Security Experts:

Connect with us

Hi, what are you looking for?



Over 600 Malware Samples Linked to Chinese Cyberspy Group

A China-linked cyber espionage group tracked by security firms as Lotus Blossom, Elise, Esile and Spring Dragon has used more than 600 malware samples in its attacks over the past years, according to Kaspersky Lab.

A China-linked cyber espionage group tracked by security firms as Lotus Blossom, Elise, Esile and Spring Dragon has used more than 600 malware samples in its attacks over the past years, according to Kaspersky Lab.

Spring Dragon has been around since at least 2012, but there is some evidence suggesting that it may have been active since 2007. The state-sponsored threat group has mainly targeted military and government organizations in Southeast Asia.

Kaspersky Lab learned recently from a research partner in Taiwan of new attacks launched by the group. Data collected by the security firm indicates that the APT actor has also targeted political parties, universities and other educational institutions, and companies in the telecommunications sector.

The cyberspies appear to focus on countries around the South China Sea, including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.

The threat actor has been using a wide range of tools, including backdoors that can download other files to the compromised machine, upload files to a remote server, and execute files and commands. Kaspersky Lab has identified a total of more than 600 malware samples used over the past years.

According to the security firm, the malware leverages a command and control (C&C) infrastructure of more than 200 unique IP addresses and domains, with each sample using hardcoded campaign codes and custom C&C addresses.

The C&C servers used by Spring Dragon are located in several countries, but roughly two-thirds are located in Hong Kong and the United States. Some servers have also been spotted in Germany, China and Japan.

Based on malware compilation timestamps, which Kaspersky believes have not been altered, the attackers appear to be located in the GMT+8 timezone, which corresponds to China, Indonesia, Malaysia, Mongolia, Singapore, Taiwan, the Philippines and Western Australia.

The malware compilation timestamps also suggest that the members of the group either work in two shifts, or Spring Dragon malware has been compiled by two different groups, one of which may be located in Europe.

“The number of malware samples which we managed to collect (over 600) for the group surpassed many others, and suggests an operation on a massive scale. It’s possible that this malware toolkit is offered in specialist public or private forums to any buyers, although, to date, we haven’t seen this,” explained Kaspersky’s Noushin Shabab.

Related: China-Linked Spies Use Recent Zero-Day to Target Financial Firms

Related: China-based Hackers Target Managed Service Providers

Related: China-Linked Hackers Target U.S. Trade Group

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.