A sophisticated Chinese hacking group known as Billbug (also tracked as Lotus Blossom, Lotus Panda, and Bronze Elgin) has intensified its espionage campaign across Southeast Asia, employing a new custom Reverse SSH Tool to compromise high-value targets. Between August 2024 and February 2025, Billbug orchestrated a coordinated attack campaign against multiple organizations within a single Southeast Asian country, including a government ministry, an air traffic control organization, a telecommunications operator, and a construction company. The group expanded its reach by targeting a news agency in another Southeast Asian country and an air freight organization in a neighboring nation, a strategic widening of its operational scope. Active since at least 2009, the group has historically focused on government and military organizations in the region and remains a persistent threat to national security infrastructure.

The threat actors deployed an arsenal of sophisticated tools, with the custom Reverse SSH Tool (SHA256: 461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced) emerging as a particularly notable addition to their toolkit. This specialized malware establishes persistent backdoor access by listening for SSH connections on port 22, enabling the attackers to maintain stealthy control over compromised systems. It represents a significant advancement in Billbug’s capabilities, providing a covert channel for command and control while masquerading as legitimate SSH traffic on standard ports. The campaign represents an evolution in Billbug’s tactics, techniques, and procedures (TTPs), demonstrating the group’s continued investment in custom malware development.

In addition to the Reverse SSH Tool, the attackers deployed credential theft utilities specifically targeting Chrome browser data (ChromeKatz and CredentialKatz) and leveraged legitimate software to evade detection. This method involves placing malicious DLL files alongside legitimate executables from trusted vendors, exploiting Windows’ DLL search order so that the malicious code executes with the permissions of the legitimate software. A Bitdefender executable (bds.exe) was likewise abused to load a malicious DLL (log.dll), which decrypted content from a file named “winnt.config” and injected it into the legitimate systray.exe process. These techniques allowed the attackers to establish persistence while evading traditional security controls that focus on executable files rather than DLLs. Together, these approaches make detection particularly challenging for traditional network monitoring solutions and represent an ongoing threat to organizations throughout Southeast Asia.
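As a defensive illustration of the side-loading pattern described above, here is a small added Python check (not from the article or from any vendor's tooling) that runs a co-location and signer heuristic over constructed Sysmon-style image-load events. The file paths, signer names and the HostSigner enrichment field are assumptions made for the example.

```python
"""Flag DLL side-loading candidates in Windows image-load telemetry.
Heuristic: a vendor executable loads a DLL from its own directory (not a
Windows system directory) and that DLL is unsigned or signed by someone else."""
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed sample events in the shape of Sysmon Event ID 7 (Image
# loaded). HostSigner is a constructed enrichment field (Sysmon does not
# report the loading process's signer); paths and signer names are placeholders.
EVENTS = [
    {"Image": r"C:\ProgramData\Update\bds.exe", "HostSigner": "Vendor A",
     "ImageLoaded": r"C:\ProgramData\Update\log.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\ProgramData\Update\bds.exe", "HostSigner": "Vendor A",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\App\app.exe", "HostSigner": "Vendor B",
     "ImageLoaded": r"C:\Program Files\App\helper.dll",
     "Signed": "true", "Signature": "Vendor B"},
    {"Image": r"C:\Program Files\App\app.exe", "HostSigner": "Vendor B",
     "ImageLoaded": r"C:\Program Files\App\plugin.dll",
     "Signed": "true", "Signature": "Someone Else"},
]


def is_sideload_candidate(ev):
    """True when the loaded DLL sits next to the executable and its
    signature does not vouch for the executable's publisher."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # loaded from its normal system location
    if dll_dir != str(exe.parent).lower():
        return False  # not co-located with the executable
    if ev.get("Signed", "").lower() != "true":
        return True  # unsigned DLL beside a vendor binary
    return ev["Signature"] != ev.get("HostSigner", ev["Signature"])


def find_sideload_candidates(events):
    """Return (executable, dll) pairs worth triaging."""
    return [(ev["Image"], ev["ImageLoaded"])
            for ev in events if is_sideload_candidate(ev)]
```

On the constructed events this flags bds.exe loading the unsigned log.dll and app.exe loading a DLL signed by a different publisher, while the system DLL and the same-publisher helper are left alone.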
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 21 Apr 2025 07:20:56 +0000