{
	"id": "4cb64ec4-de7a-489e-977c-603a66b5bc2a",
	"created_at": "2026-04-06T00:21:13.138451Z",
	"updated_at": "2026-04-10T03:36:22.100065Z",
	"deleted_at": null,
	"sha1_hash": "ac844dfefd92df69384d56efeb86e1dfb08c0c9f",
	"title": "New MacOS Backdoor Connected to OceanLotus Surfaces",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1067531,
	"plain_text": "New MacOS Backdoor Connected to OceanLotus Surfaces\r\nBy: Luis Magisa, Steven Du Nov 27, 2020 Read time: 5 min (1439 words)\r\nPublished: 2020-11-27 · Archived: 2026-04-05 14:37:57 UTC\r\nWe recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new variant (detected by Trend Micro as Backdoor.MacOS.OCEANLOTUS.F) include new behavior and domain names. As of writing, this sample is still undetected by other antimalware solutions.\r\nDue to similarities in dynamic behavior and code with previous OceanLotus samples, it was confirmed to be a variant of the said malware.\r\nFigures 1-2. Comparison of old OceanLotus sample (above) with the latest OceanLotus sample (below)\r\nOceanLotus was responsible for targeted attacks against organizations from industries such as media, research, and construction. Recently they have also been discovered by researchers from Volexity to be using malicious websites to propagate malware.\r\nThe attackers behind this sample are suspected to target users from Vietnam, since the document’s name is in Vietnamese and the older samples targeted the same region.\r\nArrival\r\nThe sample arrives as an app bundled in a Zip archive. It uses the icon of a Word document file as a disguise, attempting to pass itself off as a legitimate document.\r\nFigure 3. The sample’s file name, icon, and app bundle structure\r\nAnother technique it uses to evade detection is adding special characters to its app bundle name. When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder's name shows \"ALL tim nha Chi Ngoc Canada.doc\" (“tìm nhà Chị Ngọc” roughly translates to “find Mrs. Ngoc’s house”). However, inspecting the original Zip file that contains the folder shows 3 unexpected bytes between \".\" and \"doc\".\r\nFigure 4. Special character between ‘.’ and ‘doc’ as viewed inside the zip archive\r\nThe 3 bytes \"efb880\" form a UTF-8 sequence. According to the UTF-8 mapping, the corresponding Unicode code point is \"U+FE00\".\r\nCode point | First byte | Second byte | Third byte | Fourth byte\r\nU+0000 to U+007F | 0xxxxxxx | | |\r\nU+0080 to U+07FF | 110xxxxx | 10xxxxxx | |\r\nU+0800 to U+FFFF | 1110xxxx | 10xxxxxx | 10xxxxxx |\r\nU+10000 to U+10FFFF | 11110xxx | 10xxxxxx | 10xxxxxx | 10xxxxxx\r\nTable 1. UTF-8 mapping\r\n\"U+FE00\" is the Unicode control character named VARIATION SELECTOR-1, which selects the visual appearance of a CJK compatibility ideograph. In this case the preceding character is the ordinary character \".\", so the variation selector does not change the visual appearance.\r\nThe operating system sees the app bundle as an unsupported directory type, so as the default action the “open” command is used to execute the malicious app. Had the suffix been .doc without the special character, Microsoft Word would be called to open the app bundle as a document; since it is not a valid document, Word would fail to open it.\r\nHere is the code signing information for the app bundle sample.\r\nFigure 5. Code signing information for the sample\r\nThe app bundle contains two notable files:\r\nALL tim nha Chi Ngoc Canada: the shell script containing the main malicious routines\r\nconfigureDefault.def: the Word file displayed during execution\r\nFigure 6. Contents of the “ALL tim nha Chi Ngoc Canada” file\r\nFigure 7. The document displayed after executing the file\r\nWhen the shell script was run, it performed the following routines:\r\n1) Delete the file quarantine attribute for the files in \"*ALL tim nha Chi Ngoc Canada.?doc*\"\r\n2) Attempt to remove the file quarantine attribute of the files in the system\r\n3) Copy \"ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(doc)\" to \"/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)\"\r\n4) Open \"/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)\"\r\n5) Extract the base64-encoded fat binary to \"ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def(fat binary)\", which is the second-stage payload\r\n6) Change the access permissions of the second-stage payload to executable and launch the second-stage payload\r\n7) Delete the malware app bundle \"ALL tim nha Chi Ngoc Canada.?doc\"\r\n8) Copy \"/tmp/ALL tim nha Chi Ngoc Canada.doc(doc)\" to \"{execution directory}/ALL tim nha Chi Ngoc Canada.doc\"\r\n9) Delete \"/tmp/ALL tim nha Chi Ngoc Canada.doc\"\r\nSecond-stage payload\r\nWhen executed, the second-stage payload (ALL tim nha Chi Ngoc Canada.?doc/Contents/Resources/configureDefault.def) performs the following malware routines:\r\n1) Drop the third-stage payload to ~/Library/User Photos/mount_devfs\r\n2) Create persistence for the sample by creating ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist\r\nFigure 8. Plist file ~/Library/LaunchAgents/com.apple.marcoagent.voiceinstallerd.plist\r\n3) Use the touch command to change the timestamp of the sample\r\nFigure 9. The timestamp of the dropped files\r\n4) Delete itself\r\nThird-stage payload\r\nIn the third-stage payload (~/Library/User Photos/mount_devfs), the strings are encrypted with a custom scheme using base64 encoding and byte manipulation.\r\nFigure 10. Encrypted strings\r\nFigures 11-12. Decryption routine\r\nLike older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information, submitting it to its malicious C\u0026C servers, and receiving additional C\u0026C communication information, and another for the backdoor capabilities.