Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

Intel Name: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools

Date of Scan: March 5, 2025

Impact: High

Summary:
Lotus Blossom (aka Spring Dragon, Billbug, Thrip) is an espionage group active since 2012. Our assessment links the group’s campaigns through shared TTPs, backdoors, and victim profiles. Since at least 2016, Lotus Blossom has used the Sagerunex backdoor, increasingly relying on persistent command shells and developing new Sagerunex variants. The group has effectively targeted the government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan.
