{
	"id": "0355b7d1-3565-437a-8f56-2d215a84d8dc",
	"created_at": "2026-04-06T00:17:43.323065Z",
	"updated_at": "2026-04-10T13:11:55.773943Z",
	"deleted_at": null,
	"sha1_hash": "28e9a3d1415943980b6214a0473241f0cd4d0c92",
	"title": "OceanLotus ships new backdoor using old tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1248649,
	"plain_text": "OceanLotus ships new backdoor using old tricks\r\nBy Tomáš Foltýn\r\nArchived: 2026-04-05 18:58:39 UTC\r\nESET Research\r\n13 Mar 2018 • 4 min. read\r\nESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus, also dubbed APT32 and APT-C-00.\r\nA prolific purveyor of malware, OceanLotus has its sights set on high-profile corporate and government targets in Southeast Asia, particularly in Vietnam, the Philippines, Laos, and Cambodia. The apparently well-resourced and determined group is known for combining its custom-built creations with techniques that have long proven successful.\r\nhttps://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/\r\nPage 1 of 5\r\nOceanLotus certainly isn’t resting on its laurels while pursuing goals that include cyberespionage, reconnaissance and intellectual property theft. One of the group’s latest backdoors is a fully fledged malicious tool that gives its operators remote access to a compromised machine. The backdoor contains a suite of functionalities, notably a number of tools for file, registry and process manipulation, as well as the loading of additional components.\r\nTo smuggle the backdoor onto a targeted machine, the group uses a two-stage attack whereby a dropper package first gains a foothold on the system and sets the stage for the backdoor itself. 
This process involves some trickery commonly associated with targeted operations of this kind.\r\nThe ruse\r\nThe attack typically begins with an attempt – most probably via a spearphishing email – to lure the intended victim into running the malicious dropper attached to the email. To increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon.\r\nWhen the victim clicks on the attachment, the dropper opens a password-protected document that is intended as a ‘red herring’ to divert the victim’s attention while the dropper goes about its nefarious business. No software exploits are needed: the whole chain relies on the victim running an executable.\r\nThe attackers use a number of decoy documents. To boost its aura of authenticity, each file has a rather carefully crafted – and usually English – name. ESET detects the files as Win32/TrojanDropper.Agent.RUI.\r\nIn addition, OceanLotus is also known to use ‘watering hole attacks’, which involve the compromise of a website that the victim is likely to visit. In this scenario, the ‘prey’ is tricked into downloading and executing a fake installer or fake update for popular software from the booby-trapped website. Whatever the method of compromise, ultimately the same backdoor is deployed.\r\nThe watering hole technique has probably been used to distribute a dropper called RobototFontUpdate.exe, a fake updater for the Roboto Slab regular font, which features in the analysis below.\r\nUnder the hood\r\nFigure 1. Dropper execution flow\r\nThe components of the dropper package are executed in a number of steps; each stage involves a heavy dose of code obfuscation that is designed to shield the malware from detection. 
To lead researchers and anti-malware software further astray, some garbage code is also included.\r\nIf run with administrator privileges, the dropper creates a Windows service that establishes persistence on the system (so that the malware will survive a reboot). Otherwise, the same goal is achieved through the registry, which does not require elevated privileges.\r\nIn addition, the package drops an application whose sole purpose is to delete the ‘lure document’ once it has served its purpose.\r\nFigure 2. Backdoor execution flow\r\nImportantly, two more files are dropped and come into play during this stage: a digitally signed executable from a major, legitimate software developer and a malicious Dynamic Link Library (DLL) named after one used by the legitimate executable.\r\nThe two files figure in a tried-and-tested trick called ‘DLL side-loading’, which consists in co-opting a legitimate application’s library-loading process by planting a malicious DLL inside the same folder as the signed executable. This is a way to remain under the radar, since a trusted application with a valid signature is less likely to arouse suspicion. The signature vouches only for the executable itself; it says nothing about the library that the executable then loads from its own directory, so the malicious code ends up running inside a signed, trusted process.\r\nIn campaigns utilizing these new OceanLotus tools, we have seen deployed, among others, the genuine signed executables RasTlsc.exe from Symantec and mcoemcpy.exe from McAfee. When run, these programs load, respectively, the maliciously supplied rastls.dll (detected by ESET as Win32/Salgorea.BD) and McUtil.dll (detected as Win32/Korplug.MK).\r\nFigure 3. Symantec rastlsc.exe digital signature\r\nThe backdoor opens\r\nOnce decrypted, the backdoor takes a fingerprint of the system. 
It sends home various data, such as the computer and user names and the operating system version, before waiting for commands to carry out its main mission.\r\nA number of domain names and IP addresses are used for the command-and-control (C\u0026C) infrastructure. All communication with the C\u0026C servers is encrypted. It can be readily unscrambled, however, because the decryption key is prepended to the data: anyone who captures the traffic also captures the key needed to read it.\r\nOur deep dive (see the link below) into OceanLotus’s latest marauding campaigns shows that the group isn’t letting up in its efforts and combines legitimate code and publicly available tools with its own harmful creations. The group clearly goes to great lengths to bypass detection for its malware and, ultimately, to ‘muddy the waters’ for researchers.\r\nA detailed analysis may be read in the white paper: OceanLotus: Old techniques, new backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
	],
	"report_names": [
		"oceanlotus-ships-new-backdoor"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28e9a3d1415943980b6214a0473241f0cd4d0c92.pdf",
		"text": "https://archive.orkl.eu/28e9a3d1415943980b6214a0473241f0cd4d0c92.txt",
		"img": "https://archive.orkl.eu/28e9a3d1415943980b6214a0473241f0cd4d0c92.jpg"
	}
}