Movatterモバイル変換

Home
Software
Hannotog

Hannotog

Hannotog is a type of backdoor malware uniquely assoicated withLotus Blossom operations since at least 2022.^[1]

ID: S1211

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 16 March 2025

Last Modified: 04 April 2025

Version Permalink

Enterprise Layer

Techniques Used

Domain	ID		Name	Use
Enterprise	T1020		Automated Exfiltration	Hannotog can upload encyrpted data for exfiltration.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter:Windows Command Shell	Hannotog can execute various`cmd.exe /c %s` commands.^[1]
Enterprise	T1543	.003	Create or Modify System Process:Windows Service	Hannotog creates a new service for persistence.^[1]
Enterprise	T1562	.004	Impair Defenses:Disable or Modify System Firewall	Hannotog can modify local firewall settings via`netsh` commands to open a listening UDP port.^[1]
Enterprise	T1105		Ingress Tool Transfer	Hannotog can download additional files to the victim machine.^[1]
Enterprise	T1571		Non-Standard Port	Hannotog uses non-standard listening ports, such as UDP 5900, for command and control purposes.^[1]
Enterprise	T1489		Service Stop	Hannotog can stop Windows services.^[1]

Groups That Use This Software

ID	Name	References
G0030	Lotus Blossom	Hannotog is a backdoor associated withLotus Blossom operations.^[1]

References

Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.

×

[8]ページ先頭

©2009-2026 Movatter.jp