Unearthing the DNS Roots of the Latest Lotus Blossom Attack

Cisco Talos recently uncovered multiple Lotus Blossom cyber espionage campaigns targeting government, manufacturing, telecommunications, and media organizations. The group used Sagerunex and other hacking tools after compromising target networks.

The researchers believe Lotus Blossom developed new Sagerunex variants that used a combination of traditional command-and-control (C&C) servers and legitimate third-party cloud services like Dropbox, Twitter, and the Zimbra open-source webmail as C&C tunnels.

Cisco Talos identified several indicators of compromise (IoCs), including 10 domains and 28 IP addresses, which WhoisXML API expanded through a DNS deep dive. Our analysis led to the discovery of:

  • 90 email-connected domains
  • Four additional IP addresses, two of which turned out to be malicious
  • 106 IP-connected domains, two of which have already been weaponized for attacks
  • 12 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More on the Lotus Blossom Attack IoCs

Before we dive into our IoC list expansion, we sought to find more information about the IoCs.

We began by querying the 10 domains identified as IoCs on Bulk WHOIS API and Domain Age Checker and found that all of them had current WHOIS records.

  • They were created between 2022 and 2025. Specifically, one was created in 2022 and nine in 2025.
  • They were split among three registrars led by Netowl, which administered eight domains. GMO Internet Group and Wild West Domains accounted for one domain each.
  • They were registered in two countries topped by Japan, which accounted for nine domains. One domain was registered in the U.S.

We also queried the 10 domains identified as IoCs on DNS Chronicle API and found that nine had 127 historical domain-to-IP resolutions. The domain doyourbestyet[.]com had five resolutions since 4 October 2019—the oldest resolution date among the IoCs. Interestingly, though, based on its current WHOIS record, it was created on 28 February 2025, which could mean it was recently reregistered. Take a look at detailed results for three other domains below.

DOMAIN IoC            NUMBER OF RESOLUTIONS   FIRST RESOLUTION DATE
acdserv[.]com         86                      18 February 2020
davoport[.]org        4                       28 February 2025
sensor-data[.]online  1                       8 March 2025

Next, we queried the 28 IP addresses identified as IoCs on Bulk IP Geolocation Lookup and found that:

  • They were geolocated in five countries led by China, which accounted for 22 IP addresses. Two IP addresses each originated from Germany and Singapore. Finally, one IP address each was geolocated in Thailand and the U.S.
  • Only 21 of them had ISPs on record. Hong Kong Broadband and Hong Kong Enterprise Solutions topped the list of ISPs with three IP addresses each. Cloudie, Dimension Network, Huawei Cloud, The Constant Company, and Zenlayer administered two IP addresses each. One IP address each was administered by DXTL, EDGENAP, KLAYER, Lucidacloud, and XNNET. Finally, seven IP addresses did not have ISP information.

We also queried the 28 IP addresses identified as IoCs on DNS Chronicle API and found that 16 had 778 historical IP-to-domain resolutions over time. The IP address 160[.]124[.]251[.]105 had 223 resolutions starting on 10 October 2019—the oldest resolution date among the IoCs. Take a look at detailed results for five other IP addresses below.

IP ADDRESS IoC          NUMBER OF DOMAIN RESOLUTIONS   FIRST RESOLUTION DATE
103[.]213[.]245[.]95    2                              14 June 2024
103[.]74[.]192[.]105    16                             26 November 2019
122[.]10[.]91[.]36      36                             22 April 2020
43[.]252[.]161[.]221    62                             17 August 2022
45[.]32[.]127[.]212     25                             17 September 2021

On to the IoC List Expansion

To kick off our expansion analysis, we queried the 10 domains identified as IoCs on WHOIS History API and found that they all had email addresses in their historical WHOIS records. We uncovered 14 email addresses in all. Further scrutiny revealed that six were public email addresses.

We queried the six public email addresses on Reverse WHOIS API and found that while none of them appeared in the current WHOIS records of other domains, all of them appeared in the historical WHOIS records of several. However, one of the addresses could belong to a domainer. In sum, five public email addresses appeared in the current records of 90 domains after duplicates and those already identified as IoCs were filtered out.

Next, we queried the 10 domains identified as IoCs on DNS Lookup API and found that they resolved to four IP addresses after duplicates and those already tagged as IoCs were filtered out.

A Threat Intelligence API query for the four additional IP addresses showed that two have already been tagged as malicious. An example would be 160[.]16[.]200[.]77, which was associated with generic threats and malware distribution.
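The expansion steps above (historical WHOIS to contact emails, public emails to reverse-WHOIS hits, seed domains to additional IPs, additional IPs to threat-intel verdicts) can be reproduced as a small pivot routine over whatever passive-DNS and WHOIS data a defender already holds. The script below is an added example and is not WhoisXML API's code; every record in it is constructed for illustration (none of the domains, addresses or emails are real IoCs), it makes no API calls, and the "public provider" list and the domainer threshold are assumptions that a real analyst would tune to their own data.

```python
"""IoC expansion pivots over constructed, inline data.

Added example; not WhoisXML API's code. All records below are invented
for illustration and none of them are real indicators.
"""


def refang(indicator: str) -> str:
    """Turn the post's defanged notation (a[.]b) back into a usable name."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang a name or IP for safe inclusion in a report."""
    return indicator.replace(".", "[.]")


# --- constructed inputs (seed IoCs and lookup tables) ---------------------
SEED_DOMAINS = {"acdserv.example", "davoport.example", "sensor-data.example"}
SEED_IPS = {"198.51.100.11"}

# domain -> contact emails seen in its historical WHOIS records (constructed)
WHOIS_HISTORY = {
    "acdserv.example": ["ops@mail.example", "abuse@registrar.example"],
    "davoport.example": ["ops@mail.example", "bulk@mail.example"],
    "sensor-data.example": ["privacy@registrar.example"],
}

# Assumption: mailboxes at these providers count as "public" addresses; the
# rest are treated as registrar or privacy-proxy contacts and not pivoted on.
PUBLIC_PROVIDERS = {"mail.example"}

# email -> domains whose WHOIS records carry that address (constructed)
REVERSE_WHOIS = {
    "ops@mail.example": ["acdserv.example", "davoport.example",
                         "cdn-update.example", "login-portal.example"],
    # one address tied to hundreds of parked names: a domainer profile
    "bulk@mail.example": [f"parked{i}.example" for i in range(1, 601)],
}

# domain -> current A records (constructed)
DNS_A = {
    "acdserv.example": ["198.51.100.10", "198.51.100.11"],
    "davoport.example": ["198.51.100.10"],
    "sensor-data.example": ["203.0.113.7"],
    "cdn-update.example": ["198.51.100.10"],
    "telemetry-sync.example": ["203.0.113.7"],
    "unrelated.example": ["192.0.2.44"],
}

# IPs a threat-intelligence feed already flags (constructed)
MALICIOUS_IPS = {"203.0.113.7"}

# Assumption: an address linked to this many domains is probably a domainer
# and would drown the result set in unrelated registrations.
DOMAINER_THRESHOLD = 500


def public_emails(seeds, whois_history, providers):
    """Step 1: collect public contact emails from the seeds' WHOIS history."""
    found = set()
    for domain in seeds:
        for email in whois_history.get(domain, []):
            if email.rsplit("@", 1)[-1] in providers:
                found.add(email)
    return found


def email_connected_domains(emails, reverse_whois, seeds, threshold):
    """Step 2: reverse-WHOIS pivot, skipping domainer-like addresses and seeds."""
    connected = set()
    for email in sorted(emails):
        hits = reverse_whois.get(email, [])
        if len(hits) >= threshold:
            continue  # likely a domainer; the hits are not attributable to the actor
        connected.update(h for h in hits if h not in seeds)
    return connected


def additional_ips(seeds, dns_a, seed_ips):
    """Step 3: resolve the seeds and drop IPs already on the IoC list."""
    ips = set()
    for domain in seeds:
        ips.update(dns_a.get(domain, []))
    return ips - seed_ips


def ip_connected_domains(ips, dns_a, seeds):
    """Step 4: other domains sharing the additional IPs (reverse IP pivot)."""
    return {d for d, addrs in dns_a.items()
            if d not in seeds and ips.intersection(addrs)}


def expand(seeds, seed_ips):
    """Run the whole pivot chain and return sorted, deduplicated results."""
    emails = public_emails(seeds, WHOIS_HISTORY, PUBLIC_PROVIDERS)
    ips = additional_ips(seeds, DNS_A, seed_ips)
    return {
        "public_emails": sorted(emails),
        "email_connected_domains": sorted(
            email_connected_domains(emails, REVERSE_WHOIS, seeds, DOMAINER_THRESHOLD)),
        "additional_ips": sorted(ips),
        "malicious_additional_ips": sorted(ips & MALICIOUS_IPS),
        "ip_connected_domains": sorted(ip_connected_domains(ips, DNS_A, seeds)),
    }


if __name__ == "__main__":
    for key, values in expand(SEED_DOMAINS, SEED_IPS).items():
        shown = [defang(v) if "@" not in v else v for v in values]
        print(f"{key}: {shown}")
```

The domainer filter matters in practice: without it, `bulk@mail.example` alone would contribute 600 "connected" domains that say nothing about the campaign, which is the same reason the post sets aside the address that appeared to belong to a domainer before reporting its 90 email-connected domains.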

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
