CyberSecurityBoard
Sponsor Register Login

Lotus Blossom APT Exploits WMI for Post-Exploitation Activities

The Lotus Blossom APT group’s sophisticated use of WMI, legitimate cloud platforms, and stealthy persistence mechanisms underscores the need for robust cybersecurity measures tailored to counter advanced threat actors. The Lotus Blossom Advanced Persistent Threat (APT) group, also known as Lotus Panda, Billbug, and Spring Dragon, has intensified its cyberespionage efforts with new variants of the Sagerunex backdoor. These developments highlight the group’s evolving tactics, including leveraging Windows Management Instrumentation (WMI) for post-exploitation activities and employing legitimate cloud services for command-and-control (C2) communications. Endpoint Detection and Response (EDR): Deploy behavior-based EDR tools capable of identifying suspicious activities such as registry modifications and encrypted communications with cloud services. On compromised machines, the attackers deploy a suite of tools, including RAR archivers for data compression, custom proxy utilities like Venom for traffic relaying, and Chrome cookie stealers for credential harvesting. The Sagerunex backdoor demonstrates advanced evasion techniques by utilizing legitimate platforms such as Dropbox, Twitter (X), and Zimbra for C2 communications. Security Validation: Use Breach and Attack Simulation (BAS) platforms to test defenses against Lotus Blossom’s tactics. According to Picus Security, these platforms allow attackers to blend malicious traffic with normal user activity. Lotus Blossom’s attack chain begins with initial access achieved through spear-phishing, watering hole attacks, or exploiting vulnerabilities in public-facing applications. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. If direct internet access is unavailable, the group uses proxy configurations or deploys Venom to route traffic through other infected hosts. This technique enables attackers to execute commands on remote systems without deploying additional malware, making detection more challenging.

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 29 Mar 2025 16:50:17 +0000


Cyber News related to Lotus Blossom APT Exploits WMI for Post-Exploitation Activities

