Billbug Attack Detection: China-Linked Espionage Actors Target Southeast Asian Organizations

April 22, 2025 · 4 min read

ESET’s Q2-Q3 2024 APT Activity Report highlights China-affiliated groups as the leaders of global APT operations, with campaigns aimed at intelligence gathering among the most common and persistent threats. The China-linked espionage group known as Billbug has been observed breaching multiple organizations in Southeast Asia across several industry verticals between August 2024 and February 2025, using novel custom tools such as loaders, infostealing malware, and a reverse-SSH utility.

Detect Billbug Attacks by China-Linked Threat Actors

With global tensions continuing to rise, state-sponsored threat actors are becoming more active and sophisticated in their methods. Cyber espionage has taken center stage, with attacks growing more targeted and difficult to detect. A recent example is a campaign by the China-linked Billbug group, which has been focusing on organizations across Asia.

To stay ahead of emerging threats and potential Billbug attacks against your organization, the SOC Prime Platform offers a set of Sigma rules addressing the attackers’ TTPs. The dedicated rule set is available via the Explore Detections link.


The rules are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to MITRE ATT&CK® to streamline threat investigation. Detections are also enriched with extensive metadata, including CTI links, attack timelines, triage recommendations, and more.

Security professionals seeking more detection content addressing TTPs used by nation-backed actors can browse the Threat Detection Marketplace using the “APT” tag to explore a broader collection of detection algorithms and real-time threat intel, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection.

Billbug Attack Analysis

The China-backed group, tracked as Billbug (aka Lotus Blossom, Lotus Panda, Bronze Elgin, Spring Dragon, or Thrip), has conducted a series of cyber-espionage attacks against Southeast Asian organizations, infiltrating a government ministry, an air traffic control agency, a telecom provider, and a construction firm. Adversaries also breached a news agency in one Southeast Asian country and an air‑cargo operator in a neighboring country, using a suite of custom tools, including loaders, credential stealers, and a reverse‑SSH utility.

Billbug has been active in the cyber threat arena since at least 2009. In earlier campaigns, Billbug was observed using PsExec to deploy Infostealer.Catchamas, which led to the discovery of further intrusions in the U.S. and Southeast Asia across the defense, geospatial, and telecom sectors. Since 2019, Billbug has used custom backdoors such as Hannotog and Sagerunex alongside evolving persistence shells to target military, media, and education entities across Asia. Its operations have successfully hit state bodies, manufacturing, telecom, and media targets across the Philippines, Vietnam, Hong Kong, and Taiwan. In 2022, the group notably breached a certificate authority, raising concerns over potential abuse of digital certificates for stealthy attacks.

In some of the group’s intrusions, attackers abused legitimate Trend Micro and Bitdefender executables to sideload malicious DLLs. Variants of log.dll and another module, sqlresourceloader.dll, were also seen sideloaded. The latest research by Symantec reveals that during the attacks against Southeast Asia, the group employed ChromeKatz and CredentialKatz to harvest Chrome credentials and cookies, along with a custom reverse-SSH listener on port 22. In addition, adversaries used the publicly available Zrok peer-to-peer tunneling tool to expose internal services, and datechanger.exe to falsify file timestamps and hinder forensic analysis.
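As an added illustration (not code from the original post, Symantec, or SOC Prime), the following Python triage script applies the indicators above to constructed Sysmon-style JSON events: the watched DLL names log.dll and sqlresourceloader.dll loaded from outside trusted install roots, execution of datechanger.exe or zrok, and an inbound connection on TCP/22 accepted by a process other than sshd.exe. The trusted roots, process names, file paths and sample events are all assumptions made for the example.

```python
import json
from typing import Dict, List

# Indicator names come from the Symantec findings summarised above; every
# path, process name and sample event below is constructed for this example.
SIDELOAD_DLLS = {"log.dll", "sqlresourceloader.dll"}
SUSPECT_TOOLS = {"zrok.exe", "datechanger.exe"}
# Assumption: roots under which a vendor's own DLLs are expected to live.
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXPECTED_SSH_SERVERS = {"sshd.exe"}  # assumption: the host's sanctioned SSH daemon

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: Dict) -> List[str]:
    """Return triage findings for one Sysmon-style event (EventID 1, 3 or 7)."""
    hits: List[str] = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 7:  # image load: a watched DLL outside trusted roots
        dll = ev.get("ImageLoaded", "").lower()
        if basename(dll) in SIDELOAD_DLLS and not dll.startswith(TRUSTED_DLL_ROOTS):
            hits.append(f"sideload: {basename(image)} loaded {dll}")
    elif ev.get("EventID") == 1:  # process creation: tunnelling / timestomping tools
        if basename(image) in SUSPECT_TOOLS:
            hits.append(f"tool: {basename(image)} {ev.get('CommandLine', '')}".strip())
    elif ev.get("EventID") == 3:  # network: inbound TCP/22 accepted by a non-sshd process
        inbound = ev.get("Initiated") is False  # Sysmon: local process did not initiate
        if inbound and ev.get("DestinationPort") == 22 and basename(image) not in EXPECTED_SSH_SERVERS:
            hits.append(f"reverse-ssh: {basename(image)} accepted {ev.get('SourceIp')}:22")
    return hits

def scan(jsonl: str) -> List[str]:
    """Run check_event over newline-delimited JSON events and collect findings."""
    findings: List[str] = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line)))
    return findings

# Constructed sample telemetry: one true positive per rule plus two benign controls.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\Public\\av\\scanner.exe", "ImageLoaded": "C:\\Users\\Public\\av\\log.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\scanner.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\log.dll"}
{"EventID": 1, "Image": "C:\\Users\\Public\\datechanger.exe", "CommandLine": "datechanger.exe C:\\Users\\Public\\av"}
{"EventID": 3, "Image": "C:\\Users\\Public\\svc.exe", "Initiated": false, "SourceIp": "10.0.0.9", "DestinationPort": 22}
{"EventID": 3, "Image": "C:\\Windows\\System32\\OpenSSH\\sshd.exe", "Initiated": false, "SourceIp": "10.0.0.9", "DestinationPort": 22}
"""

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

In production the image-load rule should also key on the signer and path of the hosting executable, since a vendor DLL name alone is a weak indicator; here it keys only on DLL name and load location.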

A surge in cyber-espionage activity linked to China-backed actors continues to raise concerns across the global cybersecurity landscape. The Billbug APT group, active since at least 2009, has intensified operations targeting critical sectors across Southeast Asia, including government, telecom, aviation, and media. Leveraging custom tools, credential stealers, reverse-SSH listeners, and sideloaded malware, the group demonstrates a consistent focus on stealth and persistence. This underscores the urgent need for organizations to reinforce their defenses and stay ahead of evolving APT tactics. Organizations can rely on SOC Prime’s complete product suite, backed by AI and fusing cutting-edge technologies, to risk-optimize the organization’s cybersecurity posture.

