{
	"id": "8624f46d-b53a-4e6b-b484-854d82557ad5",
	"created_at": "2026-04-06T00:22:09.960217Z",
	"updated_at": "2026-04-10T03:23:31.240454Z",
	"deleted_at": null,
	"sha1_hash": "0e33812cdd6028a00c42ed1694cc246f40e3d2fb",
	"title": "investigations/2021-02-24_vietnam at master · AmnestyTech/investigations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315227,
	"plain_text": "investigations/2021-02-24_vietnam at master · AmnestyTech/investigations\r\nBy Te-k\r\nArchived: 2026-04-05 13:06:17 UTC\r\nOverview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders\r\nFrom May to November 2020, we have identified malware attacks targeting Human Rights Defenders and organizations from Viet Nam. This technical blog post provides an overview of the different Ocean Lotus samples identified, technical indicators, and details on the link with earlier Ocean Lotus activities. For more information on the context of these attacks and the targets we identified, please read the report entitled “Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks” on the Amnesty website (also available in Vietnamese).\r\nWe found 9 different malware samples in this investigation: 4 for Mac OS, and 5 for Microsoft Windows.\r\nMac OS Malware\r\nFirst appearance in 2018\r\nThe first Mac OS sample we identified targeted Bui Thanh Hieu in February 2018. Attackers delivered a malicious Mac OS application named “PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018” attached to an email. This sample belongs to the same family as the Ocean Lotus samples analysed by Trend Micro in 2018, and they even share the same string encryption algorithm and key.\r\nThe malicious application uses a first stage dropper to bypass Apple Gatekeeper, then it installs the final payload either in /Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/screenassistantd, if it is launched with root access, otherwise in ~/Library/Spelling/spellagentd. 
The malware gains persistence with a Property List file placed in ~/Library/LaunchAgents/.\r\nThe final payload communicates with the same domains mentioned in the Trend Micro report: ssl.arkouthrie.com, s3.hiahornber.com and widget.shoreoa.com.\r\nNew variants from 2019\r\nIn 2019 Bui Thanh Hieu received three more malicious emails with links to or attached malicious Mac OS applications, which are more recent variants of the same malware we described above. However, these variants seem less developed than the samples analysed by Trend Micro in November 2020, making them likely intermediate versions between those discovered by Trend Micro in 2018 and in 2020.\r\nhttps://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam\r\nPage 1 of 8\n\nWhen executed, these applications launch an installer either embedded in the package or decrypted by a dedicated Python script. The installer disables security protections by removing the com.apple.quarantine bit, launches the final payload and configures persistence by creating a property list in the LaunchAgent user folder, or in the /Library/LaunchDaemons/ folder if launched as root.\r\nThe installer drops two files in the destination folder: one Mach-O binary payload and an encrypted shared Mach-O library named [INTEGER].3gp (such as 33.3gp or 152.3gp). To avoid their discovery during forensic analysis, these files’ creation date and time are faked with the command touch -t.\r\nThe payload first gathers information on the system, including the MacOS version, the kernel version and details on the hardware and CPU. Then it tries to decrypt all the files in the folder until it finds a shared library exporting the functions ArchaeologistCodeine and PlayerAberadurtheIncomprehensible. 
This shared library implements the communication with one of three configured Command \u0026 Control (C\u0026C) domains, using libcurl to send HTTP POST requests with an encrypted body.\r\nThis malware uses custom base64 and AES algorithms to obfuscate all the strings, making it harder to analyse or build signatures as the encryption keys change regularly. In comparison, the 2018 variant used a custom base64 but standard AES, while more recent samples analysed by Trend Micro in 2020 abandoned AES in favour of a custom byte manipulation algorithm.\r\nThis backdoor has limited purpose: it allows the operator to manipulate files and execute commands in a terminal. For the full list of supported commands, check Trend Micro’s report.\r\nWindows Backdoors\r\nWe identified five emails in 2019 and 2020, each containing two files compressed in RAR or ISO archives. The first file is a legitimate copy of Microsoft Word 2007’s executable used for DLL side-loading, while the second is a DLL named wwlib.dll loaded at launch by the Word executable it accompanies.\r\nDLL side-loading is a technique observed several times in Ocean Lotus operations, typically with a Microsoft Word executable. The final payload is always a variant of a downloader used exclusively by Ocean Lotus and named Kerrdown by the cybersecurity company Palo Alto. All the Kerrdown samples we analysed delivered a Cobalt Strike payload.\r\nKerrdown analysis\r\nKerrdown is a dropper that uses several layers of shellcode to obfuscate the final payload. 
