Lotus Panda Expands Operations with Evolved Sagerunex Backdoor
Lotus Panda, a Chinese threat actor also known as Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip, has been ramping up cyber operations against government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. The group, active since at least 2009, has been using an upgraded version of the Sagerunex backdoor, first linked to them in 2016. Recent attacks show a shift toward long-term persistence and more advanced malware variants. These versions use legitimate platforms such as Dropbox, X, and Zimbra for command-and-control communication, helping them blend into normal network traffic and evade detection. The initial access method remains unclear, but Lotus Panda has a history of using spear-phishing and watering hole attacks. Once inside a system, Sagerunex collects sensitive data, encrypts it, and exfiltrates it to remote servers. The Zimbra variant steals information and allows remote command execution using email content. The malware scans inboxes for commands, executes them, and hides the results in draft or trash folders. Additional tools include a Chrome cookie stealer for credential theft, a proxy utility named Venom for network obfuscation, and custom software to compress and encrypt stolen data. The group also runs reconnaissance commands to map the environment and assess network restrictions. If internet access is limited, they exploit the target’s proxy settings or use the Venom tool to connect isolated machines to external systems. This ongoing activity highlights Lotus Panda’s adaptability and continued focus on espionage in key Asian sectors.
Eleven11bot Botnet Infects Over 86,000 IoT Devices for Large-Scale DDoS Attacks
A rapidly growing botnet named Eleven11bot has compromised over 86,000 IoT devices, primarily security cameras and network video recorders, using them to carry out massive DDoS attacks. The botnet, loosely tied to Iran, mainly targets telecommunications providers and online gaming servers, generating attack traffic that reaches several hundred million packets per second. Some attacks have lasted multiple days, causing significant service disruptions. Nokia researchers, who first discovered the botnet, report that its scale is among the largest in recent years. Security platform GreyNoise has been actively tracking the malware’s spread, identifying 1,400 infected IP addresses in the past month, most originating from Iran. The Shadowserver Foundation has observed the highest number of infected devices in the United States, the United Kingdom, Mexico, Canada, and Australia. Eleven11bot spreads by exploiting weak or default credentials on IoT devices, leveraging known admin logins, and scanning for exposed Telnet and SSH ports. Attackers use brute-force techniques to gain access, allowing them to recruit more devices into the botnet. To counter this threat, cybersecurity experts advise organizations and individuals to secure IoT devices by changing default passwords, disabling remote access when not needed, and keeping firmware up to date. GreyNoise has published a list of known malicious IP addresses linked to the botnet, which defenders should block and monitor for any suspicious activity. Since IoT devices often receive limited vendor support, checking for end-of-life status and replacing outdated models with newer, more secure versions is essential to reducing exposure to threats like Eleven11bot.
Malicious Typosquatted Go Packages Targeting Linux and macOS Systems
Cybersecurity researchers have uncovered an active campaign targeting the Go programming ecosystem, using typosquatting modules to distribute loader malware on Linux and macOS systems. At least seven malicious packages impersonate legitimate Go libraries, with one, github[.]com/shallowmulti/hypert, appearing to target financial-sector developers specifically. These packages exhibit consistent obfuscation techniques and repeated filenames, indicating a coordinated operation by a threat actor capable of rapidly adapting. Despite being reported, the counterfeit packages remain available on the official Go package repository, though most of their corresponding GitHub repositories have been taken down. The malware executes an obfuscated shell command that retrieves and runs a script from a remote server (alturastreet[.]icu) after an intentional delay of one hour to evade detection. Once executed, the payload installs an executable file that can potentially steal sensitive data or credentials from infected systems. This campaign follows a previously reported software supply chain compromise in the Go ecosystem, which granted attackers remote access to infected machines. The repeated use of identical filenames, string obfuscation through arrays, and delayed execution methods suggest a well-coordinated operation designed for persistence. The presence of multiple fallback domains and malicious packages shows an infrastructure built for longevity, allowing attackers to pivot when domains or repositories are blacklisted. Security experts advise developers to carefully verify dependencies before installation, monitor for suspicious activity, and implement supply chain security measures to mitigate risks from these persistent threats.
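To make the "verify dependencies before installation" advice concrete, here is an added example (not code from the report or from any project it mentions): a small Go audit that reads a go.mod, flags any module on a blocklist, and flags any module whose path sits within a couple of edits of a trusted module name without matching it. The trusted allowlist, the sample go.mod and its typosquat entry are constructed; the blocklist carries only the module path the report names, with its defanged brackets removed.

```go
package main

import ("fmt"; "regexp")
// Trusted is a constructed allowlist of the modules this project intends to depend on.
var Trusted = []string{"github.com/stretchr/testify", "golang.org/x/crypto", "github.com/gorilla/mux"}
// Blocked holds modules already reported as malicious (the one named in the report above).
var Blocked = map[string]bool{"github.com/shallowmulti/hypert": true}
// SampleGoMod is a constructed go.mod with one typosquat and one blocklisted module.
const SampleGoMod = `module example.com/app
require (
	github.com/stretchr/testify v1.9.0
	github.com/stretchr/testifyy v1.9.0 // constructed typosquat: one extra letter
	github.com/shallowmulti/hypert v0.1.0
	golang.org/x/crypto v0.21.0
)`

// requireRE captures "<module path> v<version>" from single-line and block require forms.
var requireRE = regexp.MustCompile(`(?m)^\s*(?:require\s+)?([\w.-]+(?:/[\w.~-]+)+)\s+v\d\S*`)
// levenshtein is the edit distance between a and b (two-row DP over bytes).
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev { prev[j] = j }
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			c := prev[j-1] // match
			if a[i-1] != b[j-1] { c++ } // substitution
			if d := prev[j] + 1; d < c { c = d } // deletion
			if d := cur[j-1] + 1; d < c { c = d } // insertion
			cur[j] = c
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}
// AuditGoMod maps suspicious modules to a reason: blocklisted, or within maxDist edits of a trusted module without matching it (the typosquat signature).
func AuditGoMod(gomod string, trusted []string, blocked map[string]bool, maxDist int) map[string]string {
	out := map[string]string{}
	for _, m := range requireRE.FindAllStringSubmatch(gomod, -1) {
		if blocked[m[1]] { out[m[1]] = "reported malicious module"; continue }
		for _, t := range trusted {
			if d := levenshtein(m[1], t); d > 0 && d <= maxDist { out[m[1]] = fmt.Sprintf("%d edit(s) from trusted %s", d, t) }
		}
	}
	return out
}

func main() {
	for mod, why := range AuditGoMod(SampleGoMod, Trusted, Blocked, 2) { fmt.Println(mod, "->", why) }
}
```

Run against a real go.mod by swapping SampleGoMod for the file contents; an exact match against the allowlist is never flagged, so only near-misses and blocklisted paths surface.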
Black Basta and Cactus Ransomware Gangs Show Overlapping Tactics and Tools
New research has revealed deeper connections between the Black Basta and Cactus ransomware gangs, which leverage the same social engineering tactics and deploy the BackConnect proxy malware for persistent access to corporate networks. Black Basta, which emerged in 2022 after the Conti ransomware shutdown, has historically used QakBot for initial access. However, after QakBot’s takedown in 2023, the group pivoted to BackConnect, a proxy malware that enables attackers to tunnel traffic, maintain remote control, and escalate attacks while evading detection. Trend Micro's latest analysis found that Cactus ransomware also utilizes BackConnect, indicating a possible rebranding of Black Basta or significant overlap in membership. Both groups use aggressive social engineering, flooding targets with emails before impersonating IT staff through Microsoft Teams to manipulate victims into granting remote access via Windows Quick Assist. The shared infrastructure, similar command-and-control servers, and operational methods suggest Black Basta members may be transitioning to Cactus, especially since Black Basta’s leak site has been largely inactive throughout 2025. Beyond initial access, both ransomware groups abuse legitimate tools like OneDriveStandaloneUpdater.exe to sideload malicious DLLs, granting deeper access into corporate environments. Attackers have also been observed using WinSCP to transfer files and exploiting misconfigured cloud storage for malware distribution. The leaked internal chat logs of Black Basta further confirm links to QakBot developers and reveal discussions on bypassing security solutions. Since late 2024, most attacks have targeted North America and Europe, with manufacturing, financial services, and real estate among the most affected industries.
Given the increasing overlap between Black Basta and Cactus, organizations must harden security measures by restricting remote assistance tools, training employees to recognize social engineering attacks, and securing enterprise communication channels like Microsoft Teams. As ransomware groups evolve, defenders must stay ahead by proactively monitoring these tactics and strengthening defenses against increasingly sophisticated intrusion methods.