{
	"id": "5b912155-a34c-4cbb-a54f-bb417f5704c7",
	"created_at": "2026-04-06T00:15:55.279427Z",
	"updated_at": "2026-04-10T03:36:21.992792Z",
	"deleted_at": null,
	"sha1_hash": "9fc813c649024772b809abde9c20844d86cbd5ed",
	"title": "How Vietnam-based hacking operation OceanLotus targets journalists - Committee to Protect Journalists",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67870,
	"plain_text": "How Vietnam-based hacking operation OceanLotus targets\r\njournalists - Committee to Protect Journalists\r\nBy Madeline Earp\r\nPublished: 2021-02-01 · Archived: 2026-04-02 11:01:37 UTC\r\nIn early 2020, Vietnamese writer Bui Thanh Hieu told Marina Mai, a freelancer based in Berlin, that he was\r\nclosing his blog to protect his family. In 2009, Hieu was detained for a week for his critical writing on Vietnam’s\r\nterritorial disputes with China, as CPJ documented. In 2013, he fled to Germany, but continued writing about\r\nVietnamese politics on his popular blog Nguoi Buon Gio (The Wind Trader) and on Facebook, he told Mai in an\r\ninterview for the Berlin-based daily taz. He went on to face hacking attacks, repeated attempts to have Facebook\r\ndisable his account, and even sought protection from German police following threats related to his work,\r\naccording to the interview. Eventually, he felt he had no choice but to shut the site. \r\nWhat Mai didn’t know at the time was that her subject had fallen victim to a massive hacking and surveillance\r\noperation known as OceanLotus, which experts say targets people who have criticized the Vietnamese state – and\r\nwhich would come to target her as well. Mai, who has not been back to her home country in several years,\r\nstill writes about Vietnam, as well as the Vietnamese diaspora in Germany, and local issues in Berlin. She told CPJ\r\nin an email in late 2020 that she learned she was a target when German journalists informed her of an attempt to\r\ninstall spyware on her computer. \r\n“I didn’t think I’d be an interesting person for the Vietnamese secret service, because I only write in German,” she\r\ntold CPJ. “I had to correct this opinion.”\r\nSteven Adair, president and co-founder of Volexity, a U.S.-based cybersecurity company that has studied\r\nOceanLotus, spoke to CPJ by phone in late 2020 about how the group identifies and targets journalists. 
The\r\nmethod used in the separate attacks on Mai and Hieu, known as spear phishing, is familiar to many journalists.\r\nMai told CPJ she was targeted via an email that appeared to be legitimate but contained malware; German\r\njournalists reported that the same method was used against Hieu in an October 2020 article published by Die\r\nZeit newspaper and public service broadcaster BR. (Hieu initially agreed to an interview when CPJ reached him\r\nvia messaging app in late 2020, but later said he was too busy to respond.) \r\nOceanLotus also creates fictitious news websites and social media profiles to lure its target audience, according to\r\nAdair; in December, Facebook said it had traced malicious activity by the same actors to an IT company in\r\nVietnam. Adair shared more insights into the group with CPJ below. His answers have been edited for length and\r\nclarity.  \r\nTell us about your work on OceanLotus so far.\r\nIn 2017, we released research about a large digital surveillance campaign called OceanLotus or APT32, a cyber-threat actor or group of hackers. There was no attribution to a country, but [Silicon Valley-headquartered\r\ncybersecurity firm] FireEye and the EFF [U.S. digital rights group the Electronic Frontier Foundation] had some\r\nreporting that clearly showed OceanLotus was out of Vietnam, and was spear phishing dissidents. \r\nThen we happened to come across some weird code on Cambodian government websites that had been\r\ncompromised. It was profiling visitors, collecting information about them. We eventually uncovered that in over\r\n100 different websites for the Philippine military, Laotian websites, Cambodian media websites – all countries\r\nsurrounding Vietnam. \r\nWe uncovered this huge set of stuff going on, including phishing attacks, and some of the malware we could\r\nclearly tie back to OceanLotus. 
