{
	"id": "fd289326-4fc4-41a6-a9fd-8f0627eca0b2",
	"created_at": "2026-04-06T00:15:44.201364Z",
	"updated_at": "2026-04-10T13:11:29.112344Z",
	"deleted_at": null,
	"sha1_hash": "af8a0f81d234b77742640be6aaad3ccaf317ab86",
	"title": "Ocean Lotus APT Group (APT32) - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1693192,
	"plain_text": "Ocean Lotus APT Group (APT32) - Brandefense\r\nPublished: 2022-08-22 · Archived: 2026-04-02 12:12:24 UTC\r\nAugust 22, 2022, 1:09 pm\r\nOcean Lotus APT Group (APT32)\r\nThreat Actor ID\r\nCountry: Vietnam\r\nSponsor: State-sponsored\r\nFirst Seen: 2014\r\nMotivation: Information theft and espionage\r\nMethods: Watering Hole, Malware, Spearphishing\r\nOther Names:\r\nAPT32 (Mandiant)\r\nOcean Lotus (SkyEye Labs)\r\nOcean Buffalo (CrowdStrike)\r\nTin Woodlawn (SecureWorks)\r\nGroup’s Mission and Vision\r\nThe Ocean Lotus APT group is a hacker group that has operated against both private and government organizations and their opponents since 2014. The primary motivation behind the attacks carried out by the Ocean Lotus group is information theft and espionage, given the private information sought in the attacks and the high-profile individuals targeted.\r\nThe targets of the Ocean Lotus group are generally foreign companies with established success and interests in Vietnam’s hospitality, manufacturing, and consumer goods sectors. As well as the private sector, the Ocean Lotus group targets politicians and journalists opposed to the Vietnamese government.\r\nTargeted Countries \u0026 Industries\r\nThe cyberespionage group Ocean Lotus, active since 2014, targets organizations in various industries in Vietnam and other Southeast Asian countries.\r\nIndonesia, Iran, Japan, Laos, Malaysia, Myanmar, Nepal, Netherlands, Philippines, Singapore, South Korea, Thailand, UK, USA, Vietnam, ASEAN, Australia, Bangladesh, Brunei, Cambodia, China, Denmark, Germany, India.\r\nFigure 1: Targeted countries\r\nhttps://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/\r\nPage 1 of 11\r\nOcean Lotus targeted dissidents and journalists operating against Vietnam.\r\nOcean Lotus attempted to steal trade secrets by breaching the network security of automotive manufacturers BMW and Hyundai.\r\nOcean Lotus targeted the Chinese Ministry of Emergency Management and the Wuhan Municipal Government to obtain information on the COVID-19 pandemic.\r\nOcean Lotus compromised the mod.gov[.]kh domain of the Cambodia Ministry of Defense in its Watering Hole campaign.\r\nOcean Lotus used mobile malware to attack mobile devices and steal confidential personal information such as SMS, call logs, connections, geolocation, and browser logs.\r\nVarious security vendors have reported that the Ocean Lotus group has also targeted the finance, hospitality, and product sales sectors.\r\n
Operations Performed by APT32\r\nIn 2016, Ocean Lotus was observed targeting a number of Vietnamese organizations with a watering hole attack. The group used a website that masqueraded as a site for Vietnamese students studying abroad. When visitors to the site attempted to register for an account, they were redirected to a malicious website that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.\r\nIn 2017, Ocean Lotus carried out a campaign against Vietnam’s National Assembly. The group sent spear phishing emails containing a link to a fake website that mimicked the National Assembly’s intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.\r\nIn 2018, Ocean Lotus launched a successful campaign against Vietnam’s Ministry of Foreign Affairs. The group sent spear phishing emails containing a link to a fake website that mimicked the Ministry of Foreign Affairs intranet login page. Victims who attempted to log in had their credentials stolen by Ocean Lotus.