A sophisticated Chinese hacking group known as Billbug (also tracked as Lotus Blossom, Lotus Panda, and Bronze Elgin) has intensified its espionage campaign across Southeast Asia, employing a new custom Reverse SSH Tool to compromise high-value targets.
This group, active since at least 2009, has historically focused on government and military organizations in the region, demonstrating a persistent threat to national security infrastructure.
Between August 2024 and February 2025, Billbug orchestrated a coordinated attack campaign against multiple organizations within a single Southeast Asian country, including a government ministry, an air traffic control organization, a telecommunications operator, and a construction company.
The group expanded its reach by targeting a news agency in another Southeast Asian country and an air freight organization in a neighboring nation, showing a strategic widening of its operational scope.
Symantec researchers identified this campaign as a continuation of activities first documented in December 2024.
The threat actors deployed an arsenal of sophisticated tools, with the custom Reverse SSH Tool (SHA256: 461f0803b67799da8548ebfd979053fb99cf110f40ac3fc073c3183e2f6e9ced) emerging as a particularly notable addition to their toolkit.
This specialized malware establishes persistent backdoor access by listening for SSH connections on port 22, enabling attackers to maintain stealthy control over compromised systems.
The campaign represents an evolution in Billbug’s tactics, techniques, and procedures (TTPs), demonstrating its continued investment in custom malware development.
In addition to the Reverse SSH Tool, the attackers deployed credential theft utilities specifically targeting Chrome browser data (ChromeKatz and CredentialKatz) and leveraged legitimate software to evade detection.
The persistent and targeted nature of these attacks indicates a long-term espionage operation with specific intelligence-gathering objectives.
Infection Mechanism: DLL Sideloading Techniques
The attackers employed sophisticated DLL sideloading techniques to establish initial access and persistence on targeted systems.
This method involves placing malicious DLL files alongside legitimate executables from trusted vendors, exploiting Windows’ DLL search order to execute malicious code with the permissions of legitimate software.
In one instance, attackers leveraged a legitimate Trend Micro executable (tmdbglog.exe) to load a malicious DLL (tmdglog.dll). The malicious DLL operated as follows:

```
// Simplified pseudocode of tmdglog.dll operation, as described in the report
void DllMain() {
    // Read the encrypted payload dropped at C:\Windows\temp\TmDebug.log
    byte[] payload = ReadFile("C:\\Windows\\temp\\TmDebug.log");
    // Decrypt the payload
    byte[] decryptedPayload = Decrypt(payload);
    // Execute the decrypted payload in memory (never written to disk as a PE)
    ExecuteInMemory(decryptedPayload);
    // Log execution progress to an inconspicuous temp file
    LogProgress("C:\\Windows\\Temp\\VT001.tmp");
}
```
Similarly, a Bitdefender executable (bds.exe) was exploited to load another malicious DLL (log.dll), which decrypted content from a file named “winnt.config” and injected it into the legitimate systray.exe process.
These techniques allowed the attackers to establish persistence while evading traditional security controls that focus on executable files rather than DLLs.
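The two sideloading pairings and the dropped files described above are the kind of host-level shape a responder can hunt for. The script below is an added example, not code from the report or from Symantec: it triages a file inventory for DLLs that sit beside a signed executable but carry a different (or no) Authenticode signer, raising the severity for the exact executable/DLL pairs named in this article, and separately lists the drop artifacts (TmDebug.log, VT001.tmp, winnt.config). The inventory records and the signer strings are constructed assumptions for the example; a real run would take them from an EDR or signed-file audit export.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Executable/DLL pairings and dropped files named in the report above.
KNOWN_SIDELOAD_PAIRS = {("tmdbglog.exe", "tmdglog.dll"), ("bds.exe", "log.dll")}
KNOWN_ARTIFACTS = {"tmdebug.log", "vt001.tmp", "winnt.config"}

# Constructed inventory (path + Authenticode signer, None = unsigned); the
# signer strings are illustrative assumptions, not verified certificate names.
SAMPLE_INVENTORY = [
    {"path": r"C:\ProgramData\tm\tmdbglog.exe", "signer": "Trend Micro, Inc."},
    {"path": r"C:\ProgramData\tm\tmdglog.dll", "signer": None},
    {"path": r"C:\ProgramData\tm\tmlib.dll", "signer": "Trend Micro, Inc."},
    {"path": r"C:\Windows\temp\TmDebug.log", "signer": None},
    {"path": r"C:\Users\Public\bd\bds.exe", "signer": "Bitdefender SRL"},
    {"path": r"C:\Users\Public\bd\log.dll", "signer": None},
    {"path": r"C:\Users\Public\bd\winnt.config", "signer": None},
    {"path": r"C:\Program Files\7-Zip\7z.exe", "signer": "Igor Pavlov"},
    {"path": r"C:\Program Files\7-Zip\7z.dll", "signer": "Igor Pavlov"},
]

def find_sideload_candidates(inventory):
    """Flag DLLs co-located with a signed .exe whose signer differs from the DLL's."""
    # A vendor's own component DLLs normally share the executable's signer.
    by_dir = defaultdict(list)
    for rec in inventory:
        p = PureWindowsPath(rec["path"])
        by_dir[str(p.parent).lower()].append((p.name.lower(), rec.get("signer")))
    findings = []
    for directory, entries in by_dir.items():
        exes = [(n, s) for n, s in entries if n.endswith(".exe") and s]
        dlls = [(n, s) for n, s in entries if n.endswith(".dll")]
        for exe, exe_signer in exes:
            for dll, dll_signer in dlls:
                if dll_signer == exe_signer:
                    continue  # same publisher: ordinary component layout
                known = (exe, dll) in KNOWN_SIDELOAD_PAIRS
                findings.append({
                    "dir": directory, "exe": exe, "dll": dll,
                    "severity": "high" if known else "medium",
                    "reason": "reported Billbug pairing" if known else "signer mismatch",
                })
    return findings

def find_known_artifacts(inventory):
    """Return paths whose file name matches a drop artifact named in the report."""
    return sorted(r["path"] for r in inventory
                  if PureWindowsPath(r["path"]).name.lower() in KNOWN_ARTIFACTS)
```

The signer-mismatch rule is a triage heuristic, not proof of compromise: legitimately bundled third-party DLLs will surface as medium findings and need a second look at the DLL's signer and hash.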
The Reverse SSH Tool represents a significant advancement in Billbug’s capabilities, providing a stealthy channel for command and control while masquerading as legitimate SSH traffic on standard ports.
This approach makes detection particularly challenging for traditional network monitoring solutions and represents an ongoing threat to organizations throughout Southeast Asia.