Threat Actor Profile
High APT
Description

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)

Confidence Score
90%
Known Aliases
Lotus Blossom, DRAGONFISH, Spring Dragon, RADIUM, Raspberry Typhoon, Bilbug, Thrip
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (21)
T1074.001 - Local Data Staging (Collection)
T1560.001 - Archive via Utility (Collection)
T1560.003 - Archive via Custom Method (Collection)
T1090.001 - Internal Proxy (Command and Control)
T1090.003 - Multi-hop Proxy (Command and Control)
T1539 - Steal Web Session Cookie (Credential Access)
T1112 - Modify Registry (Defense Evasion)
T1134 - Access Token Manipulation (Defense Evasion)
T1012 - Query Registry (Discovery)
T1016 - System Network Configuration Discovery (Discovery)
T1016.001 - Internet Connection Discovery (Discovery)
T1018 - Remote System Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087.001 - Local Account (Discovery)
T1087.002 - Domain Account (Discovery)
T1482 - Domain Trust Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1543.003 - Windows Service (Persistence)
T1588.002 - Tool (Resource Development)
Indicators of Compromise

STIX Data
{'aliases': ['Lotus Blossom',
             'DRAGONFISH',
             'Spring Dragon',
             'RADIUM',
             'Raspberry Typhoon',
             'Bilbug',
             'Thrip'],
 'created': '2017-05-31T21:32:01.092Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a '
                'long-standing threat group largely targeting various entities '
                'in Asia since at least 2009. In addition to government and '
                'related targets, [Lotus '
                'Blossom](https://attack.mitre.org/groups/G0030) has also '
                'targeted entities such as digital certificate '
                'issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec '
                'Bilbug 2022)(Citation: Cisco LotusBlossom 2025)',
 'external_references': [{'external_id': 'G0030',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0030'},
                         {'description': '(Citation: Accenture Dragonfish Jan '
                                         '2018)',
                          'source_name': 'DRAGONFISH'},
                         {'description': '(Citation: Cisco LotusBlossom 2025)',
                          'source_name': 'Thrip'},
                         {'description': '(Citation: Lotus Blossom Jun '
                                         '2015)(Citation: Accenture Dragonfish '
                                         'Jan 2018)',
                          'source_name': 'Lotus Blossom'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'RADIUM'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Raspberry Typhoon'},
                         {'description': '(Citation: Spring Dragon Jun '
                                         '2015)(Citation: Accenture Dragonfish '
                                         'Jan 2018)',
                          'source_name': 'Spring Dragon'},
                         {'description': '(Citation: Symantec Bilbug 2022)',
                          'source_name': 'Bilbug'},
                         {'description': 'Accenture Security. (2018, January '
                                         '27). DRAGONFISH DELIVERS NEW FORM OF '
                                         'ELISE MALWARE TARGETING ASEAN '
                                         'DEFENCE MINISTERS’ MEETING AND '
                                         'ASSOCIATES. Retrieved November 17, '
                                         '2024.',
                          'source_name': 'Accenture Dragonfish Jan 2018',
                          'url': 'https://web.archive.org/web/20190508165226/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf'},
                         {'description': 'Baumgartner, K.. (2015, June 17). '
                                         'The Spring Dragon APT. Retrieved '
                                         'February 15, 2016.',
                          'source_name': 'Spring Dragon Jun 2015',
                          'url': 'https://securelist.com/the-spring-dragon-apt/70726/'},
                         {'description': 'Falcone, R., et al.. (2015, June '
                                         '16). Operation Lotus Blossom. '
                                         'Retrieved February 15, 2016.',
                          'source_name': 'Lotus Blossom Jun 2015',
                          'url': 'https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html'},
                         {'description': 'Joey Chen, Cisco Talos. (2025, '
                                         'February 27). Lotus Blossom '
                                         'espionage group targets multiple '
                                         'industries with different versions '
                                         'of Sagerunex and hacking tools. '
                                         'Retrieved March 15, 2025.',
                          'source_name': 'Cisco LotusBlossom 2025',
                          'url': 'https://blog.talosintelligence.com/lotus-blossom-espionage-group/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Symntec Threat Hunter Team. (2022, '
                                         'November 12). Billbug: '
                                         'State-sponsored Actor Targets Cert '
                                         'Authority, Government Agencies in '
                                         'Multiple Asian Countries. Retrieved '
                                         'March 15, 2025.',
                          'source_name': 'Symantec Bilbug 2022',
                          'url': 'https://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority'}],
 'id': 'intrusion-set--88b7dbc2-32d3-4e31-af2f-3fc24e1582d7',
 'modified': '2025-04-23T21:20:58.367Z',
 'name': 'Lotus Blossom',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Prinesha Dobariya'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.0'}