{
	"id": "6bcf1963-ab19-4e4e-bfe0-8cb2bc90bbbb",
	"created_at": "2026-04-06T00:08:11.109865Z",
	"updated_at": "2026-04-10T03:36:22.015543Z",
	"deleted_at": null,
	"sha1_hash": "8f2af18f2d5711fc5241660848dc005f6d1ec78b",
	"title": "APT 32, OceanLotus, SeaLotus - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110493,
	"plain_text": "APT 32, OceanLotus, SeaLotus - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 20:41:40 UTC\r\nAPT group: APT 32, OceanLotus, SeaLotus\r\nNames\r\nAPT 32 (Mandiant)\r\nOceanLotus (SkyEye Labs)\r\nSeaLotus (?)\r\nAPT-C-00 (Qihoo 360)\r\nOcean Buffalo (CrowdStrike)\r\nTin Woodlawn (SecureWorks)\r\nATK 17 (Thales)\r\nSectorF01 (ThreatRecon)\r\nPond Loach (Accenture)\r\nAPT-LY-100 (?)\r\nLotus Bane (Group-IB)\r\nG0050 (MITRE)\r\nCountry Vietnam\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2013\r\nDescription\r\n(FireEye) Since at least 2014, FireEye has observed APT32 targeting foreign\r\ncorporations with a vested interest in Vietnam’s manufacturing, consumer products,\r\nand hospitality sectors. Furthermore, there are indications that APT32 actors are\r\ntargeting peripheral network security and technology infrastructure corporations.\r\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has\r\nalso targeted foreign governments, as well as Vietnamese dissidents and journalists\r\nsince at least 2013.\r\nObserved Sectors: Defense, Financial, Government, High-Tech, Hospitality, Manufacturing,\r\nMedia, Retail, Telecommunications and Uyghurs, dissidents and journalists.\r\nCountries: ASEAN, Australia, Bangladesh, Brunei, Cambodia, China, Denmark,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b79f69a4-18a3-4d4f-b6e5-5ad3e01c984b\r\nPage 1 of 7\n\nGermany, India, Indonesia, Iran, Japan, Laos, Malaysia, Myanmar, Nepal,\nNetherlands, Philippines, Singapore, South Korea, Thailand, UK, USA, Vietnam.\nTools used\nAtNow, CACTUSTORCH, CamCapture Plugin, Cobalt Strike, Cuegoe, DKMC,\nfingerprintjs2, Goopy, HiddenLotus, KerrDown, KOMPROGO, METALJACK,\nMimikatz, MSFvenom, Nishang, OceanLotus, Pagoda, PhantomLance, PHOREAL,\nPowerSploit, QuasarRAT, RatSnif, Remy, Roland, Salgorea, 
SOUNDBITE,\nTerracotta VPN, Veil and 0-day exploits in MS Office.\nOperations performed\nApr 2014\nOperation “PhantomLance”\nIn July 2019, Dr. Web reported about a backdoor trojan in Google\nPlay, which appeared to be sophisticated and unlike common malware\noften uploaded for stealing victims’ money or displaying ads. So, we\nconducted an inquiry of our own, discovering a long-term campaign,\nwhich we dubbed “PhantomLance”, its earliest registered domain\ndating back to December 2015.\nDec 2014\nThese applications disguise as a normal application, and their icons\nwill hide automatically after they are running. They will release\nmalicious sub-packages in the background, receive the remote control\ncommand, steal the privacy information of users such as SMS\nmessages, contacts, call records, geographic locations, and browser\nrecords. They also download apks secretly and record audios and\nvideos, then upload users’ privacy information to server, causing\nusers’ privacy leakage.\nAug 2015\nTerracotta VPN\nDubbed by RSA as “Terracotta VPN” (a reference to the Chinese\nTerracotta Army), this satellite array of VPN services “may represent\nthe first exposure of a PRC-based VPN operation that maliciously,\nefficiently and rapidly enlists vulnerable servers around the world,”\nthe company said in a report released today.\nSep 2016 Blackberry Cylance threat researchers have analyzed the Ratsnif\ntrojans, which offer a veritable swiss-army knife of network attack\ntechniques. 
The trojans, under active development since 2016,\ncombine capabilities like packet sniffing, gateway/device ARP\npoisoning, DNS poisoning, HTTP injection, and MAC spoofing.\nMar 2017\nBreach of the ASEAN website\nSteven Adair, founder and CEO, said the hacking group was still\nactive, and had compromised the website of the Association of South\nEast Asian Nations (ASEAN) over several high-profile summit\nmeetings. ASEAN is holding another summit of regional leaders in\nthe Philippines capital Manila this week.\nMay 2017\nOperation “Cobalt Kitty”\nDubbed Operation Cobalt Kitty, the APT targeted a global corporation\nbased in Asia with the goal of stealing proprietary business\ninformation. The threat actor targeted the company’s top-level\nmanagement by using spear-phishing attacks as the initial penetration\nvector, ultimately compromising the computers of vice presidents,\nsenior directors and other key personnel in the operational\ndepartments. During Operation Cobalt Kitty, the attackers\ncompromised more than 40 PCs and servers, including the domain\ncontroller, file servers, Web application server and database server.\nMay 2017\nMass Digital Surveillance and Attacks Targeting ASEAN, Asian\nNations, the Media, Human Rights Groups, and Civil Society\nIn May 2017, Volexity identified and started tracking a very\nsophisticated and extremely widespread mass digital surveillance and\nattack campaign targeting several Asian nations, the ASEAN\norganization, and hundreds of individuals and organizations tied to\nmedia, human rights and civil society causes. 
