A sophisticated cyber-espionage campaign attributed to the China-linked Billbug group (aka Lotus Blossom, Lotus Panda, or Bronze Elgin) compromised multiple high-profile organizations across Southeast Asia between August 2024 and February 2025, according to a recent threat intelligence report from Symantec.
The campaign targeted a range of critical sectors within an unnamed Southeast Asian country, including a government ministry, an air traffic control organization, a telecommunications provider, and a major construction company. In addition, Billbug expanded its operations beyond national borders, launching attacks against a news agency in a neighboring Southeast Asian country and an air freight organization based in another.
Billbug has been active since at least 2009, with a consistent operational focus on Southeast Asia. It first gained attention in 2015 when Palo Alto Networks linked the group to more than 50 attacks over a three-year period. Those campaigns primarily leveraged spear-phishing emails and fake documents to deliver the custom Trensil (also known as Elise) Trojan.
The latest wave of attacks appears to be a continuation of activity first disclosed by Symantec in December 2024. The earlier report detailed Billbug operations targeting high-profile organizations across the region. Evidence shows that the campaign is likely the work of the Chinese threat actor; however, Symantec has yet to link the attacks to any known hacker group.
The attackers employed a suite of newly developed tools during the campaign, including ChromeKatz, a tool capable of extracting both credentials and cookies from the Chrome web browser; CredentialKatz, a tool designed to harvest stored credentials from Chrome; Reverse SSH Tool, a custom utility that listens for SSH connections on port 22; and Zrok, a publicly available peer-to-peer tool, used here to expose internal services via its sharing functionality.
Researchers have also observed the threat actor using DLL sideloading techniques, where the attackers abused legitimate software from cybersecurity vendors Trend Micro and Bitdefender. By sideloading malicious DLL files such as multiple variants of log.dll and a file named sqlresourceloader.dll through these legitimate binaries, the attackers were able to stealthily deploy malware while evading detection.
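As an added illustration of how a defender might hunt for the sideloading pattern described above (example code written for this article, not from Symantec's report), the following Python triages image-load events: it flags a watched DLL name (the log.dll and sqlresourceloader.dll named in the report) when an unsigned copy is loaded from the same directory as a binary signed by one of the abused vendors. The event fields, vendor strings, paths and executable names are assumptions or constructed samples.

```python
import ntpath
from dataclasses import dataclass

# DLL names the report says were sideloaded; vendor strings are assumptions.
WATCHED_DLLS = {"log.dll", "sqlresourceloader.dll"}
ABUSED_VENDORS = ("trend micro", "bitdefender")

@dataclass
class ImageLoad:
    """One image-load event (Sysmon Event ID 7 style); fields are assumed."""
    image: str          # path of the process that loaded the module
    image_company: str  # company/signer of that executable
    loaded: str         # path of the loaded DLL
    signed: bool        # whether the DLL carries a valid signature

def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when a watched DLL is pulled, unsigned, from the loader's own
    directory by a binary signed by one of the abused vendors."""
    if ntpath.basename(ev.loaded).lower() not in WATCHED_DLLS:
        return False
    if not any(v in ev.image_company.lower() for v in ABUSED_VENDORS):
        return False
    # Sideloading relies on the loader resolving the DLL from its own
    # directory before the system directories, so the malicious copy
    # sits beside the legitimate executable.
    same_dir = ntpath.dirname(ev.loaded).lower() == ntpath.dirname(ev.image).lower()
    return same_dir and not ev.signed

def triage(events):
    """Return the paths of DLLs that match the sideloading pattern."""
    return [e.loaded for e in events if is_suspicious_sideload(e)]

# Constructed sample events; the paths and executable names are made up.
SAMPLE_EVENTS = [
    # Vendor binary copied to a user-writable folder, loading an unsigned log.dll
    ImageLoad(r"C:\Users\Public\svc\vendor_tool.exe", "Trend Micro Inc.",
              r"C:\Users\Public\svc\log.dll", signed=False),
    # Same DLL name, but loaded signed from the vendor's install path
    ImageLoad(r"C:\Program Files\Bitdefender\tool.exe", "Bitdefender SRL",
              r"C:\Program Files\Bitdefender\log.dll", signed=True),
    # Unrelated process loading an unrelated DLL
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Corporation",
              r"C:\Windows\System32\ntdll.dll", signed=True),
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("suspicious sideload:", path)
```

A real deployment would take the same fields from an EDR or Sysmon feed and add the signer check for the DLL rather than trusting a boolean from the event.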
In addition, the threat actor has deployed a new variant of the Sagerunex backdoor, a tool exclusive to Billbug that allows for deep persistence within compromised networks.