Lotus Blossom APT

Type: Nation-State-Sponsored

Lotus Blossom APT Status: Believed Inactive

Lotus Blossom APT Other Names: Operation Lotus Blossom/ Spring Dragon/ ST Group/ LStudio/ APToLSTU

Active Since/Discovered: 2012

Last Report: June 16, 2015

Targets: Hong Kong, Taiwan, Vietnam, the Philippines, Indonesia, United States, and Canada

Target Sectors: Military and Government, Aviation


  • custom Trojan backdoor called “Elise” or “Page” malware (BKDR_ESILE)
    • At least three variants; all use separate, but connected, C2 infrastrucuture
    • Evades detection, detects virtual environments, connects to C2 for additional instruction, exfiltrates data
    • Encrypted binary configuration data structure containing a list of C2 servers to contact
    • A campaign identifier that identifies the specific malware reporting to the C2 server
    • C2 communications using a custom format delivered over HTTP or HTTPS
    • Upon installation, performs basic network reconnaissance, and sends data to C2
    • Ability to execute commands, DLLs, and executables
    • Read and write files
    • Update configuration and upload configuration data
    • The malware
    • The malware injects itself into iexplore.exe, decrypts an embedded DLL located in its resource section (‘XDATA’) and writes this DLL to a new section of memory in iexplore.exe
  • Elise delivered as malicious payload to decoy attachment
    • The document is usually a personnel roster for a specific military or government office
  • May also use the LStudio or Evora tools

Preferred Attack Vector: Spear-phishing and watering-hole attacks

  • Past Lures:
    • A spreadsheet listing high-level officers in the Philippine Navy, along with their birth dates and mobile phone numbers
    • The operational humanitarian and disaster response (HADR) plan for the Armed Forces of the Philippines, stamped “Secret.”
    • An invitation to the screening of a film at the Norwegian embassy


  • typically includes exploit code for a well-known Microsoft  Office vulnerability, CVE-2012-0158


  • Over 50 attacks between 2012-2015