Once they have access to your inbox, they can pretend to be you or anyone that’s\r\never emailed you. \r\nThey also [create] fake sites – a lot of them are news websites. None of them are going to leapfrog CNN with\r\nmillions of views a day, but they have news constantly updating, or they advertise somewhere. Some of the pages\r\nnever really caught on, but one had over 20,000 [social media] followers. That’s a decent number for a completely\r\nfraudulent website whose purpose is inarguably to track and target visitors. \r\nThe majority [of targets] ended up being human rights defenders like the [Germany-based] VETO! Human Rights\r\nDefenders Network, media organizations in the United States, and Vietnamese Catholicism related websites…\r\ngroups whose mission is offensive to the Vietnamese government. A lot of them were media websites or blogs that\r\nexpose corruption. \r\nIs it possible to say whether state actors are behind OceanLotus?\r\nWe definitely believe it’s out of Vietnam, but whether it’s a government agency, a contractor working for them, or\r\nsomething else, we don’t claim that we know that. \r\nWe look at the immense level of effort and resources to maintain all the infrastructure and identify the victims. It’s\r\nnot something anyone’s going to do in their spare time. \r\nWhen you look at the 2017 campaign, they’re hacking 120 sites and 90 of them are media and human rights\r\norganizations— from our perspective, there’s no other explanation. \r\n[Editor’s note: CPJ requested comment from the Vietnamese embassy in Berlin via an email address listed on its\r\nwebsite, but did not receive a reply. Phone calls to a number on Hanoi’s Ministry of Public Security website rang\r\nunanswered.] \r\nWhat are the risks of visiting a malicious website set up by hackers? 
\r\nThese websites have real news on them, and one or two pages out of maybe 5,000 would deliver malware.\r\nTheoretically, someone could end up on that [by mistake], but we surmise that they probably deliver links in a\r\ntargeted fashion through direct messages or email. \r\nOr, if they had designated you as a target and had identified your IP address, then the website would behave\r\ndifferently, either present malware to download or redirect you to a login page to steal your password or the\r\nGoogle OAuth credentials that you use to authorize an application.\r\nThere’s no vulnerability in a browser that means you could visit a website [from your home] and they would know\r\nwho you are. But if you’re in a corporate office, it may be possible to identify that you’re tied to an organization\r\non the target list. With one organization that we worked with, we could visit a site and nothing much happened.\r\nBut from an IP address tied to that organization, the same website would behave differently. \r\nThe main way they can profile you is by looking at what you do. The system can tell that you’re Person A who\r\nvisited this blog. Maybe you visit a second time, maybe you also start showing up on this other news website\r\ndedicated to dissidents. They can track language settings, where you came from, enough to say, “That’s probably\r\nan activist or someone who is interested in activists.” It’s quite an operation. \r\nOne of the websites that we found was compromised related to the Taiwanese steel plant that spilled a bunch of\r\nchemicals in the river. The site had been running for several years, saying, “Get this company out of Vietnam.” It\r\nwas actually run by OceanLotus. \r\n[Editor’s note: In 2016, a Taiwanese firm that operated a steel plant in Vietnam agreed to pay millions of dollars\r\nin damages for a toxic waste spill, according to The Guardian. 
The incident became a flashpoint for protests and\r\nthe government cracked down on news coverage, imprisoning at least one journalist as a result, according to CPJ\r\nresearch.]\r\nDie Zeit and BR reported that the hackers used a tool called Cobalt Strike. What is that?\r\nCobalt Strike is a penetration testing tool. I don’t know who their customers are, but it’s sold to a lot of companies\r\nthat use it legitimately. They hire someone to break in and test their security, and that’s a toolkit they can use.\r\nI don’t suspect that OceanLotus is a customer of Cobalt Strike. We don’t know how it happens, but cracked\r\nversions get out there. Maybe someone stole it through hacking or after signing up as a customer, but it means\r\nmultiple people can use an unsupported, illegitimate version without paying for it, and it gives them the capability\r\nto take control of a system. That’s not because of an irresponsible action from the company, as far as we know —\r\nit’s not in the same category as companies that are purveying malware to governments. \r\nThere’s not a specific solution – hackers must be having success with it, or they wouldn’t keep using it. But if it’s\r\nnot that tool, it’s going to be another. Anti-virus [software] is more likely to pick up something like that, which is a\r\nknown, older technology and not being updated – though we don’t know how many of the kinds of people being\r\ntargeted have anti-virus.\r\nIn the case of OceanLotus, it’s interesting that they use it at all. They also have a significant amount of malware\r\ndeveloped in-house and a pretty strong capability to attack across different platforms. But they continue to use it,\r\nthey’ve been using it for years.    \r\nCPJ’s Digital Safety Kit, in six languages, has more information on phishing. \r\nAttila Mong, CPJ’s EU correspondent, contributed reporting from Berlin.\r\nMadeline Earp is a consultant technology editor for CPJ. 
She has edited digital security and rights research for\r\nprojects including five editions of Freedom House’s Freedom on the Net report, and is a former CPJ Asia\r\nresearcher.\r\nSource: https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists"
	],
	"report_names": [
		"vietnam-based-hacking-oceanlotus-targets-journalists"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fc813c649024772b809abde9c20844d86cbd5ed.pdf",
		"text": "https://archive.orkl.eu/9fc813c649024772b809abde9c20844d86cbd5ed.txt",
		"img": "https://archive.orkl.eu/9fc813c649024772b809abde9c20844d86cbd5ed.jpg"
	}
}