Elise Malware from Operation Lotus Blossom

June 29, 2015  |  Garrett Gross

Devotion to the mystic law of hack and defend...

We keep seeing these Advanced Persistent Threat (APT) type attacks crop up throughout the world. One of the main factors differentiating these attacks from ‘common’ ones is the resources at the attackers’ disposal: time, money, and, most importantly, the expertise required to develop custom pieces of malware to carry out specific, targeted attacks.


Operation Lotus Blossom is no exception and we have already seen over 50 attacks recently linked to this group. While the group has mainly attacked government and military targets up to this point, it’s still too soon to tell if their reach might expand into the private sector (a la Duqu and Stuxnet). Initially, the victim is lured into opening an attachment via a targeted spearphishing email. Once they open the tainted attachment, the custom-created ‘Elise’ malware is executed, opening a backdoor in the user’s system and establishing a connection to a command and control (C&C) server. At this point, the victim’s machine is under the attacker’s control. This allows them to conduct network scanning from the inside, exfiltrate data, or even deploy second-stage malware to carry out additional attacks or infect other machines on the network.

Impact on you

  • Having any type of malware on your network puts you at risk of compromise, especially one designed to steal data
  • Once Elise is installed, it has the ability to infect other machines and continue to deliver additional malware variants as needed
  • This malware is specifically designed to steal data from you, putting you and your clients’ sensitive information at risk

How AlienVault Helps

AlienVault Labs continues to perform cutting-edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can detect activity from Elise. Learn more about this threat intelligence update and others in our forum.

  • System Compromise, Malware infection, Elise

Further Technical Information:

Code42 (Palo Alto) Lotus Blossom report
