{
	"id": "4f13344c-9ba4-49b6-8d92-57c3c2e7ec4f",
	"created_at": "2026-04-06T00:11:04.421092Z",
	"updated_at": "2026-04-10T13:12:09.32244Z",
	"deleted_at": null,
	"sha1_hash": "0d47000f0e6189fc85017db4d3ce4989447267b8",
	"title": "Fake or Fake: Keeping up with OceanLotus decoys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 332567,
	"plain_text": "Fake or Fake: Keeping up with OceanLotus decoys\r\nBy Romain Dumont\r\nArchived: 2026-04-05 15:28:49 UTC\r\nThis article will first describe how the OceanLotus group (also known as APT32 and APT-C-00) recently used one\r\nof the publicly available exploits for CVE-2017-11882, a memory corruption vulnerability present in Microsoft\r\nOffice software, and how OceanLotus malware achieves persistence on compromised systems without leaving any\r\ntraces. Then the article describes how, since the beginning of 2019, the group has been leveraging self-extracting\r\narchives to run code.\r\nContext\r\nFollowing OceanLotus’ activities is taking a tour in the world of deception. This group is known to lure victims by\r\nforging appealing documents to entice potential victims into executing the group’s backdoor, and keeps coming up\r\nwith new ideas to diversify its toolset. The techniques employed for the decoys range from files with so-called\r\ndouble extensions, self-extracting archives and macro-enabled documents, to reusing known exploits. On top of\r\nthat, they are very active and relentlessly continue to raid their favourite victims, South East Asian countries.\r\nSumming up the Equation Editor exploit\r\nIn mid-2018, OceanLotus carried out a campaign using documents abusing the weakness exposed by the CVE-2017-11882 vulnerability. Indeed, several Proofs-of-Concept were made available. The vulnerability resides in the\r\ncomponent responsible for rendering and editing mathematical equations. 
One of the malicious documents used\r\nby OceanLotus was analysed by 360 Threat Intelligence Center (in Chinese) and includes details about the exploit.\r\nLet’s take a look at a similar document.\r\nFirst stage\r\nThis document FW Report on demonstration of former CNRP in Republic of Korea.doc (SHA-1:\r\nD1357B284C951470066AAA7A8228190B88A5C7C3) is similar to the one mentioned in the article above, and\r\nalso interesting as it really targets people interested in Cambodian politics (the CNRP, the Cambodia National\r\nRescue Party, was dissolved in late 2017). Despite its .doc extension, the document is actually in\r\nRTF format (see Figure 1), contains many garbage groups, and is also malformed.\r\nFigure 1 -- RTF garbage fields\r\nhttps://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\r\nPage 1 of 17\n\nDespite the presence of malformed elements, Word successfully opens this RTF file. As seen in Figure 2, at\r\noffset 0xC00 there is an EQNOLEFILEHDR structure, followed by the MTEF header and then an MTEF record\r\n(Figure 3) for a font.\r\nFigure 2 -- FONT record values\r\nAn overflow in the name field is possible because its size isn’t checked before being copied. A name that is too\r\nlong triggers the vulnerability. As seen in the RTF file content (offset 0xC26 in Figure 2), the buffer is filled with\r\nshellcode followed by a NOP (0x90) sled and the return address 0x402114. That address is a gadget in\r\nEQNEDT32.exe pointing to a RET instruction. This results in EIP pointing at the beginning of the name field\r\nwhich contains the shellcode.\r\nFigure 4 -- Start of the exploit shellcode\r\nThe address 0x45BD3C stores a variable that is dereferenced until it reaches a pointer to the currently loaded\r\nMTEFData structure. That is where the rest of the shellcode resides.\r\nThe purpose of the shellcode is to execute a second piece of shellcode, embedded inside the open document. 
