Lotus Panda Hackers Strike Southeast Asian Governments With Browser Stealers, Sideloaded Malware


eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners.

A notorious Chinese-linked hacking group, known in cybersecurity circles as Lotus Panda, has once again been tied to a wave of cyberattacks that hit several Southeast Asian government and private sector organizations, according to fresh findings from Broadcom’s Symantec Threat Hunter Team.

The months-long intrusion campaign, which ran from August 2024 through February 2025, targeted various institutions, including a government ministry, air traffic control, a telecom provider, and a construction firm. The hackers also breached a news agency and an air freight company.

“The activity appears to be a continuation of a campaign first documented by Symantec in December 2024, where multiple high-profile organizations in Southeast Asian countries were targeted,” said the Symantec Threat Hunter Team. “While it was clear that Chinese actors were behind the attacks, attribution to a single actor could not be determined.

“However, a recent blog by Cisco Talos detailing recent Billbug activity contained indicators of compromise (IOCs) used in this campaign, indicating that it was the work of Billbug.”

Malware hidden in plain sight

What’s particularly alarming about this campaign is the attackers’ abuse of legitimate, signed antivirus components. They dropped known executables from Trend Micro and Bitdefender next to malicious DLLs carrying the names those executables expect to load, so the trusted program itself loads the attackers’ code. The technique is called DLL sideloading, and because the process that ends up running the malware is a signed security product, it blends in with normal activity.

One of the abused binaries was a Trend Micro executable, tmdbglog.exe, which was used to load a malicious DLL named tmdglog.dll. According to Symantec, this DLL decrypts and executes the contents of a file named TmDebug.log and tracks its progress through a temporary file, VT001.tmp.

Similarly, the hackers misused Bitdefender’s bds.exe to sideload a malicious DLL called log.dll. This DLL decrypted another file, winnt.config, and injected the resulting payload into a legitimate Windows process, systray.exe.
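The two sideloading pairs above share a shape that a defender can hunt for: a signed vendor executable mapping an unsigned DLL that sits in its own directory. The script below is an added example (not Symantec’s detection logic or anything from the report) that runs that check over Sysmon Event ID 7 (image load) records. The Sysmon field names Image, ImageLoaded, Signed and SignatureStatus are real; the sample records and paths are constructed, and the host_signed flag is assumed to come from enrichment, since Event ID 7 only reports the signature state of the loaded DLL, not of the loading process.

```python
"""Hunt for DLL sideloading in Sysmon Event ID 7 (image load) records.

Added example for the technique described in the article; it is not
Symantec's detection logic. Sysmon field names (Image, ImageLoaded,
Signed, SignatureStatus) are real. The sample records are constructed,
and host_signed is an assumed enrichment field (e.g. an Authenticode or
hash lookup on the loading process), because Event ID 7 only carries the
signature state of the DLL that was mapped.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Signed vendor binary -> malicious DLL it was abused to load (names from the report).
KNOWN_SIDELOAD_PAIRS = {
    "tmdbglog.exe": "tmdglog.dll",  # Trend Micro binary abused to load tmdglog.dll
    "bds.exe": "log.dll",           # Bitdefender binary abused to load log.dll
}

# Loads from these trees are noisy for the generic rule and are left to other detections.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoadEvent:
    image: str             # Sysmon Image: the process that mapped the DLL
    image_loaded: str      # Sysmon ImageLoaded: full path of the DLL
    signed: bool           # Sysmon Signed: whether the DLL carries a signature
    signature_status: str  # Sysmon SignatureStatus: "Valid", "Unsigned", "Expired", ...
    host_signed: bool      # assumed enrichment: is the loading executable itself signed?


def classify(ev):
    """Return (severity, reason) for a suspicious load, or None if it looks benign."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    exe_name, dll_name = exe.name.lower(), dll.name.lower()
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    dll_unsigned = (not ev.signed) or ev.signature_status.lower() != "valid"

    # High confidence: the exact executable/DLL pairs reported for this campaign.
    if KNOWN_SIDELOAD_PAIRS.get(exe_name) == dll_name:
        return ("high", f"known sideload pair {exe_name} -> {dll_name}")

    # Generic lead: a signed executable mapping an unsigned DLL that sits beside it,
    # outside the Windows and Program Files trees. Legitimate software does this too,
    # so treat it as a hunting lead rather than an alert.
    if (ev.host_signed and dll_unsigned and same_dir
            and not str(dll).lower().startswith(SYSTEM_DIRS)):
        return ("medium", f"signed {exe_name} loaded unsigned {dll_name} from its own directory")
    return None


def hunt(events):
    """Run classify() over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev.image, ev.image_loaded) + verdict)
    return hits


# Constructed sample records; the directories are invented for illustration.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\ProgramData\TrendLog\tmdbglog.exe",
                   r"C:\ProgramData\TrendLog\tmdglog.dll", False, "Unsigned", True),
    ImageLoadEvent(r"C:\Users\Public\Libraries\bds.exe",
                   r"C:\Users\Public\Libraries\log.dll", False, "Unsigned", True),
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\kernel32.dll", True, "Valid", True),
    ImageLoadEvent(r"C:\Tools\vendorapp.exe", r"C:\Tools\helper.dll", False, "Unsigned", True),
    ImageLoadEvent(r"C:\Tools\vendorapp.exe", r"C:\Windows\System32\ntdll.dll", True, "Valid", True),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The known-pair rule is only as good as the IOC list it is fed, so the generic rule is the part worth keeping once this campaign’s names have been rotated; expect it to surface legitimate installers and portable apps as well, which is why it is scored medium and scoped away from the system directories.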

These aren’t the only tools in Lotus Panda’s arsenal. The group introduced two previously unseen tools built specifically to steal credentials from Google Chrome:

  • ChromeKatz: Capable of stealing both login details and cookies.
  • CredentialKatz: Focuses solely on stealing saved usernames and passwords.

The attackers also deployed a reverse SSH tool, which listens for incoming SSH connections and allows remote access into compromised systems. This tool gave attackers a backdoor into sensitive networks.

Another disturbing addition was Sagerunex, a custom backdoor used exclusively by the group. Sagerunex has been in use since at least 2019, and the version deployed in this campaign has been updated to persist across reboots by writing a Windows registry entry that starts it automatically.

To muddy forensic efforts, the hackers slipped in a timestamp‑tampering utility. “Another legitimate tool used was called datechanger.exe. It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts,” the report notes.
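A timestamp-changing tool rewrites the times an analyst sees in a directory listing, but on NTFS it usually cannot rewrite everything: user-mode calls such as SetFileTime update the $STANDARD_INFORMATION attribute only, while the $FILE_NAME attribute is written by the kernel when the file is created (and refreshed on rename or move). The script below is an added example, not part of the Symantec report or any vendor tool, that applies two standard timestomping checks to MFT-style records: a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time, and $STANDARD_INFORMATION times whose sub-second part has been zeroed while $FILE_NAME keeps its precision. The records are constructed; the field layout is assumed to be what an MFT parser would export, with times in UTC.

```python
"""Spot timestomped files by comparing NTFS $STANDARD_INFORMATION and $FILE_NAME times.

Added example, not part of the original report or Symantec's tooling. The
records are constructed to resemble MFT parser output (times in UTC,
microsecond precision used here for readability; real NTFS keeps 100ns).
Why it works: SetFileTime and similar APIs rewrite $STANDARD_INFORMATION
($SI) only, while $FILE_NAME ($FN) is written by the kernel at creation, so
$SI creation earlier than $FN creation, or $SI times with a zeroed
sub-second component next to precise $FN times, indicates a rewrite.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def ts(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS.ffffff' string as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time (rewritable from user mode)
    si_modified: datetime  # $STANDARD_INFORMATION last-write time
    fn_created: datetime   # $FILE_NAME creation time (set by the kernel)
    fn_modified: datetime  # $FILE_NAME last-write time


def check(rec):
    """Return the list of timestomping indicators that fire for one record."""
    indicators = []
    # 1. A file cannot have been created before the kernel wrote its $FILE_NAME
    #    attribute, so $SI creation earlier than $FN creation means $SI was backdated.
    if rec.si_created < rec.fn_created:
        indicators.append("si_created_before_fn_created")
    # 2. Tools that accept a "YYYY-MM-DD HH:MM:SS" string and call SetFileTime leave
    #    $SI with a zeroed sub-second part while $FN still carries real precision.
    #    Archive extraction and some installers produce the same pattern, so this is
    #    a lead to confirm against other evidence, not proof on its own.
    si_zeroed = rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0
    fn_precise = rec.fn_created.microsecond != 0 or rec.fn_modified.microsecond != 0
    if si_zeroed and fn_precise:
        indicators.append("si_subsecond_zeroed")
    return indicators


def find_timestomped(records):
    """Return (path, indicators) for every record with at least one indicator."""
    return [(r.path, check(r)) for r in records if check(r)]


# Constructed sample records (paths and times invented for illustration).
SAMPLE_RECORDS = [
    # Dropped DLL backdated to 2019 with a second-granularity tool.
    MftRecord(r"C:\ProgramData\TrendLog\tmdglog.dll",
              ts("2019-03-04 10:11:12.000000"), ts("2019-03-04 10:11:12.000000"),
              ts("2024-11-20 08:15:33.412345"), ts("2024-11-20 08:15:33.412345")),
    # Untouched OS file: $SI and $FN agree and keep their precision.
    MftRecord(r"C:\Windows\System32\drivers\etc\hosts",
              ts("2024-06-11 03:22:41.883210"), ts("2024-06-11 03:22:41.883210"),
              ts("2024-06-11 03:22:41.883210"), ts("2024-06-11 03:22:41.883210")),
    # Payload container whose $SI was moved forward, not back: only the zeroed-precision rule fires.
    MftRecord(r"C:\Users\Public\Libraries\winnt.config",
              ts("2024-11-21 09:00:00.000000"), ts("2024-11-21 09:00:00.000000"),
              ts("2024-11-20 08:15:40.117700"), ts("2024-11-20 08:15:40.117700")),
    # Ordinary user document edited after creation: $SI modified moves, $FN does not.
    MftRecord(r"C:\Users\analyst\Documents\budget.xlsx",
              ts("2024-09-02 14:05:09.551234"), ts("2024-09-03 11:40:27.004561"),
              ts("2024-09-02 14:05:09.551234"), ts("2024-09-02 14:05:09.551234")),
]

if __name__ == "__main__":
    for path, hits in find_timestomped(SAMPLE_RECORDS):
        print(path, hits)
```

Run it against a parsed MFT export rather than a live directory walk: a standard directory listing only shows the $STANDARD_INFORMATION values, which is exactly the set the tool controls.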

A long trail of intrusion

Lotus Panda — also known as Billbug, Bronze Elgin, Spring Dragon, and Thrip — has been active since at least 2009. Their targets have consistently included government agencies, military operations, telecoms, and digital certificate authorities.

In 2015, Palo Alto Networks publicly documented the group’s operations, linking it to more than 50 attacks over three years. In subsequent years, Symantec traced it across various high-profile attacks, including one in 2022 in which it breached a digital certificate authority. Control of a CA could have allowed the group to sign its malware with trusted certificates and undermine the HTTPS protections that depend on that CA.

Expert recommendations

Symantec’s Threat Hunter Team recommends organizations check for the IOCs listed in their report and check their Protection Bulletin for the latest security updates and mitigation strategies.

Aminu Abdullahi