Each layer decrypts the next one and redirects execution to it, until the final payload is reached.\r\nFor instance, the first Kerrdown sample we found in May 2019 used 4 distinct stages before executing the final shellcode that downloads a payload from api.ciscofreak.com/HjRX (the domain was down during our investigation, but this Cobalt Strike beacon uploaded on Virus Total in 2019 communicates with this domain).\r\nThese layers of shellcode are different for each Kerrdown sample we discovered, making it challenging to build signatures for this malware family.\r\nOne of the samples which targeted the Vietnamese blogger in July 2020 introduced an additional step in the execution. The wwlib.dll payload installs a binary in C:\\ProgramData\\Java\\UK.exe, a self-extracting RAR archive containing a legitimate executable copy of the Opera browser, which is then used to sideload a malicious DLL called opera.dll.\r\nThis opera.dll is another variant of the Kerrdown family, but the file itself is exceptionally large (42MB). Expanding payloads with junk data is a technique, called “binary padding”, often used by malware to avoid detection by security solutions, as some do not analyse large files in depth to avoid performance issues. Binary padding is known to have been used by Ocean Lotus in the past. This Kerrdown sample includes an obfuscated Cobalt Strike beacon communicating with the domain delicalo.dnsalias.net.\r\nCobalt Strike\r\nCobalt Strike is an intrusion toolkit sold by the US company Strategic Cyber LLC for penetration testing or adversary simulation. Over the past years, cracked versions of Cobalt Strike have been regularly used by attack groups in their operations. 
Cobalt Strike allows an operator to remotely monitor a compromised system, including accessing files but also logging keystrokes or taking screenshots.\r\nOcean Lotus has been known for using Cobalt Strike since at least 2017. The 4 Kerrdown samples we identified all either embedded or downloaded a Cobalt Strike beacon. They all used a Cobalt Strike profile impersonating Google Safe Browsing services URLs, similar to this public profile.\r\nThe configuration can be easily extracted with the scripts we released in September 2020. Here is an example of configuration for a beacon hosted on delicalo.dnsalias.net:\r\ndns False\r\nssl True\r\nport 443\r\n.sleeptime 4100\r\n.http-get.server.output\r\n.jitter 12\r\n.maxdns 245\r\npublickey 30819f300d06092a864886f70d010101050003818d0030818902818100ac50b035fd1b294778b8cbd\r\n.http-get.uri delicalo.dnsalias[.]net,/safebrowsing/rd/e3Iz4FnySnhy3IuXKqrWM40JnseSLDHcH-OzVVfW\r\n.user-agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2\r\n.http-post.uri /safebrowsing/rd/3KHLhJGZRq4iyImdpSZ5RM90vLo3Yt2hB\r\n.http-get.client\r\nGAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflaPREF=ID=Cookie\r\n.http-post.client\r\nGAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflatU=NoncmvrScxBxlwoPREF=ID=Cookie\r\n.post-ex.spawnto_x86 %windir%\\syswow64\\rundll32.exe\r\n.post-ex.spawnto_x64 %windir%\\sysnative\\rundll32.exe\r\n.pipename\r\n.cryptoscheme 1\r\n.dns_idle 0\r\n.dns_sleep 0\r\n.http-get.verb GET\r\n.http-post.verb POST\r\nshouldChunkPosts 0\r\n.watermark 0\r\n.stage.cleanup 0\r\nCFGCaution 0\r\n.proxy_type 2\r\nkilldate 0\r\ntext_section 0\r\nprocess-inject-start-rwx 64\r\nprocess-inject-use-rwx 64\r\nprocess-inject-min_alloc 
