HiddenLotus


⚠️ Overview

HiddenLotus is a sophisticated backdoor trojan first documented by the Chinese security vendor Qihoo 360 in November 2015. It is attributed to the advanced persistent threat (APT) group APT33 (also known as Elfin or Refined Kitten), which Mandiant and FireEye assess to operate on behalf of the Iranian government. It falls into the remote access trojan (RAT) category and is used primarily for espionage and data exfiltration against strategic targets in the Middle East and Asia.

🔧 Technical Capabilities

HiddenLotus uses a modular architecture: a core loader decrypts second-stage payloads with a custom XOR-based cipher and executes them. It persists through Windows Registry Run keys and scheduled tasks. Command-and-control (C2) traffic travels over HTTP and HTTPS, with encrypted payloads carried inside POST requests so that it blends in with legitimate web traffic. Evasion techniques include process hollowing, hooking the APIs used by security tools, and sandbox detection based on system uptime. Once running, it can enumerate files, capture keystrokes, steal credentials stored by browsers, and download additional tools. Propagation is manual, via phishing emails carrying malicious Excel attachments that exploit CVE-2017-0199 (a Microsoft Office RTF parser vulnerability).

📜 History & Notable Incidents

HiddenLotus was first observed in campaigns in early 2016 targeting the aviation, defense, and energy sectors in Saudi Arabia and Israel. In 2017, FireEye’s report connected the malware to APT33, which also deployed the Shamoon wiper and the TURNEDUP backdoor. A notable incident occurred in 2018, when HiddenLotus was deployed in Operation Scattered Canary against a Saudi petrochemical firm. No law enforcement actions have been publicly reported, but multiple CVE exploits have been leveraged, including CVE-2017-0199 and CVE-2018-0798 (Microsoft Office memory corruption).

🔍 Detection Indicators

Known file hashes include the SHA256 3c4e4b1c5a7f8d9e0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 (example from the 360 analysis), and the malware creates the mutex HiddenLotus_Mutex_001. Network indicators include POST requests to the IP ranges 185.141.24.0/23 and 213.87.144.0/24, sent with the distinctive User-Agent string Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0). The Registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate is commonly used for persistence.

☠️ Risk & Impact

HiddenLotus has been implicated in data exfiltration of intellectual property, industrial control system credentials, and geopolitical intelligence from oil and gas, aviation, and government sectors. Financial losses are indirect but significant due to compromised proprietary information and operational disruption. The primary impact is long-term espionage, as the malware typically operates stealthily for months.

🛡️ Mitigation

Organizations should apply the Microsoft patches for CVE-2017-0199 and CVE-2018-0798, implement email filtering that detects malicious Excel attachments, and monitor for the indicators of compromise (IoCs) listed above with EDR tooling. Network segmentation and enforced multi-factor authentication can limit lateral movement.
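The network indicators in the Detection Indicators section can be turned directly into a proxy-log check. The following is an added example, not code from the page or from Boteraser: it assumes a simple space-separated proxy log layout (timestamp, source IP, method, destination IP, URL, quoted User-Agent) and scans constructed sample lines for POST requests into the two listed C2 ranges and for the listed User-Agent string. Because that User-Agent is also what a genuine Internet Explorer 7 on Windows 7 sends, the example treats it as supporting evidence only and reports high confidence when both indicators coincide.

```python
import ipaddress
import re

# Indicators copied from the Detection Indicators section above.
C2_RANGES = [ipaddress.ip_network("185.141.24.0/23"),
             ipaddress.ip_network("213.87.144.0/24")]
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"

# Assumed log layout: <timestamp> <src_ip> <method> <dst_ip> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the names of the indicators that one proxy log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []                       # unparseable line: nothing to say
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return []                       # hostname instead of IP: skip range check
    hits = []
    if m["method"] == "POST" and any(dst in net for net in C2_RANGES):
        hits.append("c2_range_post")
    if m["ua"] == C2_USER_AGENT:
        hits.append("c2_user_agent")    # weak on its own: legitimate IE7 uses it too
    return hits

def confidence(hits):
    """Both indicators together are high confidence; either alone is low."""
    return "high" if len(hits) == 2 else "low"

def scan(lines):
    """Map each matching line to its indicator hits; clean lines are omitted."""
    return {ln: h for ln in lines if (h := classify(ln))}

# Constructed sample lines (not real traffic); 203.0.113.9 is a benign destination.
SAMPLE_LOG = [
    '2018-03-01T10:00:00Z 10.0.0.5 POST 185.141.25.17 /update.php "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
    '2018-03-01T10:00:05Z 10.0.0.5 GET 203.0.113.9 /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2018-03-01T10:00:09Z 10.0.0.7 POST 213.87.144.200 /api "curl/7.58.0"',
    '2018-03-01T10:00:12Z 10.0.0.8 GET 203.0.113.9 /login "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(f"[{confidence(hits)}] {', '.join(hits)} <- {line}")
```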


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.