First,\r\nthe initial shellcode tries to find the handle of the open document file by iterating through all the system’s handles\r\n(NtQuerySystemInformation with the SystemExtendedHandleInformation argument) and checking if the handle’s\r\nPID matches the PID of a WinWord process and if the document was opened with the following access mask:\r\n0x12019F. To confirm it found the right handle and not the handle of another open document, the content of the\r\nfile is mapped with the CreateFileMapping function and the shellcode checks if the last four bytes of the\r\ndocument are \"yyyy\"; this technique is called “Egg Hunting”. Once it finds a match, the document is copied to a\r\ntemporary folder (GetTempPath) as ole.dll. Then the last 12 bytes of the document are read.\r\nFigure 5 -- Markers at the end of the document\r\nThe 32-bit value between the AABBCCDD and yyyy markers is the offset to the next shellcode. It is invoked\r\nusing the CreateThread function. The extracted shellcode is the same that the OceanLotus group has been using\r\nfor a while now. The Python emulator script we released in March 2018 still works to dump the next stage.\r\nSecond stage\r\nExtracting the components\r\nThe filenames and directories are chosen dynamically. The code randomly selects the filename of an executable or\r\nDLL file located in C:\\Windows\\system32. It will then query its resources and extract the FileDescription field to\r\nuse as a folder name. If this does not work, the code randomly chooses a folder name from the %ProgramFiles%\r\nor C:\\Windows (from GetWindowsDirectoryW) directories. It avoids using a name that may clash with existing\r\nfiles by making sure it does not contain: windows, Microsoft, desktop, system, system32 or syswow64. 
If the\r\ndirectory already exists, the directory name is appended with \"NLS_{6 digits}\".\r\nThe stage’s 0x102 resource is parsed and the files are dropped in either %ProgramFiles% or %AppData% in the\r\nrandomly chosen folder. The creation times are changed to have the same values as kernel32.dll.\r\nFor example, here is a folder and a list of files created by picking the C:\\Windows\\system32\\TCPSVCS.exe\r\nexecutable as a source of data.\r\nFigure 6 -- Extraction of the different components\r\nThe structure of the resource 0x102 in the dropper is quite complex. In a nutshell, it contains:\r\nfilenames\r\nfiles’ size and content\r\ncompression format (COMPRESSION_FORMAT_LZNT1 used by RtlDecompressBuffer function)\r\nThe first file is dropped as TCPSVCS.exe which is in fact Adobe’s legitimate AcroTranscoder.exe (according to its\r\nFileDescription, SHA-1: 2896738693A8F36CC7AD83EF1FA46F82F32BE5A3).\r\nYou may have noticed that the file size of some DLLs exceeds 11MB. This is because a large contiguous buffer of\r\nrandom data is placed inside the executable. It is possibly a way to evade detection by some security products.\r\nAchieving persistence\r\nThe resource 0x101 of the dropper contains two 32-bit integers that dictate how the persistence should be\r\nimplemented. 
The value of the first one specifies how the malware will achieve persistence without administrator\r\nprivileges.\r\nFirst integer value | Persistence mechanism\r\n0 | Do not achieve persistence\r\n1 | Scheduled task as current user\r\n2 | (HKLM|HKCU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n3 | Creation of a shortcut file (with a .lnk extension) in the subdirectory Microsoft\\Windows\\Start Menu\\Programs\\Startup under one of the environment variables: %ALLUSERSPROFILE%, %APPDATA% or %USERPROFILE%\r\nThe value of the second integer specifies how the malware should try to achieve persistence if it runs with\r\nelevated privileges.\r\nSecond integer value | Persistence mechanism\r\n1 | Scheduled task as administrator\r\n2 | Creation of a service\r\nThe service name is the filename without extension; the display name is the folder name but if it already exists\r\nthen the string “Revision 1” is appended (the number is incremented until it finds an unused name). The operators\r\nmade sure the persistence through the service would be resilient: on service failure, the service should restart after\r\n1 second. Then, the registry value WOW64 of the new service key is set to 4 which indicates that it’s a 32-bit\r\nservice.\r\nThe scheduled task is created via several COM interfaces: ITaskScheduler, ITask, ITaskTrigger, IPersistFile and\r\nITaskScheduler. Essentially, the malware creates a hidden task, sets the account information with the current user\r\nor the administrator information and sets the trigger.\r\nThis is a daily task with a duration of 24 hours and the interval between two executions is set to 10 minutes, which\r\nmeans it will run all the time.\r\nThe malicious bit\r\nIn our example, the executable TCPSVCS.exe (AcroTranscoder.exe) is legitimate software side-loading the DLLs\r\nthat were dropped with it. 
