China APT Billbug deploys new malware toolsets in attacks on multiple departments

China-linked cyber espionage group Billbug has refreshed its attack toolkit with new malware payloads in a broad campaign targeting multiple organizations in Southeast Asia. The new tools, observed in attacks that ran from August to February, include credential stealers, reverse shells and updated backdoors.
“The targets include a government ministry, air traffic control organizations, telecom operators and construction companies,” researchers at Broadcom’s Symantec division wrote in a report on the activity. “In addition, the organization invaded news agencies in another country in Southeast Asia and air transport organizations in another neighboring country.”
Also known in the security industry as Lotus Blossom, Lotus Panda, Bronze Elgin or Spring Dragon, Billbug is a cyber espionage group suspected of having links to the Chinese government, and it focuses on gathering intelligence from other Asian countries. It has been operating since at least 2009, mainly targeting governments and military organizations.