{
	"id": "22f1ea85-9c4c-46e3-afff-fa0bb443aace",
	"created_at": "2026-04-06T00:11:07.505377Z",
	"updated_at": "2026-04-10T13:12:21.134021Z",
	"deleted_at": null,
	"sha1_hash": "9678a3d78e7cc2e3b7272727b69a6f20c8b4ca8f",
	"title": "RotaJakiro, the Linux version of the OceanLotus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 704543,
	"plain_text": "RotaJakiro, the Linux version of the OceanLotus\r\nBy Alex.Turing\r\nPublished: 2021-05-06 · Archived: 2026-04-05 16:58:52 UTC\r\nOn Apr 28, we published our RotaJakiro backdoor blog; at that time, we didn’t have the answer to a very important question: what is this backdoor exactly for? We asked the community for clues, and two days ago we got a hint. PE (Thanks!) wrote the following comment on our blog post.\r\nThe sample mentioned in the message is a zip archive which appeared in 2016. The zip contains multiple files; the Mach-O executable named Noi dung chi tiet (translated: detailed information) is the OceanLotus sample. When we compared this file with the RotaJakiro sample, we noticed multiple similarities, and it is VERY likely that this is the Linux version of the OceanLotus.\r\nSimilarity 1: Function for C2 session creation\r\nThe common domain name resolution function on Linux is gethostbyname(), but RotaJakiro uses the relatively niche getaddrinfo() function. C2 domain name resolution and session establishment are performed in one function, and the same approach is used by the OceanLotus sample. The comparison of the two functions is as follows.\r\nIt can be seen that they not only have the same function, but also use sprintf() and getaddrinfo() in almost exactly the same way.\r\nIn addition, both RotaJakiro and OceanLotus use separate data structures to hold C2 session information, such as socket fd, whether active, timeout, etc., and their data structures are also very similar.\r\nhttps://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/\r\nPage 1 of 7\r\nSimilarity 2: Registration packet construction method\r\nThe network packets of both RotaJakiro and OceanLotus are composed of Head, Key, and Payload, of which Head is mandatory and has a length of 82 bytes, while Key and Payload are optional. The Head fields compared in this section are:\r\nOffset 1, type DWORD, holds a magic.\r\nOffset 9, type DWORD, holds the length of the Payload.\r\nOffset 13, type WORD, holds the Key length.\r\nOffset 15, type DWORD, holds the message code.\r\nRotaJakiro initializes the Head of the registration packet with a separate function. This function first calls malloc() to dynamically allocate memory for the registration packet, then calls time()/srand()/rand() in turn to generate a random character and assigns it to the first field of the registration packet; the remaining large swath of code assigns values to the remaining fields one by one with multiple constants, so the most obvious feature of this function is that it initializes the registration packet with multiple constants.\r\nThere is also a function in the OceanLotus sample that is dedicated to initializing the Head of the registration packet. This function has no code for memory allocation or random character generation, and the whole function uses multiple constants to assign values to specific fields of the registration packet one by one, exactly like RotaJakiro.\r\nIn addition, OceanLotus shares the same field values with RotaJakiro at offsets 1, 24 and 75; in particular, the magic at offset 1 is 0x3B91011, which is hard to describe as a coincidence, so it greatly increases the probability that these two pieces of code have the same origin. Furthermore, both RotaJakiro and OceanLotus assign a message code to the registration packet, and both use 0x2170272:\r\nThe resulting registration packets are also very similar. The RotaJakiro registration packet is as follows.\r\nThe following is the OceanLotus registration packet analyzed by PAN in 2017.\r\nThe decrypted registration packet for RotaJakiro is shown below.\r\nThe following is the OceanLotus plaintext registration packet from PAN's analysis.\r\nYou can see that they have the same plaintext structure and basically the same key field values.\r\nSimilarity 3: Rotate function\r\nBoth RotaJakiro and OceanLotus have a function we called rotate() for encryption/decryption. The rotate function of RotaJakiro is as follows.\r\nFor OceanLotus:\r\nIt is easy to see the commonalities between them.\r\n1. Both accept 3 parameters.\r\n2. The prototype is the same: the first parameter is the actual object to rotate, the second parameter is the length field, and the third parameter plays a control role.\r\nIn actual use, for example in the process of encrypting the registration packet, you can see that RotaJakiro and OceanLotus use the same parameters.\r\nSimilarity 4: Same instruction codes\r\nBoth RotaJakiro and OceanLotus use DWORD-type instruction codes to specify the function of a message, and share several semantically identical instruction codes, some of which are shown in the following table.\r\nCmd        Function\r\n0x18320e0  Upload device info\r\n0x2170272  Register\r\n0x1B25503  Execute function from a plugin (a dynamic library)\r\n0x1532e65  Execute function from a plugin (a dynamic library)\r\n0x25D5082  Execute function from a plugin (a dynamic library)\r\nThis similarity obviously cannot be explained by coincidence; it is extremely strong evidence of their code homology.\r\nSummary\r\nAlthough RotaJakiro and the Mac version of the OceanLotus are implemented in different languages, their similarity in function and message format design, and their similarity in specific implementation, can no longer be explained by coincidence. It is highly likely that RotaJakiro is a Linux version of the OceanLotus.\r\nSource: https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/"
	],
	"report_names": [
		"rotajakiro_linux_version_of_oceanlotus"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9678a3d78e7cc2e3b7272727b69a6f20c8b4ca8f.pdf",
		"text": "https://archive.orkl.eu/9678a3d78e7cc2e3b7272727b69a6f20c8b4ca8f.txt",
		"img": "https://archive.orkl.eu/9678a3d78e7cc2e3b7272727b69a6f20c8b4ca8f.jpg"
	}
}