{
	"id": "44344731-caac-45f8-9651-c752db750437",
	"created_at": "2026-04-06T00:07:04.223812Z",
	"updated_at": "2026-04-10T03:36:21.81302Z",
	"deleted_at": null,
	"sha1_hash": "b802d4a3eae2d091c99443ba66af628df01114eb",
	"title": "New MacOS Backdoor Linked to OceanLotus Found",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102092,
	"plain_text": "New MacOS Backdoor Linked to OceanLotus Found\r\nBy: Jaromir Horejsi, Apr 04, 2018. Read time: 6 min (1532 words)\r\nPublished: 2018-04-04 · Archived: 2026-04-05 19:24:46 UTC\r\nWe identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty). OceanLotus was responsible for launching targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.\r\nThe MacOS backdoor was found in a malicious Word document presumably distributed via email. The document bears the filename “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.” The document claims to be a registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.\r\nFigure 1. Graphic used by the malicious document\r\nUpon receiving the malicious document, the user is advised to enable macros. In our analysis, the macro is obfuscated, character by character, using the decimal ASCII code. This is shown in the figure below.\r\nFigure 2. Code snippet of the obfuscated document\r\nAfter deobfuscation, we can see that the payload is written in the Perl programming language. It extracts the theme0.xml file from the Word document. theme0.xml is a Mach-O 32-bit executable with a 0xFEEDFACE signature that is also the dropper of the backdoor, which is the final payload. theme0.xml is extracted to /tmp/system/word/theme/syslogd before it’s executed.\r\nFigure 3. Deobfuscated Perl payload from the delivery document\r\nDropper analysis\r\nThe dropper is used to install the backdoor into the infected system and establish its persistence.\r\nFigure 4. The main function of the dropper\r\nAll strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and a custom base64-encoded and RSA256-encrypted string.\r\nFigure 5. Hardcoded RSA256 key showing the first 20 characters\r\nUsing the setStartup() method, the dropper first checks whether it is running as root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed. The locations:\r\nFor root user\r\npath: /Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources/\r\nprocessname: screenassistantd\r\nFor regular user\r\npath: ~/Library/Spelling/\r\nprocessname: spellagentd\r\nSubsequently, it implements the Loader::installLoader method, reading the hardcoded 64-bit Mach-O executable (magic value 0xFEEDFACF), and writing it to the previously determined path and file.\r\nFigure 6. The dropper installs the backdoor, sets its attributes to “hidden”, and sets a random file date and time\r\nWhen the dropper installs the backdoor, it sets its attributes to “hidden” and sets the file date and time to random values using the touch command: touch -t YYMMDDMM “/path/filename” \u003e /dev/null. The access permissions will then be changed to 0x1ed = 755, which is equal to u=rwx,go=rx.\r\nFigure 7. The magic value 0xFEEDFACF that belongs to Mach-O Executable (64 bit)\r\nMethods GET_LAUNCHNAME and GET_LABELNAME will return the hardcoded name of the property list “.plist” for the root user (com.apple.screen.assistantd.plist) and for the regular user (com.apple.spell.agent.plist). Afterwards, the persistence file will be created in the /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. The RunAtLoad key will command launchd to run the daemon when the operating system starts up, while the KeepAlive key will command launchd to let the process run indefinitely. This persistence file is also set to hidden with a randomly generated file date and time.\r\nFigure 8. Property list with persistence settings\r\nlaunchctl load /Library/LaunchDaemons/filename.plist \u003e /dev/nul or launchctl load ~/Library/LaunchAgents/filename.plist \u003e /dev/nul will then command the operating system to start the dropped backdoor file at login. The dropper will delete itself at the end of the process.\r\nBackdoor analysis\r\nThe main loop of the backdoor has two main functions, infoClient and runHandle. infoClient is responsible for collecting OS info, submitting this info to its C\u0026C servers (the servers are malicious in nature), and receiving additional C\u0026C communication information. Meanwhile, runHandle is responsible for the backdoor capabilities.\r\nFigure 9. The main functions of the backdoor\r\ninfoClient fills up the variables in the HandlePP class.\r\nFigure 10. List of variables belonging to the HandlePP class\r\nclientID is an MD5 hash derived from the environment variables, while strClientID is a hexadecimal representation of clientID. All strings below are encrypted via AES256 and base64 encoding. The HandlePP::getClientID method uses the following environment variables:\r\nFigure 11. Serial number\r\nFigure 12. Hardware UUID\r\nFigure 13. MAC address\r\nFigure 14. Randomly generated UUID\r\nFor the initial information packet, the backdoor also collects the following:\r\nFigure 15. OS version\r\nRunning getpwuid -\u003epw_name, scutil --get ComputerName, and uname -m will provide the following returns respectively:\r\nMac OSX 10.12.