Sagerunex
Sagerunex is a Windows backdoor/remote access tool used in long-running cyber-espionage operations attributed with high confidence to the Lotus Blossom threat actor, also tracked as Lotus Panda, Billbug, Spring Dragon, and Thrip. Reporting states Lotus Blossom has used Sagerunex since at least 2016 and that it became the group’s primary backdoor framework for nearly a decade. Cisco Talos assessed Sagerunex is used exclusively by Lotus Blossom and described it as an evolution of the older Billbug tool Evora.
Sagerunex is installed and run as a Windows service, with variants using a servicemain function to verify they are executing as a service and that a configuration file exists at a specified path. It supports modular command execution and multiple communication methods. Talos described it as DLL-injected and executed directly in memory. The malware uses HTTPS for command-and-control communications, supports several proxy configuration settings to ensure connectivity, and has used both traditional VPS infrastructure and legitimate third-party services for C2. More recent variants were reported using cloud or web services including Dropbox, Twitter, and Zimbra webmail as C2 tunnels. Variants also implement time-based execution delay logic and custom operating time windows.
For stealth and evasion, Sagerunex has used VMProtect packing/obfuscation. It performs environment checks before beaconing, including checks for configuration files and other execution prerequisites. It attempts to remain discreet through token impersonation: after execution it locates explorer.exe and uses it to change the token of its executing thread. The malware has also been described as using proxy configuration, token impersonation, and custom operating windows to reduce visibility.
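The token impersonation step above (a service-context process opening explorer.exe to borrow its token) is observable in Sysmon Event ID 10 ProcessAccess telemetry. The following is an added illustration, not Sagerunex code and not from Talos or Mallory: it triages constructed ProcessAccess records for a non-baseline image opening explorer.exe with rights sufficient to read its token; the BENIGN_SOURCES allowlist, the sample records and the user names are assumptions.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for a process opening
explorer.exe with rights that allow reading its token, the precursor to the
thread-token swap described for Sagerunex. Records here are constructed."""
import ntpath

# OpenProcessToken needs one of these access bits on the opened process.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_READ_BITS = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# Assumed baseline of images that routinely open explorer.exe; tune per
# environment. svchost.exe is deliberately absent: a service DLL such as
# Sagerunex would be hosted there, so it must not be allow-listed wholesale.
BENIGN_SOURCES = {"csrss.exe", "lsass.exe", "taskmgr.exe", "msmpeng.exe"}


def is_suspicious_explorer_access(event: dict) -> bool:
    """True when a non-baseline image opens explorer.exe with token-read rights."""
    if event.get("EventID") != 10:
        return False
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    if target != "explorer.exe" or source in BENIGN_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & TOKEN_READ_BITS)


def triage(events: list) -> list:
    """Return (source image, granted access, cross_user) for each hit.
    cross_user is True when a SYSTEM-context source (a service) touches the
    console user's explorer.exe, the stronger signal for this family."""
    hits = []
    for e in events:
        if is_suspicious_explorer_access(e):
            cross_user = e.get("SourceUser") != e.get("TargetUser")
            hits.append((e["SourceImage"], e["GrantedAccess"], cross_user))
    return hits


SAMPLE_EVENTS = [  # constructed records using Sysmon Event ID 10 field names
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetUser": r"CORP\alice",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetUser": r"CORP\alice",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetUser": r"CORP\alice",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1"},
]
```

Only the first record is flagged: the csrss.exe open is baseline, and the third open carries PROCESS_TERMINATE alone, which cannot be used to read a token.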
For collection and exfiltration, Sagerunex encrypts collected system data and exfiltrates it over existing C2 channels. Collected materials have been archived in RAR format prior to exfiltration. Campaign reporting associates Sagerunex-enabled intrusions with post-compromise activity against government, manufacturing, telecommunications, and media organizations, including targets in the Philippines, Vietnam, Hong Kong, and Taiwan.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Then last month, Cisco Talos connected the Lotus Panda actor to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with a backdoor known as Sagerunex.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
“...Lotus Blossom (G0030), the threat actor behind the recent Notepad++ supply chain attack.”
Execution
3 techniques
“Tools such as WMI, PsExec, and PowerShell are used to move laterally.”
The tools that were reportedly used by Billbug APT are the following: ... PowerShell
Privilege Escalation
2 techniques
Stealth
8 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
1 technique
The tools that were reportedly used by Billbug APT are the following: ... Mimikatz
Discovery
4 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Lateral Movement
1 technique
The tools that were reportedly used by Billbug APT are the following: ... PsExec
Collection
4 techniques
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Multiple actors and tools are described as using 7-Zip/WinRAR/zip/tar/gzip/makecab/PowerShell Compress-Archive to compress (often password-protect/encrypt) collected data prior to exfiltration (e.g., “used 7zip to archive extracted data in preparation for exfiltration”, “created password-protected RAR archives prior to exfiltration”, “used built-in PowerShell capabilities (Compress-Archive cmdlet) to compress collected data”).
Command and Control
8 techniques
APT41 DUST used HTTPS for command and control. APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS. Lumma Stealer has used HTTPS for command and control purposes.
AuditCred can utilize proxy for communications... FunnyDream can identify and use configured proxies in a compromised network for C2 communication... Kapeka can identify system proxy settings via WinHttpGetIEProxyConfigForCurrentUser() during initialization and utilize these settings for subsequent command and control operations... PoshC2 contains modules that allow for use of proxies in command and control.
"APT28 has used Google Drive for C2."; "APT37 leverages social networking sites and cloud platforms ... for C2."; "FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2."
The tools that were reportedly used by Billbug APT are the following: ... Certutil
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration
2 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
The tools that were reportedly used by Billbug APT are the following: ... WinSCP
Recent activity
26 sources tracked across advisories, community write-ups, and news.
Primary modular backdoor framework for Lotus Blossom; commonly installed as a Windows service; newer variants use legitimate cloud/email services for C2 to increase stealth.
Backdoor family described as a defining toolset element for Lotus Blossom operations for nearly a decade.
Backdoor used by Lotus Panda/Lotus Blossom since at least 2016; updated variants used against government and other sectors in parts of Asia.
A long-running backdoor family associated with Lotus Blossom, used for persistent access and espionage across multiple variants over years.