Lotus Blossom APT

Type: Nation-State-Sponsored

Lotus Blossom APT Status: Believed Inactive

Lotus Blossom APT Other Names: Operation Lotus Blossom/ Spring Dragon/ ST Group/ LStudio/ APToLSTU

Active Since/Discovered: 2012

Last Report: June 16, 2015

Targets: Hong Kong, Taiwan, Vietnam, the Philippines, Indonesia, United States, and Canada

Target Sectors: Military and Government, Aviation


  • custom Trojan backdoor called “Elise” or “Page” malware (BKDR_ESILE)
    • At least three variants; all use separate, but connected, C2 infrastrucuture
    • Evades detection, detects virtual environments, connects to C2 for additional instruction, exfiltrates data
    • Encrypted binary configuration data structure containing a list of C2 servers to contact
    • A campaign identifier that identifies the specific malware reporting to the C2 server
    • C2 communications using a custom format delivered over HTTP or HTTPS
    • Upon installation, performs basic network reconnaissance, and sends data to C2
    • Ability to execute commands, DLLs, and executables
    • Read and write files
    • Update configuration and upload configuration data
    • The malware
    • The malware injects itself into iexplore.exe, decrypts an embedded DLL located in its resource section (‘XDATA’) and writes this DLL to a new section of memory in iexplore.exe
  • Elise delivered as malicious payload to decoy attachment
    • The document is usually a personnel roster for a specific military or government office
  • May also use the LStudio or Evora tools

Preferred Attack Vector: Spear-phishing and watering-hole attacks

  • Past Lures:
    • A spreadsheet listing high-level officers in the Philippine Navy, along with their birth dates and mobile phone numbers
    • The operational humanitarian and disaster response (HADR) plan for the Armed Forces of the Philippines, stamped “Secret.”
    • An invitation to the screening of a film at the Norwegian embassy


  • typically includes exploit code for a well-known Microsoft  Office vulnerability, CVE-2012-0158


  • Over 50 attacks between 2012-2015
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google