\r\nSystem Administrator\r\n\u003cowner’s name\u003e's iMac\r\nx86_64\r\nAll these data are scrambled and encrypted before being sent to the C\u0026C server. The process is detailed below:\r\nScrambling\r\nClass Parser has several methods, one for each variable type: Parser::inBytes, Parser::inByte, Parser::inString, and Parser::inInt.\r\nFigure 16. Parser::inBytes method\r\nIf clientID equals the following sequence of bytes B4 B1 47 BC 52 28 28 73 1F 1A 01 6B FA 72 C0 73, then the scrambled version is computed using the third parameter (0x10), which is treated as a DWORD. Each quadruple of bytes is XOR-ed with it, as shown in the example below.\r\nFigure 17. Parser::inByte method\r\nWhen scrambling one byte, the scrambler first determines if the byte value is odd or even. If the value is odd, it adds the byte, along with one more randomly generated byte, to the array. In the case of an even value, the randomly generated byte is added first, followed by the byte being added. In the case above, the third parameter is ‘1’ = 0x31, which is an odd number. This means that it adds byte ‘1’ and one randomly generated byte to the final scrambled array.\r\nFigure 18. Parser::inString method\r\nWhen scrambling a string, the scrambler generates a 5-byte long sequence. First, it generates one random byte, followed by three zero bytes, one random byte, and finally, the byte with the length of the string. Let’s say we want to scramble the string ‘Mac OSX 10.12.’ Its length is 13 = 0x0d, and the two random bytes are 0xf3 and 0x92. The final 5-byte sequence looks like F3 00 00 00 92 0D. The original string is then XOR’ed with the 5-byte sequence.\r\nFigure 19. Scrambling ‘Mac OSX 10.12’\r\nEncryption\r\nThe scrambled byte sequence is passed onto the constructor of the class Packet::Packet, which creates a random AES256 key and encrypts the buffer with this key.\r\nEncoding the encryption key\r\nIn order for the C\u0026C server to decrypt the encrypted data, the randomly generated AES256 key must be included in the packet along with the encrypted data. However, this key is also scrambled with an XOR 0x13 operation followed by a ROL 6 operation applied to each byte.\r\nFigure 20. Function for scrambling the AES256 key in the outgoing packet\r\nSome screenshots taken during the scrambling and encryption process:\r\nFigure 21. The highlighted bytes represent the scrambled computer info\r\nFigure 22. Randomly generated AES256 key\r\nFigure 23. Scrambled AES256 key (0xC1 XOR 0x13 = 0xD2, 0xD2 ROL 6 = 0xB4, etc.)\r\nFigure 24. Computer info encrypted with AES256 key\r\nFigure 25. Screenshot of the final payload to be sent to the C\u0026C server. The scrambled AES256 key is marked green, while the encrypted computer info is marked red. Other bytes are just randomly generated noise.\r\nWhen the backdoor receives the response from the C\u0026C server, the final payload needs to be decoded again in a similar manner via decryption and descrambling. Packet::getData decrypts the received payload and Converter::outString descrambles the result. The received data from the C\u0026C server include the following information:\r\nHandlePP::urlRequest (/appleauth/static/cssj/N252394295/widget/auth/app.css)\r\nHandlePP::keyDecrypt\r\nSTRINGDATA::BROWSER_SESSION_ID (m_pixel_ratio)\r\nSTRINGDATA::RESOURCE_ID\r\nThese data will be used later in the C\u0026C communication, as shown in the Wireshark screenshot below.\r\nFigure 26. Communication with the C\u0026C server after the exchange of OS packet info\r\nMeanwhile, the runHandle method of the main backdoor loop will call the requestServer method with the following backdoor commands (each command has a one-byte-long code and is extracted by Packet::getCommand):\r\nFigure 27. The getCommand method\r\nThe figure below shows an example of two of several possible command codes. Both create one thread, and each thread is responsible for either downloading and executing a file or running a command line program in the terminal:\r\nFigure 28. Commands used for downloading and executing, and running a command in terminal\r\nFigure 29. Commands used in uploading and downloading files\r\nFigure 30. Supported commands and their respective codes\r\nMitigation\r\nMalicious attacks targeting Mac devices are not as common as their counterparts, but the discovery of this new MacOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices against phishing attacks regardless of operating system.\r\nEnd users can benefit from security solutions such as Trend Micro Antivirus for Mac, which provides comprehensive security and multi-device protection against cyberthreats. Enterprises can benefit from Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.\r\nIndicators of Compromise (IoCs)\r\nC\u0026C servers\r\nSsl[.]arkouthrie[.]com\r\ns3[.]hiahornber[.]com\r\nwidget[.]shoreoa[.]com\r\nSHA256\r\nDelivery document (W2KM_OCEANLOTUS.A):\r\n2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a\r\nDropper (OSX_OCEANLOTUS.D):\r\n4da8365241c6b028a13b82d852c4f0155eb3d902782c6a538ac007a44a7d61b4\r\nBackdoor (OSX_OCEANLOTUS.D):\r\n673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/"
	],
	"report_names": [
		"new-macos-backdoor-linked-to-oceanlotus-found"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434024,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b802d4a3eae2d091c99443ba66af628df01114eb.pdf",
		"text": "https://archive.orkl.eu/b802d4a3eae2d091c99443ba66af628df01114eb.txt",
		"img": "https://archive.orkl.eu/b802d4a3eae2d091c99443ba66af628df01114eb.jpg"
	}
}