China-linked Billbug hackers breached multiple entities in Southeast Asian country

A long-running cyber espionage operation linked to China breached multiple prominent government and business organizations in a single Southeast Asian country during a campaign from August 2024 to February 2025. 

Researchers at Symantec attributed the attacks to Billbug — a Chinese advanced persistent threat group (APT) active since at least 2009.

The group — also known as Lotus Panda, Lotus Blossom and Bronze Elgin — targeted a government ministry, an air traffic control organization, a telecoms operator, and a construction company in the unnamed Southeast Asian country. 

“The activity appears to be a continuation of a campaign first documented by Symantec in December 2024, where multiple high-profile organizations in Southeast Asian countries were targeted,” Symantec said.

The researchers said it was clear Chinese actors were behind the attack, but they were initially unable to attribute it directly to Billbug. A recent report from cybersecurity firm Cisco Talos, however, contained evidence that Symantec then used to determine that Billbug was behind the incidents.

According to Symantec, the attacks involved multiple custom-made tools including credential stealers, backdoors and more. Multiple legitimate tools were deployed during the attacks, including one that was capable of changing the timestamps on files in an effort to confuse incident responders. 

Billbug was initially spotlighted by researchers from Palo Alto Networks in 2015, who tracked more than 50 attacks over a three-year stretch. 

Symantec has published multiple reports on the group’s activity and has gained a window into campaigns targeting organizations in Hong Kong, Macau, Indonesia, Malaysia, the Philippines and Vietnam. 

In one of its most significant attacks, Billbug actors targeted the digital certificate authority in an Asian country — allowing them to legitimize malware that could then evade detection. 

Billbug has been one of several Chinese groups primarily targeting Southeast Asian governments, militaries and businesses as Beijing has sought to bolster its claims over Taiwan and islands in the South China Sea.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.