Hannotog
Hannotog is a custom backdoor/loader malware associated with the Billbug espionage group, also tracked as Lotus Blossom and Thrip. It was documented by Symantec in 2019 and was reused in later Billbug activity observed since at least March 2022 targeting a digital certificate authority and multiple government and defense organizations in Asia. Multiple files believed to be Hannotog loaders were found on victim machines.
Hannotog is frequently used as a loader that prepares victim systems by creating Windows services for persistence, modifying local firewall settings via netsh to open a listening UDP port, and deploying secondary payloads such as Sagerunex. It can create a new service for persistence, stop services, gather system information, execute cmd.exe commands, download files, and upload encrypted data for exfiltration. Hannotog uses non-standard listening ports for command and control, including UDP port 5900.
The malware has been used in espionage-focused intrusions attributed to Billbug/Lotus Blossom/Thrip against victims in Asian countries, including government, defense, and a certificate authority. In the observed campaigns, Hannotog was used alongside Sagerunex and dual-use tools such as AdFind, Certutil, Ping, Tracert, Route, NBTscan, Winmail, and WinRAR.
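As an added defensive example (not part of the original page or of any vendor's detection content): Python hunt logic over constructed process-creation events that flags the two host-preparation steps described above, an inbound UDP firewall opening via netsh (current and legacy syntax) and a service creation, and scores a host higher when both occur within a short window. Host names, paths, service and rule names in the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical hosts, paths, names); not real telemetry.
EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall firewall add rule name=Update dir=in action=allow protocol=UDP localport=5900"},
    {"host": "ws01", "ts": 130, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc create WinUpdSvc binPath= "C:\ProgramData\svc.exe" start= auto'},
    {"host": "ws02", "ts": 200, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall firewall add rule name=RDP dir=in action=allow protocol=TCP localport=3389"},
    {"host": "ws03", "ts": 300, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh firewall add portopening UDP 5900 svc ENABLE"},
]

NEW_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
OLD_RULE = re.compile(r"netsh\s+firewall\s+add\s+portopening\s+(\w+)\s+(\d+)", re.I)
KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens of the advfirewall syntax

def firewall_udp_open(cmd):
    """Return the local UDP port an inbound allow rule opens, or None if the command is not one."""
    if NEW_RULE.search(cmd):
        kv = {k.lower(): v.lower() for k, v in KV.findall(cmd)}
        if kv.get("dir") == "in" and kv.get("action") == "allow" and kv.get("protocol") == "udp":
            return int(kv["localport"]) if kv.get("localport", "").isdigit() else None
    m = OLD_RULE.search(cmd)  # legacy "netsh firewall add portopening <proto> <port> ..." form
    if m and m.group(1).lower() == "udp":
        return int(m.group(2))
    return None

def service_created(cmd):
    """True for 'sc create' / 'sc.exe create' (new service installation via the service controller)."""
    return re.search(r"\bsc(?:\.exe)?\s+create\b", cmd, re.I) is not None

def hunt(events, window=600):
    """Score per host: UDP firewall opening = 1, service creation = 1, both within `window` seconds = 3."""
    per_host = defaultdict(lambda: {"udp_ports": [], "fw_ts": [], "svc_ts": []})
    for e in events:
        port = firewall_udp_open(e["cmd"])
        if port is not None:
            per_host[e["host"]]["udp_ports"].append(port)
            per_host[e["host"]]["fw_ts"].append(e["ts"])
        if service_created(e["cmd"]):
            per_host[e["host"]]["svc_ts"].append(e["ts"])
    findings = {}
    for host, h in per_host.items():
        score = (1 if h["udp_ports"] else 0) + (1 if h["svc_ts"] else 0)
        if any(abs(a - b) <= window for a in h["fw_ts"] for b in h["svc_ts"]):
            score = 3  # both preparation steps on one host close together
        findings[host] = {"score": score, "udp_ports": h["udp_ports"], "port5900": 5900 in h["udp_ports"]}
    return findings
```

Tune the port list and window to your environment; a TCP-only rule such as the ws02 event is deliberately ignored so that ordinary RDP rule changes do not fire.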
Groups observed using it
1 distinct threat actor attributed by public researchers.
In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity. Multiple files that are believed to be loaders for the Hannotog backdoor were spotted on victim machines.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
“Tools such as WMI, PsExec, and PowerShell are used to move laterally.”
“The tools that were reportedly used by Billbug APT are the following: ... PowerShell”
Persistence (1 technique)
Privilege Escalation (1 technique)
Credential Access (1 technique)
Discovery (1 technique)
Lateral Movement (1 technique)
Collection (1 technique)
Command and Control (2 techniques)
Exfiltration (3 techniques)
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Loader used to prepare hosts (service creation, firewall modification) and deploy secondary payloads, notably Sagerunex.
Custom backdoor malware used by the Billbug (aka Lotus Blossom/Thrip) APT for espionage-oriented access on compromised systems.
A backdoor used by Billbug that is deployed via loader files and appears to also function as a loader for Sagerunex. It can modify firewall settings, listen on port 5900, create services for persistence, stop services, upload encrypted data, execute shell commands for system reconnaissance, and download files.
Malware that creates a new Windows service for persistence.