Lotus Blossom APT Exploits WMI for Post-Exploitation Activities - The Lotus Blossom APT group’s sophisticated use of WMI, legitimate cloud platforms, and stealthy persistence mechanisms underscores the need for robust cybersecurity measures tailored to counter advanced threat actors. The Lotus Blossom Advanced ...
2 days ago Cybersecuritynews.com Lotus Blossom
What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
1 year ago Techtarget.com Cozy Bear APT29
An Argument for Coordinated Disclosure of New Exploits - There were more than 23,000 vulnerabilities discovered and disclosed. While not all of them had associated exploits, it has become more and more common for there to be a proverbial race to the bottom to see who can be the first to release an exploit ...
10 months ago Darkreading.com
CVE-2020-5202 - apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit ...
3 years ago
ESET APT Activity Report T3 2022 - ESET APT Activity Report T3 2022 summarizes the activities of selected advanced persistent threat groups that were observed, investigated, and analyzed by ESET researchers from September until the end of December 2022. In the monitored timespan, ...
2 years ago Welivesecurity.com MuddyWater Mustang Panda POLONIUM
Hijacking Your Bandwidth How Proxyware Apps Open You Up to Risk - Is this true? To examine and understand the kind of risks a potential user might be exposed to by joining such programs, we recorded and analyzed network traffic from a large number of exit nodes of several different network bandwidth sharing ...
2 years ago Trendmicro.com
Malware botnet bricked 600,000 routers in mysterious 2023 event - A malware botnet named 'Pumpkin Eclipse' performed a mysterious destructive event in 2023 that destroyed 600,000 office/home office internet routers offline, disrupting customers' internet access. According to researchers at Lumen's Black Lotus Labs, ...
10 months ago Bleepingcomputer.com
Malware botnet bricked 600,000 routers in mysterious 2023 attack - A malware botnet named 'Pumpkin Eclipse' performed a mysterious destructive event in 2023 that destroyed 600,000 office/home office internet routers offline, disrupting customers' internet access. According to researchers at Lumen's Black Lotus Labs, ...
10 months ago Bleepingcomputer.com
CVE-2024-37412 - Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery.This issue affects Blossom Shop: from n/a through 1.1.7. ...
2 months ago Tenable.com
Raspberry Robin malware evolves with early access to Windows exploits - Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them. One-day exploits refer to code that leverages a vulnerability that the developer of the ...
1 year ago Bleepingcomputer.com CVE-2023-36802 CVE-2023-29360
Lotus Blossom - Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. ...
1 year ago Attack.mitre.org Lotus Blossom
Privilege elevation exploits used in over 50% of insider attacks - Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner. A report by ...
1 year ago Bleepingcomputer.com CVE-2017-0213
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
5 months ago Aws.amazon.com
North Korea-linked APT Kimsuky targeted German defense firm Diehl Defence - North Korea-linked APT group Kimsuky has been linked to a cyberattack on Diehl Defence, a defense firm specializing in the production of advanced military systems. “Researchers from Mandiant, a Google subsidiary, uncovered and analyzed a ...
5 months ago Securityaffairs.com Kimsuky
Harmony Horizon Bridge and Lazarus APT Activities Revealed - SecurityAffairs recently shed light on a report by FireEye security researchers about the activities of the Harmony Horizon Bridge and Lazarus APTs. The report includes a new variant of the Bridge malware named “Ovorum”, as well as the TVShow ...
2 years ago Securityaffairs.com
Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
1 year ago Securityweek.com Volt Typhoon Hunters
Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
1 year ago Packetstormsecurity.com Volt Typhoon Hunters
FlyingYeti targets Ukraine using WinRAR exploit to drop Malware - MUST READ. FlyingYeti targets Ukraine using WinRAR exploit to deliver COOKBOX Malware. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Microsoft fixed two zero-day bugs exploited in malware attacks. ...
9 months ago Securityaffairs.com CVE-2022-38028 CVE-2024-0204 CVE-2023-46747 CVE-2023-46748 CVE-2023-20198 CVE-2023-38831 CVE-2023-38035 APT28 APT29
Government Quash All Post Office Horizon Convictions - It comes after the government in July 2021 had promised to compensate those postmasters who had their Horizon-related convictions overturned. The Government said this week it has committed to making sure these convictions are overturned by the end of ...
1 year ago Silicon.co.uk
Cyber Insights 2023: Criminal Gangs - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. Despite some geopolitical overlaps with state attackers, the majority of ...
2 years ago Securityweek.com
Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs - Russia-sponsored advanced persistent threat group Turla is now targeting Polish NGOs in a cyberespionage campaign that uses a freshly developed backdoor with modular capabilities, signaling an expansion of the scope of its attacks against supporters ...
1 year ago Darkreading.com Turla
Stealthy KV-botnet hijacks SOHO routers and VPN devices - The Chinese state-sponsored APT hacking group known as Volt Typhoon has been linked to a sophisticated botnet named 'KV-botnet' since at least 2022 to attack SOHO routers in high-value targets. Volt Typhoon commonly targets routers, firewalls, and ...
1 year ago Bleepingcomputer.com Volt Typhoon
State-Sponsored APT Groups Use Ransomware Tactics for Intelligence Gathering and Sabotage - State-sponsored threat groups are increasingly using ransomware-like tactics to hide more insidious activities. Russian APT group Sandworm has used ransomware programs to destroy data multiple times in the past six months, while North Korea's Lazarus ...
2 years ago Csoonline.com Andariel APT3 APT37 APT38 Kimsuky Lazarus Group BianLian
CVE-2024-46768 - In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can ...
6 months ago Tenable.com
CVE-2023-52864 - In the Linux kernel, the following vulnerability has been resolved: platform/x86: wmi: Fix opening of char device Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via file private data"), the miscdevice stores a pointer to itself ...
10 months ago Tenable.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)