0\r\nprocess-inject-transform-x86\r\nprocess-inject-transform-x64\r\nIndicators of Compromise\r\nMac OS samples\r\nFeb 2018\r\nPackage name PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018\r\nDropper 952c16674bde3c16aa3935b3e01f3f0fb4cbac7ffa130143cbf6ccaa72733068\r\nPayload d3a198e18f8c5e9ed54ed4959b471a0f15fbda7d4abf92b7726bc07723e46dd5\r\nC\u0026C ssl.arkouthrie.com widget.shoreoa.com s3.hiahornber.com\r\nJune 2019\r\nPackage name TaiLieu\r\nDropper ecb6186a5e722fa360ece37191589305858a0e176321c9339831f2884dcb0405\r\nPayload 1599fe6cc77764c17802cfde1ca77f091bb3ec2a49f6cab1c80ee667ea7c752b\r\nNetwork library b8567ce4d0595e6466414999798bcb1dfe01cc5ca1dd058bfc55f92033f0f3d8\r\nC\u0026C tips.jasperpfeiffer.com land.rellecharlessper.com and art.guillermoespana.com\r\nOctober 2019\r\nPackage name Danh sach nhan su\r\nDropper b252a8d2ec5c7080286fe3f0ad193062f506b5c34c4c797f97717e396c0a22d5\r\nPayload 9c14cffd79f863fec0a6c0ed337ea82a9044db09afda53b8ac2aef1d49f74f4f\r\nNetwork library 5ed6b7b450ead2d0e69faa3069d1e0bd3a6852909092235f75087da0ca05462f\r\nC\u0026C tips.jasperpfeiffer.com land.rellecharlessper.com and art.guillermoespana.com\r\nDecember 2019\r\nPackage name Don keu cuu cua gia dinh Le Nam Tra\r\nDropper a890c88b6c64371242b4047830b9189b4546536c6b11576d0738f0ba1840ade\r\nPayload 0c41358adeea24d80b35bac4b4f60d93711e32e287343cb604e1fa79b5e5e465\r\nNetwork library 5ed6b7b450ead2d0e69faa3069d1e0bd3a6852909092235f75087da0ca05462f\r\nC\u0026C tips.jasperpfeiffer.com land.rellecharlessper.com and art.guillermoespana.com\r\nWindows Samples\r\nJune 2019\r\nWinword.exe (legitimate) 6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7\r\nwwlib.dll 148e647885712b69258967c5f8798966fb9b8ae24847dda8aeb880cb6f56b6da\r\nC\u0026C 
api.ciscofreak.com\r\nApril 2020\r\nWinword.exe (legitimate) 6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7\r\nwwlib.dll acb33adf7429424170f63fa5490ed580cf502de4a7ef00e4b8c962425cd85052\r\nC\u0026C node.podzone.org\r\nJuly 2020\r\nWinword.exe (legitimate) 6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7\r\nwwlib.dll 5cc8d52fcabfd35042336e095f1f78c2b2884e7826358f5385729cf45ce4d860\r\nOpera.exe (legitimate) 71c3b9538a0f14a8ab67e579ecc4ce2b01e25507d8c07eaf46555e8f44181e37\r\nOpera.dll a51fb048e5a2730bffd0fd43e3bdda4e931c9358254aff960ddf43526c768120\r\nC\u0026C delicalo.dnsalias.net\r\nNovember 2020 (2 emails)\r\nWinword.exe (legitimate) 6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7\r\nwwlib.dll a574720e7b4f420098a0ac0055089000435439eb61ec6de2077ac0f782a506e9\r\nC\u0026C coco.cechire.com\r\nYou can find the full list of indicators of compromise here.\r\nSource: https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam"
	],
	"report_names": [
		"2021-02-24_vietnam"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775791411,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e33812cdd6028a00c42ed1694cc246f40e3d2fb.pdf",
		"text": "https://archive.orkl.eu/0e33812cdd6028a00c42ed1694cc246f40e3d2fb.txt",
		"img": "https://archive.orkl.eu/0e33812cdd6028a00c42ed1694cc246f40e3d2fb.jpg"
	}
}