\r\nIn 2019, Ocean Lotus was observed targeting a number of Vietnamese organizations with watering hole attacks. The group used websites that masqueraded as sites for Vietnamese students studying abroad. When visitors to the sites attempted to register for an account, they were redirected to malicious websites that served malware. This malware allowed Ocean Lotus to gain control of the victim’s computer.\r\nOcean Lotus’ operations have continued into 2020. In February 2020, the group was observed targeting Vietnamese organizations with a phishing campaign. The group sent emails containing a link to a fake website that mimicked the login page for Google’s Gmail service. Victims who attempted to log in had their credentials stolen by Ocean Lotus.\r\nOcean Lotus has been active for over eight years and shows no signs of slowing down. The group is skilled in carrying out sophisticated attacks and is considered a serious threat to organizations in Vietnam and other Southeast Asian countries.\r\n
TTPs \u0026 Attack Lifecycle\r\nThe techniques, tactics, and procedures used by the Ocean Lotus group to violate the security of the target system in their attacks help define the threat group’s characteristics and determine the countermeasures that can be taken. In addition, the information below gives an overview of how a typical attack lifecycle is performed with the software used by Ocean Lotus and for what purposes the tools are used.\r\nTactic (Tactic ID): Technique (Technique ID)\r\nInitial Access (TA0001)\r\nDrive-by Compromise (T1189)\r\nPhishing (T1566)\r\n• Spearphishing Attachment (T1566.001)\r\n• Spearphishing Link (T1566.002)\r\nValid Accounts (T1078)\r\n• Local Accounts (T1078.003)\r\nExecution (TA0002)\r\nCommand and Scripting Interpreter (T1059)\r\n• JavaScript (T1059.007)\r\n• PowerShell (T1059.001)\r\n• Visual Basic (T1059.005)\r\n• Windows Command Shell (T1059.003)\r\nExploitation for Client Execution (T1203)\r\nScheduled Task/Job (T1053)\r\n• Scheduled Task (T1053.005)\r\nSoftware Deployment Tools (T1072)\r\nSystem Services (T1569)\r\n• Service Execution (T1569.002)\r\n• Malicious File (T1204.002)\r\n• Malicious Link (T1204.001)\r\nWindows Management Instrumentation (T1047)\r\nPersistence (TA0003)\r\nBoot or Logon Autostart Execution (T1547)\r\n• Registry Run Keys / Startup Folder (T1547.001)\r\nCreate or Modify System Process (T1543)\r\n• Windows Service (T1543.003)\r\nHijack Execution Flow (T1574)\r\n• DLL Side-Loading (T1574.002)\r\nOffice Application Startup (T1137)\r\nServer Software Component (T1505)\r\n• Web Shell (T1505.003)\r\nPrivilege Escalation (TA0004)\r\nExploitation for Privilege Escalation (T1068)\r\nProcess Injection (T1055)\r\n
Defense Evasion (TA0005)\r\nHide Artifacts (T1564)\r\n• Hidden Files and Directories (T1564.001)\r\n• Hidden Window (T1564.003)\r\n• NTFS File Attributes (T1564.004)\r\nIndicator Removal on Host (T1070)\r\n• Clear Windows Event Logs (T1070.001)\r\n• File Deletion (T1070.004)\r\n• Timestomp (T1070.006)\r\nMasquerading (T1036)\r\n• Masquerade Task or Service (T1036.004)\r\n• Match Legitimate Name or Location (T1036.005)\r\n• Rename System Utilities (T1036.003)\r\nModify Registry (T1112)\r\nObfuscated Files or Information (T1027)\r\n• Binary Padding (T1027.001)\r\nSystem Binary Proxy Execution (T1218)\r\n• Mshta (T1218.005)\r\n• Regsvr32 (T1218.010)\r\n• Rundll32 (T1218.011)\r\nSystem Script Proxy Execution (T1216)\r\n• PubPrn (T1216.001)\r\nUse Alternate Authentication Material (T1550)\r\n• Pass the Hash (T1550.002)\r\n• Pass the Ticket (T1550.003)\r\nCredential Access (TA0006)\r\nInput Capture (T1056)\r\n• Keylogging (T1056.001)\r\nOS Credential Dumping (T1003)\r\n• LSASS Memory (T1003.001)\r\nUnsecured Credentials (T1552)\r\n• Credentials in Registry (T1552.002)\r\nDiscovery (TA0007)\r\nAccount Discovery (T1087)\r\n• Local Account (T1087.001)\r\nFile and Directory Discovery (T1083)\r\nNetwork Service Discovery (T1046)\r\nNetwork Share Discovery (T1135)\r\nQuery Registry (T1012)\r\nRemote System Discovery (T1018)\r\nSystem Information Discovery (T1082)\r\nSystem Network Configuration Discovery (T1016)\r\nSystem Network Connections Discovery (T1049)\r\nSystem Owner/User Discovery (T1033)\r\n
Lateral Movement (TA0008)\r\nLateral Tool Transfer (T1570)\r\nRemote Services (T1021)\r\n• SMB/Windows Admin Shares (T1021.002)\r\nSoftware Deployment Tools (T1072)\r\nCollection (TA0009)\r\nArchive Collected Data (T1560)\r\nCommand and Control (TA0011)\r\nApplication Layer Protocol (T1071)\r\n• Mail Protocols (T1071.003)\r\n• Web Protocols (T1071.001)\r\nIngress Tool Transfer (T1105)\r\nNon-Standard Port (T1571)\r\nWeb Service (T1102)\r\nExfiltration (TA0010)\r\nExfiltration Over Alternative Protocol (T1048)\r\n• Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)\r\nExfiltration Over C2 Channel (T1041)\r\nFigure 2: Attack Lifecycle Ocean Lotus / APT32\r\n
Recommendations \u0026 Mitigations\r\nWe have listed the steps to be taken in order to be protected from the threat and/or to minimize the possible damage, according to the identified techniques, tactics, and procedures of the Ocean Lotus APT group.\r\nUse strong passwords and multi-factor authentication: This will help to protect your accounts from being compromised by password guessing or brute force attacks. Multi-factor authentication adds an extra layer of security by requiring another form of verification, such as a code sent to your mobile phone, in addition to your password.\r\nKeep your software up to date: Outdated software can contain security vulnerabilities that can be exploited by attackers. By ensuring that your software is up to date, you can help to close these potential entry points.\r\nInstall a reputable security suite: A good security suite can provide protection against a wide range of threats, including viruses, malware, and phishing attacks.\r\nBe cautious when opening email attachments: Email attachments may contain malicious code that can infect your computer. Before opening an attachment, make sure that you trust the sender and that you have scanned the attachment for viruses using reliable antivirus software.\r\nDon’t click on links in emails from unknown senders: Emails from unknown or untrustworthy sources may contain malicious code or attachments.\r\nConclusion\r\nOcean Lotus is well-resourced and executes its attacks with precision and care. The group uses a variety of custom tools, which suggests a high level of technical capability. Additionally, the group appears to have significant financial resources, as evidenced by its use of 0-day exploits and its ability to mount long-term operations.\r\nSource: https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/"
	],
	"report_names": [
		"ocean-lotus-apt-group"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61c16af3-1c0e-449d-bc0e-60ae3f49dd9f",
			"created_at": "2024-07-28T02:00:04.69478Z",
			"updated_at": "2026-04-10T02:00:03.681909Z",
			"deleted_at": null,
			"main_name": "UAC-0102",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0102",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af8a0f81d234b77742640be6aaad3ccaf317ab86.pdf",
		"text": "https://archive.orkl.eu/af8a0f81d234b77742640be6aaad3ccaf317ab86.txt",
		"img": "https://archive.orkl.eu/af8a0f81d234b77742640be6aaad3ccaf317ab86.jpg"
	}
}