{
	"id": "adfc81d1-f34a-4d3a-ac28-5c806ed2597b",
	"created_at": "2026-04-06T00:09:53.333498Z",
	"updated_at": "2026-04-10T03:36:22.064885Z",
	"deleted_at": null,
	"sha1_hash": "0249a2a0094532a953b3cf069e4098b9bd06dc8d",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1322342,
	"plain_text": "QiAnXin Threat Intelligence Center\nArchived: 2026-04-05 23:01:53 UTC\nOceanLotus, an APT group said to have a Vietnamese background, was first exposed and named by SkyEye Labs (the predecessor of the RedDrip team of QiAnXin Threat Intelligence Center) in May 2015. Its attack activities can be traced back to April 2012, with initial targets including Chinese maritime institutions, maritime construction, scientific research institutes and shipping enterprises. Its targets later expanded to almost all important organizations, and related activities are still active today.\nThe RedDrip Team (@RedDrip7) keeps a close eye on OceanLotus activity. Last month we released an in-depth analysis report: OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure. We have now captured another attack incident, targeting a Vietnamese environmentalist with a new malware payload, and hope the details revealed here lead to more findings in the future.\nBait Analysis\nThe bait sample is a zip archive with a Vietnamese name: Thông tin về chuyên đề môi trường_Nhờ anh Đặng Vũ Lượng tư vấn thêm.zip\nThe compressed package contains three pictures whose Vietnamese names mean \"illustration\". They show garbage in Vietnamese rivers, factories emitting smoke everywhere, and a stinking ditch full of garbage. The pictures are meant to disgust the viewer and, at the same time, to stress the importance of mandatory waste classification.\nBesides the pictures, the main attack sample is an hta script named: Van nan moi truong Viet Nam hien nay va giai phap khac phuc hau qua_Phuong huong trong thoi gian toi.\nBoth the name of the compressed package and the name of the hta attack sample are consistent with a lure aimed at the person in charge of an environmental protection organization.\nhttps://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/\nPage 1 of 16\nWe therefore characterize this attack as: OceanLotus attacked the head of an environmental protection organization in Vietnam.\nSample Analysis\nThe execution flow of the sample used by OceanLotus this time is roughly as follows:\n1. The hta sample decrypts and loads the data appended to it.\n2. DLL Side-Loading through a legitimate Adobe Reader component is used to load the payload, which then connects to the C2.\nPayload Analysis\nThe hta script is obfuscated: it first replaces \",\", \".\" and \" \" with \"+\", \"/\" and \"=\" respectively, restoring the standard base64 alphabet:\nFigure 2.1 The obfuscated hta script\nThe script was generated with the CactusTorch framework (https://github.com/mdsecactivebreach/CACTUSTORCH). It first decrypts the Loader module, then decrypts the appended data through the Loader module, and finally executes the decrypted shellcode in memory:\nFigure 2.2 Loading the Loader in memory\nThe parameters passed to the Loader's \"X\" function are:\nWinShusWenTun.X ( 1632689155 ,31529 ,194,1292962 )\nThe meaning of each parameter is as follows:\nParameter | Value | Description\n1 | 1632689155 (0x6150DC03) | 4-byte key; only its first 3 bytes (0x03, 0xdc, 0x50) are used\n2 | 31529 | Position of the end of the script, i.e. where the appended data begins\n3 | 194 | Length of the name of the dropped docx file\n4 | 1292962 | Size of the appended data\nThe second parameter marks the beginning of the appended data:\nFigure 2.3 Data appended behind the hta file\nLoader Analysis\nThe decrypted Loader module is named L.dll. Its main function is to decrypt and load the data appended to the hta:\nFigure 2.4 Some functions of the Loader\nThe X function decrypts and loads the shellcode: the data is base64-decoded and then XOR-decrypted byte by byte with the key passed in as a parameter:\nFigure 2.5 X function of L.dll\nThe key here is 1632689155 (0x6150DC03). The algorithm uses only its first 3 bytes (0x03, 0xdc, 0x50) in the XOR decryption:\nFigure 2.6 L.dll decryption function\nThe decrypted data is then executed in memory:\nFigure 2.7 Function B of L.dll\nThe shellcode executed by the Loader mainly drops files and establishes persistence. 
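The decode chain the report attributes to X, as an added Python re-implementation (not code from the report, from QiAnXin or from CACTUSTORCH): undo the character substitution that hides the base64 alphabet, base64-decode, then XOR with the first three bytes of the little-endian key 0x6150DC03. The four parameter values are the ones quoted above; the sample payload and the stub script it is appended to are constructed here, and the real appended data is not reproduced.

```python
'''Re-implementation of the decode path the report describes for the X
function of L.dll.  Added example, not QiAnXin's or CACTUSTORCH's code.
Taken from the report: the HTA swaps ',', '.' and ' ' for '+', '/' and '='
to restore base64; the decoded bytes are XORed with the first 3 bytes of the
little-endian 32-bit key passed as the first argument; the other arguments
are the offset and size of the data appended to the script.  The fixture
payload and the layout of the fake .hta are constructed here.'''
import base64
import struct

# Call observed in the report: WinShusWenTun.X(1632689155, 31529, 194, 1292962)
KEY_PARAM = 1632689155     # 0x6150DC03
OFFSET_PARAM = 31529       # start of the appended data inside the .hta
DOCX_NAME_LEN = 194        # length of the decoy .docx name (layout not given, unused)
SIZE_PARAM = 1292962       # size of the appended data

# HTA-safe alphabet <-> standard base64 alphabet
_TO_B64 = str.maketrans({',': '+', '.': '/', ' ': '='})
_FROM_B64 = str.maketrans({'+': ',', '/': '.', '=': ' '})


def key_bytes(key_param: int) -> bytes:
    '''The loader uses only the first 3 bytes of the little-endian DWORD.'''
    return struct.pack('<I', key_param)[:3]


def xor_repeat(data: bytes, key: bytes) -> bytes:
    '''Single-byte XOR with a repeating key.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_appended(blob: str, key_param: int) -> bytes:
    '''Substitution -> base64 -> repeating 3-byte XOR.'''
    return xor_repeat(base64.b64decode(blob.translate(_TO_B64)), key_bytes(key_param))


def decode_from_hta(hta: bytes, offset: int, size: int, key_param: int) -> bytes:
    '''Carve [offset, offset+size) out of the script file and decode it.'''
    return decode_appended(hta[offset:offset + size].decode('ascii'), key_param)


def encode_appended(plain: bytes, key_param: int) -> str:
    '''Inverse transform, used only to build the constructed fixture below.'''
    b64 = base64.b64encode(xor_repeat(plain, key_bytes(key_param))).decode('ascii')
    return b64.translate(_FROM_B64)


def build_fixture() -> tuple:
    '''Constructed sample: a stub script followed by an encoded fake payload.'''
    payload = bytes.fromhex('e800000000') + b'fake-payload-not-real-shellcode'
    script = b'<script language=vbscript>WinShusWenTun.X 1,2,3,4</script>'
    blob = encode_appended(payload, KEY_PARAM).encode('ascii')
    return script + blob, len(script), len(blob), payload


def demo() -> bytes:
    '''Round trip over the constructed fixture; returns the recovered payload.'''
    hta, offset, size, _ = build_fixture()
    return decode_from_hta(hta, offset, size, KEY_PARAM)


if __name__ == '__main__':
    print(key_bytes(KEY_PARAM).hex(), demo())
```

Against the real sample, decode_from_hta with offset 31529 and size 1292962 yields the shellcode that the report shows from Figure 2.6 onward, not a PE file; the third parameter (194, the decoy docx name length) hints that the name lives in that same region, but the report does not give the layout, so this code does not model it.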
As can be seen from its code features, OceanLotus frequently uses this shellcode in its attacks.\nFigure 2.8 Shellcode frequently used by OceanLotus\nOnce loaded in memory, the shellcode in turn loads a dll into memory:\nFigure 2.9 Loading a DLL into memory from the shellcode\nThe files to be dropped are stored in the resource section, and the PE file to be dropped is extracted from the resource data with RtlDecompressBuffer:\nFigure 2.10 Getting the address of the decompression API\nThe resource names are 0x65 and 0x66. As the figure shows, if resource 0x65 does not exist, resource 0x66 is used instead.\nFigure 2.11 Obtaining resource data\nThe resource data obtained is as follows, comprising the file name, the file size and the compressed data:\nFigure 2.12 Raw data in the resource\nIt then enumerates the exe and dll file names in the system32, Program Files and Windows directories into an array, generates a random number to pick one file from that array, and uses the chosen file's name and its File Description as the name of the dropped exe and of the containing folder respectively:\nFigure 2.13 Getting the file names of the specified directories\nIf rasman.dll is picked, its File Description becomes the name of the folder into which the malicious code is dropped. 
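Because the folder and exe names are borrowed from whatever benign binary the random pick lands on, indicators based on fixed names are of little use here; what stays constant is the layout of the drop directory the report goes on to describe: a renamed exe beside a .db3 file with the same stem, the side-loaded Adobe DLLs, inflated file sizes, and the NLS_000001 fallback folder name. The following hunting script is an added example (not QiAnXin's tooling); the size threshold, the reason strings and the demo tree are assumptions made here.

```python
'''Host triage for the dropper's on-disk layout.  Added example, not
QiAnXin's tooling.  From the report: a sub-directory named after a benign
binary's File Description (or NLS_000001 when that field is empty) is created
under Program Files or %APPDATA%; inside sit a renamed legitimate Adobe exe,
a shellcode file with the same stem and a .db3 extension, and the side-loaded
AGM.dll, BIB.dll, CoolType.dll and ACE.dll, each padded to about 11441 KB.
The size threshold, the scoring and the demo tree are my own assumptions.'''
import os
import shutil
import tempfile
from dataclasses import dataclass, field

SIDELOAD_DLLS = {'agm.dll', 'bib.dll', 'cooltype.dll', 'ace.dll'}
PADDED_MIN_BYTES = 10 * 1024 * 1024   # assumption: flag DLLs of roughly 10 MB or more
DEFAULT_FOLDER = 'nls_000001'


@dataclass
class Finding:
    directory: str
    exe: str
    reasons: list = field(default_factory=list)


def inspect_directory(path: str) -> list:
    '''One Finding per exe in path that has a same-stem .db3 beside it.'''
    try:
        names = os.listdir(path)
    except OSError:
        return []
    lower = {n.lower(): n for n in names}
    present_dlls = sorted(SIDELOAD_DLLS & set(lower))
    padded = [lower[d] for d in present_dlls
              if os.path.getsize(os.path.join(path, lower[d])) >= PADDED_MIN_BYTES]
    findings = []
    for low, real in lower.items():
        stem, ext = os.path.splitext(low)
        if ext != '.exe' or stem + '.db3' not in lower:
            continue
        f = Finding(path, real, ['exe with same-stem .db3 (%s)' % lower[stem + '.db3']])
        if present_dlls:
            f.reasons.append('side-loaded DLLs present: ' + ', '.join(present_dlls))
        if padded:
            f.reasons.append('padded DLLs (>= %d MB): ' % (PADDED_MIN_BYTES // 2**20) + ', '.join(padded))
        if os.path.basename(path).lower() == DEFAULT_FOLDER:
            f.reasons.append('default folder name NLS_000001')
        findings.append(f)
    return findings


def hunt(roots) -> list:
    '''Walk each root (Program Files, %APPDATA%, ...) and collect findings.'''
    out = []
    for root in roots:
        for dirpath, _dirs, _files in os.walk(root):
            out.extend(inspect_directory(dirpath))
    return out


def _sparse(path: str, size: int) -> None:
    '''Create a file of the given logical size without writing the padding.'''
    with open(path, 'wb') as fh:
        fh.truncate(size)


def build_demo_tree() -> str:
    '''Constructed layout mirroring the report; the benign sibling is a control.'''
    base = tempfile.mkdtemp(prefix='oceanlotus-demo-')
    bad = os.path.join(base, 'Remote Access Connection Manager')
    os.makedirs(bad)
    _sparse(os.path.join(bad, 'rasman.exe'), 246 * 1024)
    _sparse(os.path.join(bad, 'rasman.db3'), 910 * 1024)
    for dll in ('AGM.dll', 'BIB.dll', 'CoolType.dll', 'ACE.dll', 'MSVCP80.dll', 'MSVCR80.dll'):
        _sparse(os.path.join(bad, dll), 11441 * 1024)
    good = os.path.join(base, 'Some Vendor App')
    os.makedirs(good)
    _sparse(os.path.join(good, 'app.exe'), 100 * 1024)
    _sparse(os.path.join(good, 'CoolType.dll'), 2 * 1024 * 1024)   # a normal Adobe dll, no .db3
    return base


def demo() -> list:
    '''Build the constructed tree, hunt over it, clean up, return findings.'''
    base = build_demo_tree()
    try:
        return hunt([base])
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == '__main__':
    for f in demo():
        print(f.directory, f.exe, *f.reasons, sep='\n  ')
```

Run hunt() over the two roots the report names, Program Files and %APPDATA%. The same-stem exe/.db3 pair is the strongest signal, because the AGM_5 export described later derives the shellcode file name from the exe's own name; Adobe components such as CoolType.dll legitimately sit beside vendor executables (the control directory in the demo), so the DLL names and sizes are reported only as supporting reasons.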
Here the folder created for the malicious code is \"Remote Access Connection Manager\".\nFigure 2.14 File description of rasman.dll\nIf the File Description field of the selected file is empty, the default folder name \"NLS_000001\" is used:\nFigure 2.15 Handling the case in which the field is empty\nThe subdirectory (named after the randomly selected File Description) is created in one of two folders, \"Program Files\" or \"%appdata%\": if there is no permission to create a directory under \"Program Files\", it is created under \"%appdata%\":\nFigure 2.16 Creating a subdirectory\nThe 10 files decrypted from the resource are then dropped into the newly created directory; in our case the directory was \"C:\\Program Files\\Remote Access Connection Manager\", derived from the description of the randomly selected file.\nThe exe takes the name of the randomly selected file. Rasman.db3 is the shellcode to be loaded.\nFigure 2.17 Dropped files\nA registry Run entry is then written to achieve persistence.\nAt the same time, an empty docx file is created in the temp folder and opened, so that the victim believes a docx document was opened:\nThong tin chi tiet nhung san pham can dat hang qua shop zero waste_Bao gia chi tiet san pham.docx\nFigure 2.18 The created docx file\nEnglish translation of the file name: Detailed information on the products to be ordered through the zero waste shop_Detailed product quotation\nDropper Analysis\nThe dropped rasman.exe is a legitimate file, Adobe 3D Utility:\nFigure 3.1 Version information of rasman.exe\nBy default rasman.exe loads dlls from its own directory, including AGM.dll, BIB.dll, CoolType.dll and ACE.dll, which allows DLL Side-Loading:\nFigure 3.2 Import table of rasman.exe\nThe four dlls share the same code; they are the hijacked dlls that rasman.exe loads by default. Although all four get to run DllMain, only CoolType.dll loads the next-stage payload, because the attacker uses a flag variable to decide whether the next stage should be loaded:\nMD5 | File Name | Size | Flag | Comment\n9ca638aeb4ce87936b1a993ef8e285fa | ACE.dll | 11441 KB | 0x8F | Loader padded with useless data\n0a9d3ffff6083a015ab72117cba84fe0 | AGM.dll | 11441 KB | 0x8F | Loader padded with useless data\n840c754098c473faff6fd22ddb8163b7 | BIB.dll | 11441 KB | 0x6D | Loader padded with useless data\na8ff3e6abe26c4ce72267154ca604ce3 | rasman.db3 | 910 KB | - | Shellcode file with random name\ne84927bc7e4bef6af8daf8640d95325e | rasman.exe | 246 KB | - | Legitimate executable with random name\nd7c72d9394dc6e519dbce21830eb37cb | CoolType.dll | 11441 KB | 0x27 | Loader padded with useless data; loads the shellcode\nf5220efbe14b98ac06bc2cadef5c0f23 | MSVCP80.dll | 11441 KB | - | Library functions padded with useless data\n321c4d24da35f39c4ab145b6cfc4da19 | MSVCR80.dll | 11441 KB | - | Library functions padded with useless data\nThe code at the entry point of AGM.dll shows that neither if-branch is taken: its flag is 0x8F, which is greater than both thresholds, so the next-stage payload is not loaded:\nFigure 3.3 DllMain function of AGM.dll\nThe flag of CoolType.dll is 0x27, which is less than 0x46, so the first if-condition holds and fun_LoadExportFun is executed:\nFigure 3.4 DllMain function of CoolType.dll\nfun_LoadExportFun overwrites a large region at the exe's entry point: it loops the junk code found in its configuration over 0x20610 bytes, appends the opcode bytes 0xff 0x15 (an indirect call through a memory operand) followed by the address of the AGM_5 export, so that the code which finally loads the shellcode is still reached:\nFigure 3.5 fun_LoadExportFun\nWhen execution returns to the exe's process space, it jumps back into the region overwritten by fun_LoadExportFun, runs through it and finally executes AGM_5; the purpose is to prevent the execution flow from being traced back:\nFigure 3.6 A lot of padding code\nWhen AGM_5 executes, it first hides all child windows of the process, then reads the file with the .db3 suffix and the same base name from the same directory (here rasman.db3), and finally executes it:\nFigure 3.7 Loading the shellcode from rasman.db3\nThe loaded shellcode is a variant of the Denis family used by OceanLotus:\nFigure 3.8 Contents of rasman.db3\nIt then connects to udt.sophiahoule.com and establishes C2 communication, which ultimately places the computer under the attacker's control:\nFigure 3.9 Captured network packets\nCharacteristics of this malicious code:\n1. The encrypted data is appended to the end of the hta script, avoiding the need for multiple files.\n2. The dropped files are named after a file name and File Description picked at random from the compromised computer, so that they cannot easily be collected by fixed-name forensics.\n3. Only one of the side-loaded dlls carries the loading forward, and the exe's entry point is filled with junk code followed by a jump, to defeat stack tracebacks.\n4. The file sizes are inflated so that the files are not uploaded automatically (automatic sample submission typically has a size limit).\nConclusion\nOceanLotus shows very strong adversarial capability and a willingness to keep evolving its techniques, including the approaches used to deliver bait documents, changes to the payloads, evasion measures and domain assets, whether the target is domestic or overseas. Because most APT groups are transnational, it is difficult to eliminate the threat at its root, so tracking these APT attacks and adopting countermeasures will be necessary for a long time. All we can do is keep improving our own detection and containment capabilities; only then can we technically overwhelm the opponent.\nAt present, all QiAnXin products can protect users from this new attack carried out by OceanLotus.\nIOC\nBait Document\n0dd468ee3a4ec0f6f84473bd8428a1e1\nLoader\nb28c80ca9a3b7deb09b275af1076eb55\nC2\nudt.sophiahoule.com\nSource: https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/"
	],
	"report_names": [
		"english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0249a2a0094532a953b3cf069e4098b9bd06dc8d.pdf",
		"text": "https://archive.orkl.eu/0249a2a0094532a953b3cf069e4098b9bd06dc8d.txt",
		"img": "https://archive.orkl.eu/0249a2a0094532a953b3cf069e4098b9bd06dc8d.jpg"
	}
}