In this case, the Flash Video Extension.dll is the interesting one.\r\nIts DLLMain function just calls a single function. Some opaque predicates are present:\r\nFigure 7 -- Opaque predicates\r\nAfter these deceptive checks, the code gets the .text section of TCPSVCS.exe, changes its protection to\r\nPAGE_EXECUTE_READWRITE and overwrites it with do-nothing instructions that have no side effects:\r\nFigure 8 -- Sequence of instructions without side effects\r\nAt the end, a CALL instruction to the address of the function FLVCore::Uninitialize(void) exported by Flash\r\nVideo Extension.dll is appended. This means that, after loading the malicious DLL, when the runtime calls\r\nWinMain in TCPSVCS.exe, the instruction pointer will point to the NOP sled, which will eventually call\r\nFLVCore::Uninitialize(void), the next stage.\r\nThis function simply creates a mutex starting with {181C8480-A975-411C-AB0A-630DB8B0A221} and followed\r\nby the current username. Then, it reads the dropped file with the .db3 extension, which contains position-independent code, and uses CreateThread to execute its content.\r\nThe content of the .db3 file is shellcode commonly used by OceanLotus. Again, we successfully unpacked its\r\npayload using the emulator script we published on GitHub.\r\nThe script extracts the final stage. This component is the backdoor that we already analysed in this white paper:\r\nOceanLotus: Old techniques, new backdoor. It is recognizable as such from the GUID {A96B020F-0000-466F-A96D-A91BBF8EAC96} that is present in the binary. The configuration of the malware is still encrypted in a PE\r\nresource. 
It contains almost the same configuration but the C\u0026C servers are different from the ones that were\r\nalready published:\r\nandreagahuvrauvin[.]com\r\nbyronorenstein[.]com\r\nstienollmache[.]xyz\r\nOnce again OceanLotus showcases a large combination of techniques to stay under the radar. They came back\r\nwith a “better” version of the infection process. By choosing random names and filling executables with random\r\ndata, they reduce the number of reliable IoCs (hash-based and filename-based). Moreover, since they’re using\r\nDLL side-loading, the attackers only have to drop the legitimate AcroTranscoder binary as-is.\r\nAfter using RTF files, the group started using self-extracting (SFX) archives that use common document icons in\r\nan attempt to further mislead their victims. It was briefly documented by Threatbook (in Chinese). When run,\r\nthese self-extracting RAR files drop and execute DLL files (with a .ocx extension) with the final payload being the\r\npreviously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. Since the middle of January 2019,\r\nOceanLotus began reusing the technique but changed some configuration over time. This section will describe the\r\ntechnique and what they have altered to achieve their goal.\r\nFalling for the decoy\r\nThe document THICH-THONG-LAC-HANH-THAP-THIEN-VIET-NAM (1).EXE (meaning \"FAVORITE\r\nRELATIONSHIP OF VIETNAMESE PERFORMANCE\" according to Google Translate, SHA-1:\r\nAC10F5B1D5ECAB22B7B418D6E98FA18E32BBDEAB) was first seen in 2018. This SFX file is cleverly\r\ncrafted, as the description (Version Info) states it’s a “JPEG Image”. 
The script of the SFX is the following:\r\nFigure 9 -- SFX commands\r\nThe malware drops {9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (SHA-1:\r\nEFAC23B0E6395B1178BCF7086F72344B24C04DCC) as well as the image 2018 thich thong lac.jpg.\r\nThe decoy image is the following:\r\nFigure 10 -- Decoy image\r\nYou may have noticed the first two lines in the SFX script invoke the OCX file twice, but it is not a mistake...\r\n{9ec60ada-a200-4159-b310-8071892ed0c3}.ocx (ShLd.dll)\r\nThe OCX file’s control flow is very similar to other OceanLotus components: there are a lot of JZ/JNZ and\r\nPUSH/RET instruction sequences interleaved with junk code.\r\nFigure 11 -- Obfuscated code\r\nAfter filtering the junk code, the export DllRegisterServer called by regsvr32.exe looks like this:\r\nFigure 12 -- Main code of the installer\r\nBasically, the first time the DllRegisterServer is called, it sets the registry value\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model to an encoded\r\noffset in the DLL (0x10001DE0).\r\nThe second time the function is called, it reads this very same value and executes the function at that address.\r\nFrom there, the resource is read and executed and many in-memory operations are executed.\r\nThe shellcode is the same PE loader used in the earlier OceanLotus campaigns. It can be emulated with our miasm\r\nemulation script. 
