Description
[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/groups/G0030) has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)
Techniques Used (TTPs)
- T1016 — System Network Configuration Discovery (discovery)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1087.002 — Domain Account (discovery)
- T1074.001 — Local Data Staging (collection)
- T1134 — Access Token Manipulation (defense-evasion, privilege-escalation)
- T1087.001 — Local Account (discovery)
- T1090.001 — Internal Proxy (command-and-control)
- T1539 — Steal Web Session Cookie (credential-access)
- T1112 — Modify Registry (defense-evasion, persistence)
- T1049 — System Network Connections Discovery (discovery)
- T1047 — Windows Management Instrumentation (execution)
- T1482 — Domain Trust Discovery (discovery)
- T1016.001 — Internet Connection Discovery (discovery)
- T1090.003 — Multi-hop Proxy (command-and-control)
- T1588.002 — Tool (resource-development)
- T1018 — Remote System Discovery (discovery)
- T1083 — File and Directory Discovery (discovery)
- T1560.003 — Archive via Custom Method (collection)
- T1560.001 — Archive via Utility (collection)
- T1046 — Network Service Discovery (discovery)
- T1012 — Query Registry (discovery)
Total TTPs: 21