Cisco Talos discovered multiple cyber espionage campaigns attributed to the Lotus Blossom group, which has been active since 2012. The group uses the Sagerunex backdoor, which has been evolving since 2016, and its new variants use cloud services such as Dropbox and Twitter for command and control (C2). Lotus Blossom achieves persistence through registry installations and command-line execution, maintaining long-term access to compromised systems.