‘Lotus Blossom’ Cyber-espionage Campaign Stretches Back 3 Years: Palo Alto Networks

Researchers at Palo Alto Networks have identified a cyber-espionage operation targeting government and military organizations in Southeast Asia.

The group responsible for the campaign has been nicknamed ‘Lotus Blossom’, and given its targets and persistence, is likely state-sponsored, according to Palo Alto Networks. More than 50 different attacks have been linked to the campaign, which has gone on for the past three years.

“The group relies on spear phishing attacks to infect its users, often using a malicious office document and decoy file containing content relevant to the target’s occupation or interests,” according to a report from Palo Alto Networks’ Unit 42 team. “The spear phishing attachment typically includes exploit code for a well-known Microsoft Office vulnerability, CVE-2012-0158, which is used to install the Trojan on the system and then display the decoy file, tricking the user into thinking the file opened correctly.”

The attackers used a backdoor Trojan named Elise after the sports car made by Group Lotus PLC of the United Kingdom. The tool appears to be unique to the group, and has morphed over time.

“A popular theme for the decoy documents was personnel rosters, largely claiming to be for specific military or government offices,” according to the research. “Another theme was the use of attractive pictures of Asian women that were sourced from the Internet. Some of the information contained in the decoys could be found on the Internet; however, it is worth noting none of the military or government themed decoys could be found. In particular, the decoys used against the Philippines were exclusively military and government themed, with the bulk purporting to be related to the Navy.”

“As we were unable to find any of the decoys online, and they purport to contain sensitive information, we have not included images of them, in case the information is legitimate,” Palo Alto Networks researchers noted in the paper. “One document is even stamped ‘Secret.’”

The targets of the campaign were found in Vietnam, the Philippines, Taiwan, Hong Kong and Indonesia.

“The Trojan backdoor and vulnerability exploits used in Operation Lotus Blossom aren’t cutting-edge by today’s standards, but these types of attacks can be detrimental if they are successful and give attackers access to sensitive data,” said Ryan Olson, intelligence director of Unit 42, in a statement. “The fact that older vulnerabilities are still being used tells us that until organizations adopt a prevention-based mindset and take steps to improve cyber hygiene, cyberattackers will continue to use legacy methods because they still work well.”