Ultimately, it drops db293b825dcc419ba7dc2c49fa2757ee.dll, loads it into memory and executes\r\nDllEntry.\r\nThe DLL retrieves the content of its resource, decrypts (AES-256-CBC) and decompresses it (LZMA). The\r\nresource has a specific format that is quite easy to reverse engineer.\r\nFigure 13 -- Structure of the installer configuration (KaitaiStruct Visualizer)\r\nThe configuration is explicit: depending on the privilege level, the binary data will be written to either\r\n%appdata%\\Intel\\logs\\BackgroundUploadTask.cpl or %windir%\\System32\\BackgroundUploadTask.cpl (or\r\nSysWOW64 for 64-bit systems).\r\nNext, persistence is achieved by creating a task named BackgroundUploadTask[junk].job where [junk] is a\r\ncollection of 0x9D and 0xA0 bytes.\r\nThe application name of the task is %windir%\\System32\\control.exe and the parameter value is the path of the\r\ndumped binary. The hidden task is set to run every day.\r\nStructurally, the CPL file is a DLL whose internal name is ac8e06de0a6c4483af9837d96504127e.dll and that\r\nexports a CPlApplet function. This file decrypts its only resource {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll, then loads that DLL and calls its only export, DllEntry.\r\nBackdoor configuration file\r\nThe backdoor has an encrypted configuration embedded in its resources. 
The structure of the configuration file is\r\nquite similar to the previous one.\r\nFigure 14 -- Structure of the backdoor configuration (KaitaiStruct Visualizer)\r\nDespite the structural similarity, the values in many of these fields have been updated compared to those in\r\nour white paper from March 2018.\r\nThe first element of the binaries array contains a DLL (HttpProv.dll,\r\nMD5: 2559738D1BD4A999126F900C7357B759) identified by Tencent, but as the export name has been removed\r\nfrom the binary, the hashes don't match.\r\nWhile hunting for samples, a few characteristics stood out. The sample just analysed appeared around July 2018\r\nand other similar ones were found very recently in mid-January through early-February 2019. The infection vector used\r\nwas an SFX archive dumping a legitimate, decoy document and a malicious OCX file.\r\nEven though OceanLotus uses fake timestamps, it has been observed that the timestamps of the SFX and OCX files\r\nare always the same (0x57B0C36A (08/14/2016 @ 7:15pm UTC) and 0x498BE80F (02/06/2009 @ 7:34am UTC)\r\nrespectively). 
This probably means that they have some kind of “builder” that reuses the same templates and just\r\nchanges some characteristics.\r\nAmong the documents we analysed since early-2018, we saw different document names suggesting country-related targeting:\r\nThe New Contact Information Of Cambodia Media(New).xls.exe\r\n李建香 (个人简历).exe (fake pdf document of a CV)\r\nfeedback, Rally in USA from July 28-29, 2018.exe\r\nSince the discovery of the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll backdoor and its public analysis\r\nby multiple researchers, we observed some changes in the malware’s configuration data.\r\nFirst, the authors started removing the names from the helper DLLs (DNSprov.dll and the two versions of\r\nHttpProv.dll).\r\nThen the operators stopped packaging the third DLL (second version of HttpProv.dll), choosing to embed just one.\r\nSecond, a lot of the backdoor configuration fields have been changed, perhaps to avoid detection, since many IoCs\r\nbecame available.\r\nThe important fields that changed are the following:\r\nthe \"AppX\" registry key changed (see IoCs)\r\nthe mutex encoding string (\"def\", \"abc\", \"ghi\")\r\nthe port number\r\nFinally, all the new variants analysed have new C\u0026C servers, which are listed in the IoCs section.\r\nConclusion\r\nOceanLotus is very active and keeps evolving. The group really focuses on varying their toolsets and decoys.\r\nThey cleverly wrap their payloads with attractive documents based on current events that are likely to be of\r\ninterest to their intended victims. They keep coming up with different techniques and even reuse and readapt\r\npublicly available exploit code such as for the Equation Editor exploit. Moreover, they keep improving their\r\ntechniques to reduce the number of artefacts left on their victims’ machines, thereby reducing the odds of\r\ndetection by security products. 
