Cisco Talos has uncovered multiple cyber espionage campaigns attributed to the Lotus Blossom group, targeting sectors such as government, manufacturing, telecommunications, and media. These campaigns use the Sagerunex backdoor, which has evolved to use third-party cloud services such as Dropbox and Twitter for command and control (C2) to evade detection. Lotus Blossom, active since at least 2012, employs sophisticated tactics to gain persistence and control over infected systems. The group's consistent use of specific tactics, techniques, and procedures (TTPs) and its focus on long-term persistence highlight its advanced capabilities in cyber espionage.