Trusted Design

Emissary Trojan/ Operation Lotus Blossom Update

概要

In December 2015, Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload. Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack campaign, which prompted us to start collecting additional samples of Emissary. The oldest sample we found was created in 2009, indicating this tool has been in use for almost seven years. Of note, this is three years earlier than the oldest Elise sample we have found, suggesting this group has been active longer than previously documented. In addition, Emissary appears to only be used against Taiwanese or Hong Kong based targets, all of the decoys are written in Traditional Chinese, and they use themes related to the government or military.

Created: 2026-02-23

Indicators

• URL - http://photograph.myfw.us/lightserver/default.aspx -
• hostname - booking.passinggas.net -
• FileHash-SHA256 - 5171c9a593389011da4d72125e52bf7ef86b2da7fcd6c2a2bc95467afe6a1b58 -
• FileHash-SHA256 - acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9 -
• hostname - eventlog.findhere.org -
• FileHash-SHA256 - b201c89fd7bdfc625bacfd4850feaa81269d9b41ed10ba1f7c0cb1339f4a6abe -
• FileHash-SHA256 - 98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0 -
• FileHash-SHA256 - 70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629 -
• FileHash-SHA256 - 925d2f960d8db0510f3681c038311c0c2df86c5ba03f8cb61e3c8846c31bd6e1 -
• URL - http://123.1.159.153/lightserver/Default.aspx -
• hostname - zooboo.passinggas.net -
• FileHash-SHA256 - 5cda2251059c34f55ac23941b56e248b9a1111e98f62c5a307eadbb9618592dd -
• URL - http://163.20.127.27/0test/test/default.aspx -
• FileHash-SHA256 - 70097adba2743653bc73d0a2909a13f2904dbbcc1ffdb4e9013a8e61866abf5c -
• FileHash-SHA256 - 37f752f89b0384291af23542efc08c01be962c04e3b2c881a8bc1f8771e9179f -
• URL - http://zooboo.PassingGas.net/weboffice/Default.aspx -
• URL - http://103.243.24.179/Default.aspx -
• YARA - 7fdd37ed88229561b0b40e78458ec8bdc9f0ea12 -
• FileHash-SHA256 - fdcd10a2c2bf802ba5b6be55c16c0bf407bcbee902b66466b0f954d2951fad2d -
• hostname - dnt5b.myfw.us -
• URL - http://booking.passinggas.net/lightserver/Default.aspx -
• FileHash-SHA256 - 9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab -
• URL - http://dnt5b.myfw.us/Default.aspx -
• URL - http://grassland.OnTheNetAs.com/lightserver/Default.aspx -
• hostname - appletree.onthenetas.com -
• hostname - grassland.onthenetas.com -
• FileHash-SHA256 - 70bed57bc3484fe5dbcf3c732bd7b11f80a742138f4733bc7e9b6d03e721da4a -
• FileHash-SHA256 - 9bb0288f7b98fac909ed91ec24dad0d5a31e3eec93a1641849d9dab56c23aa59 -
• FileHash-SHA256 - da29b647411153b49cbf4df862e3f36209eafb8ebe8b966429edec4fb15dbce9 -
• FileHash-SHA256 - ddbe42fb03bf9f4b9144396e814f13cd7054dcf238234dcb838fa9643136c03a -
• FileHash-SHA256 - c145bb2e4ce77c79aa01de2aec4a8b5b0b680e23bceda2c230903b5f0e119634 -
• FileHash-SHA256 - e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538 -
• FileHash-SHA256 - dd8ffb9f961299f7cc9cb51e17a5cccf79b7fb583e594b05ef93b54c8cad54f6 -
• FileHash-SHA256 - a7d07b92e48876e2195e5d8769a47cf0a237e11ac304e41b14fc36042b0d9484 -
• hostname - photograph.myfw.us -
• FileHash-SHA256 - e21b47dfa9e250f49a3ab327b7444902e545bed3c4dcfa5e2e990af20593af6d -
• FileHash-SHA256 - e6c4611b1399ada920730686395d6fc1700fc39add3d0d40b4f784ccb6ad0c30 -
• hostname - ustar5.passas.us -
• URL - http://123.1.159.210/lightserver/Default.aspx -
• FileHash-SHA256 - 9dab2d1b16eb0fb4ec2095d4b4e2a3ad67a707ab4f54f9c26539619691f103f3 -
• FileHash-SHA256 - fbcb401cf06326ab4bb53fb9f01f1ca647f16f926811ea66984f1a1b8cf2f7bb -