These attacks are being\nconducted through numerous strategically compromised websites and\nhave occurred over several high-profile ASEAN summits.\nOct 2017 During an incident response investigation in the final quarter of 2017,\nCylance incident responders and threat researchers uncovered several\nbespoke backdoors deployed by OceanLotus Group (a.k.a. APT32,\nCobalt Kitty), as well as evidence of the threat actor using obfuscated\nCobaltStrike Beacon payloads to perform C2.\nEarly 2018\nKerrDown downloader\nWe identified two methods to deliver the KerrDown downloader to\ntargets. One is using the Microsoft Office Document with a malicious\nmacro and the other is RAR archive which contains a legitimate\nprogram with DLL side-loading. For RAR archive files, the file\nnames used to trick targets are all in Vietnamese as shown in Figure\n11. Our analysis shows that the primary targets of the ongoing\ncampaign discussed in this blog are either in Vietnam or Vietnamese\nspeaking individuals.\nMar 2018\nOceanLotus ships new backdoor using old tricks\nApr 2018\nNew MacOS Backdoor\nThe MacOS backdoor was found in a malicious Word document\npresumably distributed via email. 
The document bears the filename\n“2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC\n2018.doc,” which translates to “2018-REGISTRATION FORM OF\nHMDC ASSEMBLY 2018.doc.” The document claims to be a\nregistration form for an event with HDMC, an organization in\nVietnam that advertises national independence and democracy.\nApr 2018\nSteganography to Shroud Payloads\nThe OceanLotus APT is using two new loaders which use\nsteganography to read their encrypted payloads.\nMay 2018 Watering Hole Attack using the Phnom Penh Post website\nThe attack started just days after Australian mining magnate Bill\nClough sold the newspaper to Malaysian spin doctor Sivakumar\nGanapathy, who specializes in “covert PR”.\n“Since last Tuesday [May 8], computers in our office were targeted by\na malicious piece of code when we visited the Phnom Penh Post\nwebsite,” said Naly Pilorge, director of Licadho — one of\nCambodia’s leading human rights groups.\nMid-2018\nEquation Editor exploit\nIn mid-2018, OceanLotus carried out a campaign using documents\nabusing the weakness exposed by the CVE-2017-11882 vulnerability.\nIndeed, several Proofs-of-Concept were made available. The\nvulnerability resides in the component responsible for rendering and\nediting mathematical equations.\nSep 2018\nWatering Hole Attack in Southeast Asia\nESET researchers have discovered a new watering hole campaign\ntargeting several websites in Southeast Asia, and that is believed to\nhave been active since September 2018. This campaign stands out\nbecause of its large scale, as we were able to identify 21 compromised\nwebsites, some of which are particularly notable. 
Among the\ncompromised websites were the Ministry of Defense of Cambodia,\nthe Ministry of Foreign Affairs and International Cooperation of\nCambodia and several Vietnamese newspaper or blog websites.\nJan 2019\nSelf-Extracting archives\nAfter using RTF files, the group started using self-extracting (SFX)\narchives that use common document icons in an attempt to further\nmislead their victims. It was briefly documented by Threatbook (in\nChinese). When run, these self-extracting RAR files drop and execute\nDLL files (with a .ocx extension) with the final payload being the\npreviously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. Since the middle of January 2019,\nOceanLotus began reusing the technique but changed some\nconfiguration over time.\nMar 2019 macOS malware update\nEarly in March 2019, a new macOS malware sample from the\nOceanLotus group was uploaded to VirusTotal, a popular online\nmulti-scanner service. This backdoor executable bears the same\nfeatures as the previous macOS variant we looked at, but its structure\nhas changed and its detection was made harder. Unfortunately, we\ncouldn’t find the dropper associated with this sample so we do not\nknow the initial compromise vector.\nMar 2019\nMalicious macro armed documents likely targeting ASEAN affairs\nand meeting members. Telemetry and spreading statistics related to\nthese decoy documents highlight their diffusion in the geographical\narea of Thailand.\nMar 2019\nBreach of Toyota in Australia, Japan, Thailand and Vietnam\nToyota said the servers that hackers accessed stored sales information\non up to 3.1 million customers. 
The carmaker said there’s an ongoing\ninvestigation to find out if hackers exfiltrated any of the data they had\naccess to.\nMay 2019\nAttacks to Indochinese Peninsula\nIn this report, we share our summary of the latest attack techniques,\nattack payloads and related attacks of the OceanLotus, hoping that we\ncan jointly improve understanding of OceanLotus group, an\nextremely active APT group.\nDec 2019\nBreach of BMW and Hyundai\nJan 2020\nVietnamese Threat Actors APT32 Targeting Wuhan Government and\nChinese Ministry of Emergency Management in Latest Example of\nCOVID-19 Related Espionage\n2020\nThroughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as they\nwere being used to load an OceanLotus web profiling framework.\nJul 2020\nNew APT32 Malware Campaign Targets Cambodian Government\nNov 2020\nNew MacOS Backdoor Connected to OceanLotus Surfaces\nAug 2024\nAdvanced Persistent Threat Targeting Vietnamese Human Rights\nDefenders\nCounter operations\nDec 2020\nTaking Action Against Hackers in Bangladesh and Vietnam\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b79f69a4-18a3-4d4f-b6e5-5ad3e01c984b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b79f69a4-18a3-4d4f-b6e5-5ad3e01c984b"
	],
	"report_names": [
		"showcard.cgi?u=b79f69a4-18a3-4d4f-b6e5-5ad3e01c984b"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434091,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f2af18f2d5711fc5241660848dc005f6d1ec78b.pdf",
		"text": "https://archive.orkl.eu/8f2af18f2d5711fc5241660848dc005f6d1ec78b.txt",
		"img": "https://archive.orkl.eu/8f2af18f2d5711fc5241660848dc005f6d1ec78b.jpg"
	}
}