{
	"id": "66dd81bc-a6c5-49a2-84bb-dcfc5b5ed84b",
	"created_at": "2026-04-06T00:19:47.721136Z",
	"updated_at": "2026-04-10T03:35:58.691025Z",
	"deleted_at": null,
	"sha1_hash": "7358dad06d62b1576933b66e91f8a617b46f7db4",
	"title": "Taking Action Against Hackers in Bangladesh and Vietnam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77595,
	"plain_text": "Taking Action Against Hackers in Bangladesh and Vietnam\r\nBy isolomons\r\nPublished: 2020-12-11 · Archived: 2026-04-05 14:11:05 UTC\r\nToday, we’re sharing actions we took against two separate groups of hackers — APT32 in Vietnam and a group\r\nbased in Bangladesh — removing their ability to use their infrastructure to abuse our platform, distribute malware\r\nand hack people’s accounts across the internet.\r\nFacebook’s threat intelligence analysts and security experts work to find and stop a wide range of threats including\r\nmalware campaigns, influence operations and hacking of our platform or individual Facebook accounts by nation\r\nstate adversaries, hackers and others. As part of these efforts, our teams routinely disrupt adversary operations by\r\ndisabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly\r\nand continuing to improve the security of our products.\r\nToday we’re sharing our latest research and enforcement actions against attempts to compromise people’s\r\naccounts and gain access to their information, commonly referred to as cyber espionage. These two unconnected\r\ngroups targeted people on our platform and elsewhere on the internet using very different tactics. The operation\r\nfrom Vietnam focused primarily on spreading malware to its targets, whereas the operation from Bangladesh\r\nfocused on compromising accounts across platforms and coordinating reporting to get targeted accounts and Pages\r\nremoved from Facebook.\r\nThe people behind these operations are persistent adversaries, and we expect them to evolve their tactics.\r\nHowever, our detection systems and threat investigators, as well as other teams in the security community, keep\r\nimproving to make it harder for them to remain undetected. 
We will continue to share our findings whenever\r\npossible so people are aware of the threats we are seeing and can take steps to strengthen the security of their\r\naccounts.\r\nHere’s What We Found\r\nBangladesh\r\nThe Bangladesh-based group targeted local activists, journalists and religious minorities, including those living\r\nabroad, to compromise their accounts and have some of them disabled by Facebook for violating our Community\r\nStandards. Our investigation linked this activity to two non-profit organizations in Bangladesh: Don’s Team (also\r\nknown as Defense of Nation) and the Crime Research and Analysis Foundation (CRAF). They appeared to be\r\noperating across a number of internet services.\r\nDon’s Team and CRAF collaborated to report people on Facebook for fictitious violations of our Community\r\nStandards, including alleged impersonation, intellectual property infringements, nudity and terrorism. They also\r\nhacked people’s accounts and Pages, and used some of these compromised accounts for their own operational\r\npurposes, including to amplify their content. On at least one occasion, after a Page admin’s account was\r\ncompromised, they removed the remaining admins to take over and disable the Page. Our investigation suggests\r\nthat these targeted hacking attempts were likely carried out through a number of off-platform tactics including\r\nemail and device compromise and abuse of our account recovery process.\r\nTo disrupt this activity, we removed the accounts and Pages behind this operation. We shared information about\r\nthis group with our industry partners so they too can detect and stop this activity. 
We encourage people to remain\r\nvigilant and take steps to protect their accounts, avoid clicking on suspicious links and downloading software from\r\nuntrusted sources that can compromise their devices and information stored on them.\r\nVietnam\r\nAPT32, an advanced persistent threat actor based in Vietnam, targeted Vietnamese human rights activists locally\r\nand abroad, various foreign governments including those in Laos and Cambodia, non-governmental organizations,\r\nnews agencies and a number of businesses across information technology, hospitality, agriculture and\r\ncommodities, hospitals, retail, the auto industry, and mobile services with malware. Our investigation linked this\r\nactivity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne\r\nTechnologies, Hành Tinh Company Limited, Planet and Diacauso).\r\nAs our industry partners have previously reported, APT32 has deployed a wide range of adversarial tactics across\r\nthe internet. We have been tracking and taking action against this group for several years. Our most recent\r\ninvestigation analyzed a number of notable tactics, techniques and procedures (TTPs) including:\r\nSocial engineering: APT32 created fictitious personas across the internet posing as activists and business\r\nentities, or used romantic lures when contacting people they targeted. These efforts often involved creating\r\nbackstops for these fake personas and fake organizations on other internet services so they appear more\r\nlegitimate and can withstand scrutiny, including by security researchers. 
Some of their Pages were\r\ndesigned to lure particular followers for later phishing and malware targeting.\r\nMalicious Play Store apps: In addition to using Pages, APT32 lured targets to download Android\r\napplications through Google Play Store that had a wide range of permissions to allow broad surveillance of\r\npeople’s devices.\r\nMalware propagation: APT32 compromised websites and created their own to include obfuscated\r\nmalicious JavaScript as part of their watering hole attack to track targets’ browser information. A watering\r\nhole attack is when hackers infect websites frequently visited by intended targets to compromise their\r\ndevices. As part of this, the group built custom malware capable of detecting the type of operating system a\r\ntarget uses (Windows or Mac) before sending a tailored payload that executes the malicious code.\r\nConsistent with this group’s past activity, APT32 also used links to file-sharing services where they hosted\r\nmalicious files for targets to click and download. Most recently, they used shortened links to deliver\r\nmalware. Finally, the group relied on Dynamic-Link Library (DLL) side-loading attacks in Microsoft\r\nWindows applications. They developed malicious files in exe, rar, rtf and iso formats, and delivered benign\r\nWord documents containing malicious links in text.\r\nThe latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation\r\nfocusing on many targets at once, while obfuscating their origin. We shared our findings including YARA rules\r\nand malware signatures with our industry peers so they too can detect and stop this activity. 
To disrupt this\r\noperation, we blocked associated domains from being posted on our platform, removed the group’s accounts and\r\nnotified people who we believe were targeted by APT32.\r\nThreat Indicators:\r\nHashes\r\n768510fa9eb807bba9c3dcb3c7f87b771e20fa3d81247539e9ea4349205e39eb\r\n69730f2c2bb9668a17f8dfa1f1523e0e1e997ba98f027ce98f5cbaa869347383\r\nDomains\r\ntocaoonline[.]com\r\nqh2020[.]org\r\ntinmoivietnam[.]com\r\nnhansudaihoi13[.]org\r\nchatluongvacuocsong[.]vn\r\ntocaoonline[.]org\r\nfacebookdeck[.]com\r\nthundernews[.]org\r\nYARA Signatures\r\nrule APT32_goopdate_installer\r\nrule APT32_goopdate_installer { meta: reference = “ author = “Facebook” description = \"Detects APT32\r\n}\r\nrule APT32_osx_backdoor_loader\r\nrule APT32_osx_backdoor_loader { meta: reference = “ author = “Facebook” description = \"Detects APT32\r\n}\r\nSource: https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam"
	],
	"report_names": [
		"taking-action-against-hackers-in-bangladesh-and-vietnam"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434787,
	"ts_updated_at": 1775792158,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7358dad06d62b1576933b66e91f8a617b46f7db4.pdf",
		"text": "https://archive.orkl.eu/7358dad06d62b1576933b66e91f8a617b46f7db4.txt",
		"img": "https://archive.orkl.eu/7358dad06d62b1576933b66e91f8a617b46f7db4.jpg"
	}
}