• FileHash-SHA256 - 0069029ee4029df88f700da335a06e0e3a534a94552fe966186166b526a20b6a -
• URL - http://bluefield.byinter.net/lightserver/Default.aspx -
• URL - http://101.55.121.79/lightserver/Default.aspx -
• FileHash-SHA256 - 0c550fad82f2653bc13d9629357a2a56df82602ee0ce96aa5a31f885e3aa29df -
• FileHash-SHA256 - e67d3cc1684c789c3bd02af7a68b783fd90dc6d2d660b174d533f4c0e07490f9 -
• URL - http://210.209.121.31/lightserver/default.aspx -
• FileHash-SHA256 - 675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc -
• FileHash-SHA256 - 375190cc8e0e75cf771d66347ea2a04b6d1b59bf2f56823eb81270618f133e2d -
• FileHash-SHA256 - 731cd2ce87f4c4375782de0686b5b16619f8fa2de188522cbc8e64f8851bb7ed -
• hostname - www.danangqt.net -
• FileHash-SHA256 - bfceccdd553c7e26006bb044ea6d87e597c7cce08218068e31dc940e9f55b636 -
• URL - http://118.193.221.233:80/default -
• URL - http://203.124.14.229/default.aspx -
• URL - http://www.danangqt.net:80/default -
• hostname - chairman.onthenetas.com -
• FileHash-SHA256 - 42b8898c07374b1fc6a4a33441aadf10e47f226d9d3bf3368a459c0e221dff73 -
• FileHash-SHA256 - 721676d529a0c439594502f1d53fec697adc80fa1301d2bf20c2600d99ceed4e -
• FileHash-SHA256 - c72b07f2a423abc4fc45dfddc5162b8eb1ea97d5b5e66811526433f09b6cdf41 -
• FileHash-SHA256 - 5edf2d0270f8e7eb5be3476802e46c578c4afc4b046411be0806b9acc3bfa099 -
• hostname - bluefield.byinter.net -
• URL - http://appletree.onthenetas.com/Default.aspx -
• FileHash-SHA256 - 8e3b7dc3dca92d7458265e2bcd69caa558cbbf24bbbf1200b9aa924260c42480 -
• FileHash-SHA256 - 26e2f4f9026f19156a73ffbfde438916f24d80b8812b6cebe98167eb9be0863c -
• FileHash-SHA256 - 52b7f93bd4c2d1b1818f2a9506551852e2e7b511c9298e71edb54a39f69f94f2 -
• URL - http://210.209.121.92/weboffice/Default.aspx -
• URL - http://ustar5.PassAs.us/Default.aspx -
• URL - http://eventlog.findhere.org/Default.aspx -
• FileHash-SHA256 - 02831316a3a04c1248605f28fb08d810230dd4411b2a1fc8187508aea6b449c5 -
• FileHash-SHA256 - 46ad72811990c1937d26e1f80ec1b9def8c112817f4bb9f94e3d1e4f0fb86f80 -
• URL - http://dnt5b.myfw.us/default.aspx -
• FileHash-SHA256 - f36b7f63f46ae6afe8882b34c1ec11597c8537a3a7fa8b6521a83308940cc77b -
• FileHash-SHA256 - e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b -
• URL - http://webonline.OnTheNetAs.com/lightserver/default.aspx -
• URL - http://101.55.33.92/default.aspx -
• URL - http://140.131.39.11/icanxp/help/help/default.aspx -
• FileHash-SHA256 - dcbeca8c92d6d18f2faf385e677913dc8abac3fa3303c1f5cfe166180cffbed3 -
• URL - http://210.209.121.92/lightserver/Default.aspx -
• URL - http://groupspace.findhere.org/lightserver/Default.aspx -
• hostname - groupspace.findhere.org -
• FileHash-SHA256 - 29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051 -
• FileHash-SHA256 - b07fbb92484fd2aff6d28f0ab04d5f51e96420b6d670f921b0bbe0e5392da408 -
• URL - http://101.55.33.95:80/default -
• URL - http://203.124.14.214/default.aspx -
• URL - http://ustar5.PassAs.us/default.aspx -
• FileHash-SHA256 - a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8 -
• FileHash-SHA256 - 931a1284b11a3997c7a99076d582ed3436aa30409dc73bd763436dddd490f9cb -
• URL - http://101.55.33.92:80/default -
• hostname - webonline.onthenetas.com -
• URL - http://chairman.OnTheNetAs.com/weboffice/Default.aspx -

類似Pulses

• Attack on French Diplomat Linked to Operation Lotus Blossom (score: 0.69)
• OPERATION LOTUS BLOSSOM (score: 0.68)
• Chinese Actors attacks on US Government and EU Media (score: 0.65)
• New Sofacy Attacks Against US Government Agency (score: 0.56)
• Operation Iron Tiger (score: 0.55)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る