\r\nIt collects the following information from the infected system by invoking the following commands:\r\nCommand: system_profiler SPHardwareDataType 2\u003e/dev/null | awk '/Processor / {split($0,line,\\\":\\\"); printf(\\\"%s\\\",line[2]);}'\r\nDescription: Get processor information\r\nCommand: system_profiler SPHardwareDataType 2\u003e/dev/null | awk '/Memory/ {split($0,line, \\\":\\\"); printf(\\\"%s\\\", line[2]);}'\r\nDescription: Get memory information\r\nCommand: ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \\\"\\\\\\\"\\\"); printf(\\\"%s\\\", line[4]); }'\r\nDescription: Get serial number\r\nCommand: ifconfig -l\r\nCommand: ifconfig \u003cdevice\u003e | awk '/ether /{print $2}' 2\u003e\u00261\r\nDescription: Get network interface MAC addresses\r\nTable 2. OceanLotus commands and descriptions\r\nThe collected information is encrypted and sent to the malware C\u0026C server.\r\nFigure 13. TCP stream excerpt of the malware sending information to the C\u0026C server\r\nIt also receives commands from the same server.\r\nFigure 14. TCP stream excerpt of the malware receiving commands from the C\u0026C server\r\nHere are the C\u0026C servers used by the malware:\r\nmihannevis[.]com\r\nmykessef[.]com\r\nidtpl[.]org\r\nThe new variant’s backdoor capabilities are similar to those of the old OceanLotus sample, as detailed in the code excerpts below:\r\nFigures 15-16. A comparison of the code of the old OceanLotus variant (above) and the new one (below)\r\nBelow are the supported commands and their respective codes (taken from an earlier blog post that covered OceanLotus).\r\nCode | Description\r\n0x33 | Get file size\r\n0xe8 | Exit\r\n0xa2 | Download and execute a file\r\n0xac | Run command in terminal\r\n0x48 | Remove file\r\n0x72 | Upload file\r\n0x23 | Download file\r\n0x3c | Download file\r\n0x07 | Get configuration info\r\n0x55 | Empty response, heartbeat packet\r\nTable 3. Supported commands and their respective codes\r\nDetails about C\u0026C domain names\r\nAccording to its Google and Whois history, the mihannevis[.]com domain was used to host other websites in the past before it was changed to a C\u0026C server around the end of August 2020.\r\nFigures 17-18. Domain history of mihannevis[.]com, from Whois (above) and Google (below)\r\nIn VirusTotal, some related URL queries appeared at the end of August.\r\nFigure 19. URLs related to mihannevis[.]com as seen on VirusTotal\r\nThe domain \"mykessef[.]com\" was used for the C\u0026C server earlier.\r\nFigure 20. Domain history of mykessef[.]com based on Whois Lookup\r\nThe domain name \"idtpl[.]org\" was registered three years ago, and there was no update history. According to Whois lookup, its registration expired at the end of March 2020.\r\nFigure 21. idtpl[.]org registration information based on Whois Lookup\r\nBut from the middle of July 2020, its IP address changed to 185[.]117[.]88[.]91.\r\nFigure 22. Domain history of idtpl[.]org as seen on VirusTotal\r\nRecommendations\r\nThreat groups such as OceanLotus are actively updating malware variants in attempts to evade detection and improve persistence. The following best practices can be applied to defend against malware:\r\nNever click links or download attachments from emails coming from suspicious sources\r\nRegularly patch and update software and applications\r\nUse security solutions suitable for your operating system\r\nTo protect systems operating on macOS, we recommend Trend Micro Home Security for Mac products, which offer comprehensive and multi-device protection against malware and other cyberthreats.\r\nIndicators of Compromise\r\nSHA-256 | Filename/Description | Trend Micr\r\ncfa3d506361920f9e1db9d8324dfbb3a9c79723e702d70c3dc8f51825c171420 | ALL%20tim%20nha%20Chi%20Ngoc%20Canada.zip | Backdoor.M\r\n48e3609f543ea4a8de0c9375fa665ceb6d2dfc0085ee90fa22ffaced0c770c4f | ALL tim nha Chi Ngoc Canada | Backdoor.SH\r\n05e5ba08be06f2d0e2da294de4c559ca33c4c28534919e5f2f6fc51aed4956e3 | 2nd stage fat binary | Backdoor.M\r\nfd7e51e3f3240b550f0405a67e98a97d86747a8a07218e8150d2c2946141f737 | 3rd stage fat binary | Backdoor.M\r\nDomains\r\nmihannevis[.]com\r\nmykessef[.]com\r\nidtpl[.]org\r\nMITRE TTP\r\nTactic | ID | Name | Description\r\nDefense Evasion | T1070.004 | File Deletion | The app bundle and dropper delete themselves after execution\r\nDefense Evasion | T1222.002 | Linux and Mac File and Directory Permissions Modification | The backdoor changes the permission of the file it wants to execute to +x\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Readable strings were encrypted\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | The app bundle is disguised as a doc file to trick users into executing it\r\nDefense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | The backdoor modifies the date and time of the dropped files using the “touch” command\r\nDiscovery | T1082 | System Information Discovery | The backdoor collects various information to send to the C\u0026C server\r\nCollection | T1560.003 | Archive Collected Data: Archive via Custom Method | The backdoor encrypts the data before exfiltration\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Like previous samples, performs backdoor routines based on C\u0026C data\r\nSource: https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
	],
	"report_names": [
		"new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434873,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac844dfefd92df69384d56efeb86e1dfb08c0c9f.pdf",
		"text": "https://archive.orkl.eu/ac844dfefd92df69384d56efeb86e1dfb08c0c9f.txt",
		"img": "https://archive.orkl.eu/ac844dfefd92df69384d56efeb86e1dfb08c0c9f.jpg"
	}
}