malware-research/oceanlotus at master · eset/malware-research
By marc-etienne
Archived: 2026-04-05 12:48:17 UTC
Collection of helper scripts for OceanLotus
This repository contains scripts to help analysing OceanLotus' latest campaign using the legitimate "rastls.exe"
application for side-loading.
As described in ESET research whitepaper there are two components that has encrypted payloads: the fake
document (dropper component) and the backdoor ( rastls.dll ).
ol_unpack_shellcode_from_decoy.py will unpack the shellcode embedded in the resource of the (fake) decoy
document.
ol_unpack_files_from_3rd_stage.py is almost the same script but it is used for the third stage of the dropper
part, obtained after the emulation (using shellcode_emulator ) of shellcode outputted by
ol_unpack_shellcode_from_decoy.py . The script extracts the encrypted and compressed configuration and parse
it. It prints the possible install paths for the backdoor and its persistence mechanism. Finally, the script drops all
the backdoor components (e.g. rastls.exe , rastls.dll and SyLog.bin ). The Kaitai Struct structure
ol_decoy_dropped_files.ksy was used to create the Python class.
Both of these scripts uses lief as a PE parser so make sure to install it beforehand.
ol_unpack_files_from_3rd_stage.py uses Kaitai Struct.
ol_unpack_shellcode_from_backdoor.py decrypts the shellcode of an installed backdoor using the key and IV
embedded in the rastls.dll file and the encrypted OUTLFLTR.DAT file (or SyLog.bin depending on the
version).
The folder shellcode_emulator contains a script and its description to run the shellcode emulator. Since the
same shellcode is used everywhere during this campaign, it was faster to emulate it instead of using dynamic
analysis.
The following flow could be used to obtain the dropped files from the decoy document (the dropper):
ol_unpack_shellcode_from_decoy.py ⇒ ol_shellcode_emulator.py ⇒
ol_unpack_files_from_3rd_stage.py
The following flow could be used to obtain the third stage of the backdoor component:
ol_unpack_shellcode_from_backdoor.py ⇒ ol_shellcode_emulator.py
https://github.com/eset/malware-research/tree/master/oceanlotus
Page 1 of 2

Finally, this repository also contains the Kaitai structure for the fifth stage of the backdoor component. It will
parse the configuration structure of the decrypted resource. In order to generate a parser class or visualize it, Kaitai
Struct should be installed.
Source: https://github.com/eset/malware-research/tree/master/oceanlotus
https://github.com/eset/malware-research/tree/master/oceanlotus
Page 2 of 2