterprise activity to reduce detection risk. They also exhibit improved operational security and favor low-visibility techniques, including DLL sideloading and NSIS installer abuse, particularly with renamed legitimate binaries. Exfiltration typically involves locally staging compressed data, often using WinRAR or custom archiving tools, before sending it out of the compromised environment.
Notable Campaigns
Lotus Blossom has a long history of targeted operations. Early campaigns, particularly between 2012 and 2015, heavily focused on government and military entities across Southeast Asia, an effort that Palo Alto Networks termed “Operation Lotus Blossom” in June 2015. This campaign alone accounted for over 50 attacks in a three-year span.
More recently, from late 2025 into early 2026, the group was extensively involved in a sophisticated supply-chain compromise targeting the widely used open-source text editor Notepad++. Instead of directly modifying the application’s code, Lotus Blossom infiltrated the upstream distribution infrastructure and selectively redirected update traffic for a small, strategically valuable set of targets. This allowed them to deliver customized installers and low-noise implants through WinGUp, the legitimate Notepad++ updater, making the process appear indistinguishable from routine software updates. This campaign, which saw confirmed victims in Vietnam and the Philippines, underscores the group’s evolving tradecraft and precision-focused approach.
Prior to the Notepad++ campaign, Symantec also attributed a persistent espionage campaign active since at least March 2022 to Lotus Blossom (under its alias Billbug/Thrip), which targeted a digital certificate authority and multiple government and defense agencies in Asia.
Associated Malware & Tools
The group’s toolkit is a blend of custom-developed malware and widely available legitimate or commodity tools. Historically, custom backdoors like Elise and Emissary were prevalent in their early operations. Since at least 2016, Sagerunex has become a defining element of their campaigns, an adaptable backdoor family iterated across multiple variants for long-term persistence. Another backdoor, Hannotog, has also been consistently linked to Lotus Blossom operations.
In their most recent activity, specifically the Notepad++ supply-chain compromise, a previously undocumented custom backdoor named Chrysalis was deployed. Chrysalis is a feature-rich implant, employing structured C2 communications, advanced loader obfuscation, and API hashing techniques, sometimes serving as a replacement or augmentation for Cobalt Strike payloads.
Beyond custom implants, Lotus Blossom extensively utilizes dual-use and publicly available tools to blend in with legitimate network activity. These include AdFind for Active Directory reconnaissance, WinRAR for data compression, and proxy tools like HTran and Venom for C2 traffic and egress. Other tools like Impacket, Mimikatz for credential access, NBTscan, PsExec, and a Python-based cookie stealer have also been observed in their arsenal. The group has also been noted for its use of commodity frameworks such as Metasploit and Cobalt Strike, indicating a readiness to integrate readily available powerful tools alongside their bespoke malware.
Current Status
Lotus Blossom remains an Active and persistent threat group. With an operational history spanning over 15 years, the group continues to demonstrate a high level of discipline and methodological precision in its espionage campaigns. The recent Notepad++ supply-chain compromise, active from late 2025 into early 2026, provides strong evidence of their ongoing activity and evolving capabilities. Their continued focus on strategically important targets within Asia, coupled with their consistent, yet adaptable, tradecraft and tool development, positions them as a significant and enduring threat in the regional cyber espionage landscape. Organizations within their target sectors and geographic regions should maintain a high level of vigilance against Lotus Blossom’s sophisticated and stealthy intrusions. The MITRE ATT&CK knowledge base (G0030) continues to track and update information on this group, reflecting its ongoing relevance to the threat landscape.
Related content
FIN6: From POS Skimming to Ransomware and Enterprise Infiltration
Adversary ProfileCopyKittens: Persistent Iranian Cyber Espionage Group
Adversary ProfileBlue Mockingbird (G0108): Persistent Cryptomining Threat
Adversary ProfileCinnamon Tempest: The Espionage Group Cloaked in Ransomware
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call