As we have shown, a lot of in-memory operations are involved, filenames are\r\nrandomly generated and the OceanLotus operators have modified their binaries to avoid being detected. Another\r\nvery interesting point is that some domain names seem to be derived from a dictionary. OceanLotus is making the\r\nextra effort to continue carrying out their campaigns, but don’t hold your breath…\r\nIndicators of Compromise (IoCs)\r\nThe IoCs in this blogpost, as well as the MITRE ATT\u0026CK attributes, are also available from our GitHub\r\nrepository.\r\nRegistry keys/values:\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model\r\n[HKCU|HKLM]\\SOFTWARE\\App\\\r\n  AppXbf13d4ea2945444d8b13e2121cb6b663\\\r\n    Application\r\n    DefaultIcon\r\n  AppX70162486c7554f7f80f481985d67586d\\\r\n    Application\r\n    DefaultIcon\r\n  AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\r\n    Application\r\n    DefaultIcon\r\nMutexes:\r\n{181C8480-A975-411C-AB0A-630DB8B0A221}_ (+ username)\r\nDomain names:\r\nFiles:\r\nDocuments exploiting CVE-2017-11882:\r\nSHA-1 
hashes\r\nESET detection names\r\nWin32/Exploit.CVE-2017-11882.BU\r\nWin32/Exploit.CVE-2017-11882.A\r\nWin32/Exploit.Agent.KT\r\nWin32/Exploit.Agent.LT\r\nWin32/Exploit.CVE-2017-11882.EI\r\nSFX archives and OCX droppers:\r\nSHA-1 hashes\r\nESET detection names\r\nWin32/Agent.ZUR\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1193 | Spearphishing Attachment | Deceitful RTF documents and self-extracting archives are sent to potential victims.\r\nExecution | T1204 | User Execution | The user needs to execute the self-extracting archive or open the RTF document.\r\nExecution | T1117 | Regsvr32 | The self-extracting archives execute regsvr32 to run the OceanLotus' backdoor.\r\nExecution | T1035 | Service Execution | The second stage of the exploit tries to run OceanLotus' backdoor as a service.\r\nPersistence | T1050 | New Service | The second stage of the exploit tries to achieve persistence by creating a service.\r\nPersistence | T1060 | Registry Run Keys / Start Folder | The second stage of the exploit tries to achieve persistence by adding a value in the Run registry key.\r\nPersistence | T1053 | Scheduled Task | The second stage of the exploit tries to achieve persistence by creating a scheduled task.\r\nDefense Evasion | T1009 | Binary Padding | The second stage of the exploit fills dropped executables with random data.\r\nDefense Evasion | T1073 | DLL Side-Loading | OceanLotus' backdoor is side-loaded by dropping a library and a legitimate, signed executable (AcroTranscoder).\r\nDefense Evasion | T1112 | Modify Registry | OceanLotus' backdoor stores its configuration in a registry key.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | The second stage of the exploit drops an encrypted shellcode.\r\nDefense Evasion | T1099 | Timestomp | The creation time of the files dropped by the second stage of the exploit is set to match the creation time of kernel32.dll.\r\nDiscovery | T1083 | File and Directory Discovery | OceanLotus' backdoor can list files and directories.\r\nDiscovery | T1012 | Query Registry | OceanLotus' backdoor can query the Windows Registry to gather system information.\r\nDiscovery | T1082 | System Information Discovery | OceanLotus' backdoor captures system information and sends it to its C\u0026C server.\r\nExfiltration | T1002 | Data Compressed | OceanLotus' backdoor uses LZMA compression before exfiltration.\r\nExfiltration | T1022 | Data Encrypted | OceanLotus' backdoor uses RC4 encryption before exfiltration.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Data exfiltration is done using the already opened channel with the C\u0026C server.\r\n | T1203 | Exploitation for Client Execution | The RTF document includes an exploit to execute malicious code (CVE-2017-11882).\r\nCommand And Control | T1094 | Custom Command and Control Protocol | OceanLotus' backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.\r\nCommand And Control | T1065 | Uncommonly Used Port | OceanLotus' backdoor uses HTTP over an uncommon TCP port (14146). The port is specified in the backdoor configuration.\r\nSource: https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/"
	],
	"report_names": [
		"fake-or-fake-keeping-up-with-oceanlotus-decoys"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d47000f0e6189fc85017db4d3ce4989447267b8.pdf",
		"text": "https://archive.orkl.eu/0d47000f0e6189fc85017db4d3ce4989447267b8.txt",
		"img": "https://archive.orkl.eu/0d47000f0e6189fc85017db4d3ce4989447267b8.jpg"
	}
}