Naikon

Naikon (also tracked as APT30, Lotus Blossom) is a China-linked cyber espionage group active since at least 2010. The group is known for long-running espionage campaigns against Southeast Asian governments, military organizations, and critical industries. Naikon specializes in spear-phishing, backdoors, and long-term infiltration of regional networks.

The group has been tied to custom malware families such as Aria-body, XSControl, Nebulae, RainyDay, and PlugX variants, and it has exploited geopolitical events like South China Sea disputes and regional military exercises. Naikon’s activity reflects Chinese strategic priorities, especially in monitoring ASEAN governments, military affairs, and foreign policy positions.

OceanLotus

Aliases: Naikon, APT30, Lotus Blossom, Override Panda (sometimes linked)

Origin: China

Years Active: ~2010 – Present

Motivation: State-sponsored espionage supporting PRC regional strategy

Primary Targets: Southeast Asian governments, military organizations, ministries of foreign affairs, NGOs, defense contractors

Tactics, Techniques, and Procedures (TTPs)

Initial Access: Spear-phishing with geopolitical lure documents (Word, RTF, Excel), malicious archives, decoy PDFs

Malware Families: Aria-body backdoor, XSControl, Nebulae loader, RainyDay backdoor, PlugX variants, ReVBShell

Persistence & Evasion: DLL side-loading, decoy documents, custom RATs, living-off-the-land techniques

Post-Exploitation: Credential dumping, registry manipulation, command-line reconnaissance, staging via RAR archives

C2: HTTP(S), dynamic DNS, compromised regional servers

Notable Campaigns & Operations

2010–2015: Long-running espionage against ASEAN governments and militaries; first attributed publicly by Kaspersky and ThreatConnect

2015–2016: Lotus Blossom campaign targeting the Philippines, Vietnam, Malaysia, and military/naval organizations

2017–2019: Quieter period; continued low-profile espionage

2020 – Aria-body backdoor: ESET exposed Naikon returning with a new toolkit, targeting Asia-Pacific governments

2021–2022: PlugX + Nebulae loader campaigns across Myanmar, Cambodia, and the Philippines

2023–2024: Regional espionage continues; RainyDay backdoor deployed against ministries of foreign affairs in Southeast Asia

Infrastructure & IOCs

(Currently compiling)

Regional & Geopolitical Context

Operations aligned with China’s foreign policy interests:

South China Sea disputes (Philippines, Vietnam, Malaysia)

Monitoring of ASEAN political and military affairs

Targeting Myanmar, Cambodia, Laos to track Belt & Road projects and defense relationships

Reflects PLA/MSS-linked priorities in the Asia-Pacific

Threat Assessment

Sophistication: Moderate–High (custom malware ecosystem, patient intrusions, multi-year campaigns)

Current Activity: Still active in 2025 with new malware variants (RainyDay, Nebulae, XSControl)

Risk Profile: Regional governments, foreign ministries, militaries, and strategic industries in Southeast Asia

References

Kaspersky (2015): Naikon report, one of the first full public exposures

ThreatConnect (2015): “Lotus Blossom” campaign analysis

FireEye / Mandiant: APT30 and Naikon overlaps

ESET (2020): “Naikon Returns with Aria-body backdoor”

Check Point: XSControl and Nebulae malware analysis

Recorded Future Insikt Group: Naikon geopolitics and South China Sea context

Palo Alto Unit 42: PlugX and Naikon-linked clusters

Campaign Timeline

2010–2014

Targets: Southeast Asian government ministries, militaries, foreign affairs departments

Method: Spear-phishing with geopolitical lure documents → custom RATs

Impact: Long-term infiltration of ASEAN government networks

2015–2016
Lotus Blossom Campaign

Targets: Philippines, Vietnam, Malaysia, Indonesia military/naval entities

Method: Custom backdoors (Lotus Blossom malware, PlugX)

Impact: Regional surveillance of maritime disputes and military exercises

2016

Targets: Journalists, NGOs, human rights groups in Vietnam and abroad

Method: Phishing campaigns with KerrDown loader

Impact: Monitoring and suppression of political dissent

APT30 Overlap

Targets: Political organizations and media in the Asia-Pacific

Method: Shared toolkits with Naikon (Aria-body precursors)

Impact: Attribution overlaps between Naikon and APT30 clusters

2017–2019

Targets: Cambodia, Myanmar ministries

Method: Phishing with custom loaders + PlugX

Impact: Maintained espionage capability, but less noisy

2020
Aria-body Backdoor Campaign

Targets: Asia-Pacific ministries, embassies

Method: Aria-body + ReVBShell

Impact: Proved Naikon’s re-emergence after years of low activity

2021–2022
Nebulae + PlugX Campaigns

Targets: Myanmar, Cambodia, Philippines governments

Method: Nebulae loader, DLL side-loading, PlugX RAT

Impact: Espionage during political instability in Myanmar and South China Sea disputes

2023–2024
RainyDay Backdoor Ops

Targets: Foreign ministries across Southeast Asia (Cambodia, Philippines, Laos)

Method: RainyDay + XSControl malware family

Impact: Intelligence collection on foreign policy stances regarding China