Billbug Espionage Group Deploys New Tools in Southeast Asia

A wide-ranging cyber-espionage campaign targeting multiple critical sectors in Southeast Asia has been attributed to the China-linked group Billbug.
According to Symantec, the attacks, which spanned from August 2024 to February 2025, impacted a government ministry, an air traffic control authority, a telecoms operator and a construction company, all located in a single Southeast Asian country.
Additional intrusions were recorded against a news agency in one neighboring nation and an air freight company in another.
What sets this campaign apart is the set of previously unseen tools deployed by Billbug – also known as Lotus Blossom or Bronze Elgin – including browser credential stealers, custom loaders and a reverse SSH tool that listens for inbound connections.
The activity appears to be a continuation of a campaign first described by Symantec in late 2024. While initial attribution to a specific actor was unclear, a recent blog from Cisco Talos linked indicators of compromise to Billbug operations, strengthening the case for its involvement.
Malware Hidden in Plain Sight
Billbug’s techniques included DLL sideloading, in which a legitimate, signed executable from a vendor such as Trend Micro or Bitdefender is run so that it loads a malicious DLL placed alongside it. The vendor binary is not exploited; it simply trusts the DLL it finds first in its search order, and its valid signature lends the malicious code cover.
In one instance, a Trend Micro binary sideloaded a DLL that read, decrypted and executed a payload stored in a file named TmDebug.log, a name chosen to blend in with vendor log files.
In another, a Bitdefender executable sideloaded a DLL that injected its payload into the Windows systray.exe process.
Credential Theft and Network Persistence
Two new tools – ChromeKatz and CredentialKatz – were used in this campaign to extract saved logins and cookies from Google Chrome. They were complemented by a custom reverse SSH utility that opened a listening service on port 22. A Windows endpoint that starts accepting inbound connections on port 22 without an installed SSH server is itself a useful detection opportunity.
Billbug also deployed:
- A new variant of the Sagerunex backdoor with enhanced persistence via registry modifications
- Zrok, an open-source peer-to-peer sharing tool, to provide remote access to compromised hosts
- Datechanger.exe, a timestamp manipulation tool likely used to frustrate forensic timeline analysis
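The reverse SSH listener described above gives defenders a simple host-level check: enumerate TCP listeners on port 22 and flag any whose owning process is not a known SSH server image. The following is an added example written for this page, not Symantec's or the attackers' code; the netstat output and the PID-to-image map are constructed, and the allowlist of legitimate SSH server paths is an assumption to tune per environment.

```python
"""Triage a Windows host for SSH listeners owned by unexpected processes.

Added example for this page (not Symantec's or the attackers' code). The
netstat output and process map are constructed; the allowlist is an
assumption reflecting common Windows OpenSSH install paths.
"""
from collections import defaultdict

# Images allowed to listen on SSH ports (assumption; tune per environment).
APPROVED_SSH_IMAGES = {
    r"c:\windows\system32\openssh\sshd.exe",
    r"c:\program files\openssh\sshd.exe",
}
WATCHED_PORTS = {22}


def parse_netstat(text):
    """Return (proto, local_addr, port, pid) for each TCP socket in LISTENING state.

    Parses the layout of `netstat -ano` on Windows; UDP rows and header lines
    are skipped because they do not have five whitespace-separated fields.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, port = parts[1].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
        listeners.append((parts[0], addr, int(port), int(parts[4])))
    return listeners


def unexpected_ssh_listeners(netstat_text, pid_to_image,
                             ports=WATCHED_PORTS, approved=APPROVED_SSH_IMAGES):
    """Group watched-port listeners by owning process, dropping approved images."""
    by_owner = defaultdict(list)
    for _proto, addr, port, pid in parse_netstat(netstat_text):
        if port not in ports:
            continue
        image = pid_to_image.get(pid, "<unknown>")
        if image.lower() in approved:
            continue
        by_owner[(pid, port, image)].append(addr)
    return [{"pid": pid, "port": port, "image": image, "addresses": addrs}
            for (pid, port, image), addrs in by_owner.items()]


# Constructed `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:22           0.0.0.0:0              LISTENING       1100
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2204
  TCP    [::]:22                [::]:0                 LISTENING       4312
  UDP    0.0.0.0:5353           *:*                                    1520
"""

# Constructed PID-to-image map (as you would build from `tasklist` or an EDR).
PROCESS_SAMPLE = {
    4312: r"C:\Users\Public\Libraries\sshsvc.exe",      # hypothetical, not an IOC
    948: r"C:\Windows\System32\svchost.exe",
    1100: r"C:\Windows\System32\OpenSSH\sshd.exe",
}

if __name__ == "__main__":
    for f in unexpected_ssh_listeners(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f"pid {f['pid']} ({f['image']}) listening on port {f['port']} at {f['addresses']}")
```

On the constructed sample the approved sshd on 127.0.0.1 is ignored and the one finding is PID 4312, which binds port 22 on both IPv4 and IPv6 from a user-writable path. In practice the PID map should come from the same snapshot as the netstat output, since PIDs are reused, and the check is most useful on workstations and servers where no SSH daemon is expected at all.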
Long-Term Espionage Focus
Active since at least 2009, Billbug has a documented history of targeting government, defense and telecom sectors across Southeast Asia.
Its campaigns have involved spear-phishing, digital certificate abuse and the deployment of novel malware families such as Trensil and Infostealer.Catchamas.
In recent years, the group has shown increasing sophistication and persistence, often using legitimate software to camouflage its intrusions and evade detection.