Tracking The Spring Dragon Advanced Persistent Threat


In her role as a Senior Security Researcher in the Kaspersky Global Research & Analysis Team (GReAT), Noushin Shabab is responsible for the investigations of targeted cyberattacks with a primary focus on Australia and New Zealand. At the Kaspersky Lab Palaeontology of Cybersecurity conference, she recounted how her team tracked the Spring Dragon APT (Advanced Persistent Threat) attacks across the South China Sea region.

Don’t forget to check out the other Kaspersky Palaeontology of Cybersecurity presentations!


The Spring Dragon Advanced Persistent Threat

In early 2017, Kaspersky Lab researchers noted increased activity by an APT called Spring Dragon (also known as Lotus Blossom). The attacks involved new and evolved tools and techniques and targeted countries around the South China Sea. Kaspersky Lab’s experts have published their analysis of the attackers’ toolset over time in order to help organizations better understand the nature of the threat and protect themselves.

Spring Dragon is a long-running threat actor that has been targeting high profile political, governmental and educations organisations in Asia since 2012. Kaspersky Lab has been tracking the APT for the last few years.

According to Kaspersky Lab telemetry, Taiwan had the largest number of attacks followed by Indonesia, Vietnam, the Philippines, Macau, Malaysia, Hong Kong and Thailand. To help organizations better understand and protect against the threat, Kaspersky Lab’s researchers have undertaken a detailed review of 600 Spring Dragon malware samples.

Kaspersky Lab’s overview of Spring Dragon’s tools shows that:

  • The attackers’ toolset includes a unique customised set of links to command and control servers for each malware: the malware samples contained more than 200 unique IP addresses overall.
  • This toolset was accompanied by customised installation data for each attack to make detection difficult.
  • The arsenal includes various backdoor modules with different characteristics and functionalities – although they all have the capability to download additional files to the victim’s machine, upload files to its servers and execute any executable file or command on the victim’s machine. This allows the attackers to undertake a number of malicious activities on the victim’s machine – particularly cyberespionage.
  • The malware compilation timestamps suggest a time zone of GMT +8 – although the experts warn that does not represent a reliable indicator of attribution.

Noushin Shabab concludes, “We believe that Spring Dragon is going to continue resurfacing regularly in the Asian region and it’s important to be familiar with its tools and techniques. We encourage individuals and businesses to have good Yara rules and other detection mechanisms in place and strongly recommended they use – and regularly audit – a multi layered approach to security.” 


How Do You Protect Against Spring Dragon & Other APTs?

[adrotate group=”2″]

In order to protect your personal or business data from cyberattacks, Kaspersky Lab advise the following:

  • Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints.
  • Educate and train your personnel on social engineering as this method is often used to make a victim open a malicious document or click on an infected link.
  • Conduct regular security assessments of the organisations IT infrastructure.
  • Use Kaspersky’s Threat Intelligence that tracks cyberattacks, incident or threats and provides customers with up-to-date relevant information that they are unaware of. Find out more at

Next Page > The Spring Dragon (Lotus Blossom) APT Presentation Slides


Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Leave a ReplyCancel reply