Chinese Cyberespionage Group ‘Billbug’ Targets Certificate Authority

A Chinese state-sponsored cyberespionage group tracked as Billbug has been observed targeting a certificate authority in Asia, along with other entities, Symantec reports.

Also tracked as Lotus Blossom and Thrip, Billbug is an advanced persistent threat (APT) actor mainly targeting entities in Southeast Asia and the United States. It’s believed to have been active since at least 2009.

Starting in March 2022, the group has been targeting multiple entities in Asia, including a certificate authority, a government organization, and defense agencies.

“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic,” Symantec notes.

According to the security company, however, there is no evidence to suggest that the threat actor has managed to successfully compromise digital certificates.

As part of the observed attacks, the APT used multiple public tools and custom malware, including AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Stowaway Proxy Tool, Tracert, Winmail, and WinRAR, as well as the Hannotog and Sagerunex backdoors identified in 2019.

The Hannotog backdoor, Symantec explains, can update firewall settings, create a service for persistence, stop running services, upload encrypted data, harvest system information, and download files to the machine.

The Sagerunex backdoor, which uses multiple methods of communication with the command and control (C&C) server, supports commands to list running proxies, execute programs, steal files or drop files, and get configured file paths.

“While we do not see data being exfiltrated in this campaign, Billbug is widely regarded as being an espionage actor, indicating that data theft is the most likely motivation in this campaign. The victims in this campaign – government agencies and a certificate authority – also point to an espionage and data-theft motive,” Symantec notes.

The cybersecurity firm also points out that the threat actor likely targeted government victims for espionage purposes, and likely hit the certificate authority to steal legitimate digital certificates.

“This is potentially very dangerous, as if Billbug is able to sign its malware with a valid digital certificate it may be able to bypass security detections on victim machines. The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns,” Symantec concludes.
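The risk Symantec describes above (malware carrying a valid signature from a stolen or fraudulently issued certificate) is only a problem for defenses that treat "signature is valid" as the whole trust decision. The following PowerShell script is an added example, written for this page; it is not code from Symantec or SecurityWeek and does not relate to any specific Billbug sample. It sweeps the binaries behind running processes with the built-in `Get-AuthenticodeSignature` cmdlet and separates three cases: unsigned or broken signatures, valid signatures from a signer on an organisation-maintained allowlist, and the case a stolen certificate produces, namely a cryptographically valid signature from a signer nobody on the team has vetted. The thumbprint values in `$TrustedSignerThumbprints` are constructed placeholders and must be replaced with the thumbprints of your own vendors' code-signing certificates.

```powershell
# Added example (not from the article or Symantec): Authenticode "Valid" is
# necessary but not sufficient. Require the signer to also be on an allowlist,
# so a valid-but-unexpected signer stands out instead of passing silently.

# Constructed placeholder thumbprints; replace with your vetted signers.
$TrustedSignerThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-VENDOR-A',
    'PLACEHOLDER-THUMBPRINT-VENDOR-B'
)

function Test-SignerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $verdict = if ($sig.Status -ne 'Valid') {
        'UNSIGNED_OR_INVALID'                       # no signature, bad hash, untrusted chain, revoked, etc.
    } elseif ($TrustedSignerThumbprints -contains $cert.Thumbprint) {
        'TRUSTED'                                   # valid AND a signer we deliberately approved
    } else {
        'VALID_BUT_UNKNOWN_SIGNER'                  # exactly what a stolen legitimate cert would yield
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        Verdict    = $verdict
    }
}

# Sweep the executables backing live processes and surface only the middle
# category for analyst review; unsigned binaries are usually caught elsewhere.
Get-Process |
    Where-Object Path |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Test-SignerTrust -Path $_ } |
    Where-Object Verdict -eq 'VALID_BUT_UNKNOWN_SIGNER' |
    Format-Table Path, Signer, Thumbprint, NotAfter -AutoSize
```

Run it from an elevated session so process paths are readable for all users' processes. The point of the design is that "valid signature" and "trusted publisher" are separate questions: the first is answered by the operating system's chain validation, the second only by an allowlist your organisation maintains, and a certificate obtained by compromising a certificate authority defeats the first check but not the second.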

Related: New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers

Related: Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
