{
	"id": "d9b43630-3c36-4706-a08a-290bd8f1c845",
	"created_at": "2026-04-06T00:09:01.837132Z",
	"updated_at": "2026-04-10T03:36:21.92628Z",
	"deleted_at": null,
	"sha1_hash": "bddc3d85b7f57b186c0bf3e794469bbe0d685368",
	"title": "An OceanLotus (APT32) Backdoor – One Night in Norfolk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 845852,
	"plain_text": "An OceanLotus (APT32) Backdoor – One Night in Norfolk\r\nPublished: 2019-03-24 · Archived: 2026-04-05 23:20:24 UTC\r\nRecently, various industry and media sources have publicly reported that OceanLotus, a suspected Vietnam state-sponsored adversary, has conducted multiple targeted intrusions against auto manufacturers. This post examines a\r\nsecond-stage tool, JEShell, used during one such intrusion.\r\nJEShell contains code-level overlaps with the OceanLotus KerrDown malware first publicly described in a\r\nMedium post and a Palo Alto Unit42 post. At a high level, JEShell is functionally similar to the KerrDown\r\nmalware: both families decode and run layers of shellcode with the intention of downloading or directly installing\r\na Cobalt Strike Beacon implant. Unlike KerrDown (a Windows DLL), JEShell is written in Java. JEShell is\r\ndelivered alongside (rather than instead of) KerrDown and other implants and in some cases shares the same C2,\r\nlikely as a measure of redundancy for the attacker.\r\nThis post examines one of two identified JEShell hashes:\r\nMD5: dfc78da5202a70066eba124660fd5085\r\nSHA1: 8cad6621901b5512f4ecab7a22f8fcc205d3762b\r\nSHA256: ea854e2e17615c54edbd6ee2babb874d957f094f3945992f5ac27b78b023051c\r\nC2: update.msoffice-templates[.]info\r\nThe other known file, not examined in this post, is:\r\nMD5: 74731674920c51668c36cc3c16f30553\r\nSHA1: 668572ba2aff5374a3536075b01854678c392c04\r\nSHA256: 040c1fcec79cd19a6aaedf9cabf3cc21cc6c30e6af4048087995d71fc4571cee\r\nC2: stream.playnetflix[.]com\r\nJEShell contains an encrypted resource with a randomized name and an XOR key (different between samples)\r\nused to decode it. The XOR is performed in a rolling fashion using a “mod” function: the first byte of the\r\nencrypted resource is XORed by the byte representation of the first character of the key, the second byte by the\r\nsecond character, and so on. When the end of the key is reached, it returns to the first letter. By doing this, the\r\nauthors ensure that the decoded resource is not revealed or detected by a brute force mechanism.\r\nhttps://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/\r\nPage 1 of 3\n\nJEShell resource (top, boxed in red) and key (middle, boxed in red) decoded into shellcode (bottom\r\nleft)\r\nThe resource is decoded into a byte array and loaded into memory through one of two workflows. On a 32-bit\r\nsystem, the resource is injected into the memory of the currently running process (Java.exe). On a 64-bit system a\r\nprocess is randomly selected and created from a hardcoded list and the array is injected into that process. The\r\nprocess list used on 64-bit systems in this sample is:\r\n“C:\\\\Windows\\\\SysWOW64\\\\ARP.exe”, “C:\\\\Windows\\\\SysWOW64\\\\at.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\auditpol.exe”, “C:\\\\Windows\\\\SysWOW64\\\\bitsadmin.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\bootcfg.exe”, “C:\\\\Windows\\\\SysWOW64\\\\ByteCodeGenerator.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\cacls.exe”, “C:\\\\Windows\\\\SysWOW64\\\\chcp.com”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\CheckNetIsolation.exe”, “C:\\\\Windows\\\\SysWOW64\\\\chkdsk.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\choice.exe”, “C:\\\\Windows\\\\SysWOW64\\\\cmdkey.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\comp.exe”, “C:\\\\Windows\\\\SysWOW64\\\\diskcomp.com”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\Dism.exe”, “C:\\\\Windows\\\\SysWOW64\\\\esentutl.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\expand.exe”, “C:\\\\Windows\\\\SysWOW64\\\\fc.exe”,\r\n“C:\\\\Windows\\\\SysWOW64\\\\find.exe”, “C:\\\\Windows\\\\SysWOW64\\\\gpresult.exe”\r\n32-bit check and process injection routines for both 32 and 64-bit systems.\r\nThe injected shellcode contains multiple layers. The first layer dynamically resolves APIs and decodes a second\r\nlayer (a previous post contains suggestions on analyzing shellcode), writing this to a section of virtual memory\r\nand executing it with the Kernel32.CreateThread Windows API call:\r\nThe first-stage shellcode (top left) calling Kernel32.ResumeThread on the second layer of shellcode\r\nwritten to an executable section of memory.\r\nThe second layer of shellcode behaves similarly: it decrypts (via CryptDecrypt) a copy of the Cobalt Strike\r\nBeacon implant into memory that is configured with a modified version of a malleable C2 profile.\r\nSecond layer of shellcode decoding a Cobalt Strike Beacon implant into memory\r\nSource: https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/"
	],
	"report_names": [
		"jeshell-an-oceanlotus-apt32-backdoor"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bddc3d85b7f57b186c0bf3e794469bbe0d685368.pdf",
		"text": "https://archive.orkl.eu/bddc3d85b7f57b186c0bf3e794469bbe0d685368.txt",
		"img": "https://archive.orkl.eu/bddc3d85b7f57b186c0bf3e794469bbe0d685368.jpg"
	}
}