{
	"id": "65ac1d92-b22a-486b-b793-ea75ffc7bad6",
	"created_at": "2026-04-06T00:13:45.514207Z",
	"updated_at": "2026-04-10T03:36:22.051205Z",
	"deleted_at": null,
	"sha1_hash": "c340ee8a35dd62395f18fa4979462ddcacf07944",
	"title": "Tracking OceanLotus’ new Downloader, KerrDown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2760247,
	"plain_text": "Tracking OceanLotus’ new Downloader, KerrDown\r\nBy Vicky Ray, Kaoru Hayashi\r\nPublished: 2019-02-01 · Archived: 2026-04-05 17:55:42 UTC\r\nOceanLotus (AKA APT32) is a threat actor group known to be one of the most sophisticated threat actors originating out of Southeast Asia. Multiple attack campaigns have been reported by a number of security organizations in the last couple of years, documenting the tools and tactics used by the threat actor. While OceanLotus’ targets are global, their operations are mostly active within the APAC region, where they target private sector organizations across multiple industries, foreign governments, activists, and dissidents connected to Vietnam.\r\nThis blog covers a new custom downloader malware family we’ve named “KerrDown”, which OceanLotus has been actively using since at least early 2018. We also show how the Jaccard index was used to quickly find similarities between the new KerrDown samples within our datasets. This method has proven very useful for extracting similarities from large sample datasets and connecting attack campaigns together. Given the large number of KerrDown samples found, we were also able to discern possible patterns in OceanLotus’ working hours and days of the week, which is discussed in the later sections of this blog.\r\nWe identified two methods used to deliver the KerrDown downloader to targets. One is a Microsoft Office document with a malicious macro; the other is a RAR archive containing a legitimate program that side-loads a malicious DLL. For the RAR archive files, the file names used to trick targets are all in Vietnamese, as shown in Figure 11. Our analysis shows that the primary targets of the ongoing campaign discussed in this blog are either in Vietnam or are Vietnamese-speaking individuals.
\r\nMalicious Document\r\nOur analysis began with an active mime document, something we've seen OceanLotus use before, but this time carrying a new payload, KerrDown. The lure hash is (SHA256: 89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3).\r\nFigure 1 below shows a snapshot of the lure file. When the victim opens the lure document, they see an image with a message in Vietnamese asking them to enable macros to view the contents of the file. At first glance the document appears to contain nothing other than the notification to enable macros. However, a closer look reveals two different base64 blobs inserted in the page in separate tables, with the font size set to 1 so that victims are likely to overlook the content. Another reason for this technique may be that many automated tools are able to detect the presence of an embedded binary within the streams of such files, and storing the binary as text may allow it to go undetected.\r\nDelivery Document Analysis\r\nhttps://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/\r\nPage 1 of 15\n\nFigure 1: Lure document\r\nOnce we increase the font size, the base64 blobs are visible in two different tables. Once decoded, the MZ header of a PE DLL is visible at the beginning of each table, as shown in Figure 2.\r\nFigure 2: Base64-encoded PE DLL files embedded as text in the document.\r\nFigure 3 shows a code excerpt from the embedded macro that checks which base64 blob should be decoded based on the iCheck variable, a Boolean value which is set to true if the victim system is running a 64-bit OS and false on a 32-bit system. If the system is found to be 64-bit, the base64-encoded blob on the left is decoded; otherwise the blob on the right is decoded.
\r\nFigure 3: Base64 blob selection based on system check\r\nWe also noticed that the actors reused the VBS base64 decode function published by Motobit. Figure 4 shows the comparison between the base64 function used in the macro code and the VBS base64 decoder function published by Motobit.\r\nFigure 4: Base64 decoder comparison\r\nSimilarity Analysis of KerrDown Samples using Jaccard Index\r\nOnce we decoded and extracted both DLL files from the document, we used a similarity analysis algorithm based on the Jaccard index to check the binaries against a known set of malware families used by OceanLotus, which yielded no matches with any previous OceanLotus malware family. However, we were able to find multiple other samples in our datasets using the imphash value of the KerrDown samples and the accompanying C2 domains. Given the high number of samples found, we again used the Jaccard index to extract similarities between all the samples found. At this stage we were not sure whether the DLL files were a backdoor or had some other functionality. Hence, we added a few other known OceanLotus malware family samples, used no earlier than 2017, to our similarity test, in most cases samples that were final payloads dropped on victim machines. One of the main objectives was to quickly discern whether KerrDown could be a variant of the known malware families we have been tracking, or whether OceanLotus was employing a new malware family in their playbooks and recent campaigns. Plotting the Jaccard index results using networkx, we can quickly visualize the similarities extracted. As you can see from Figure 5, there is a thick cluster of samples at the top right of the networkx graph which did not have any similarities with the other known OceanLotus malware family samples.
Therefore, this observation helped us understand that the samples we were looking into were likely a new malware family being employed by the OceanLotus group at the time of analysis, which we have now named KerrDown.\r\nFigure 5: Similarity analysis using Jaccard Index\r\nKerrDown to Cobalt Strike Beacon\r\nAs discussed in the delivery document analysis above, depending on the OS architecture, one of the two embedded KerrDown DLLs is dropped on the victim machine. The DLL is dropped in the directory ‘Users\\Administrator\\AppData\\Roaming\\’ as ‘main_background.png’. The DLL retrieves the payload from the URL, decrypts it using the DES algorithm and executes it in memory. Thus only the KerrDown DLL downloader is saved on the system, and the payload is executed directly in memory without being written to disk. Table 1 shows the URL the downloader will attempt to download the payload from, depending on the OS architecture of the victim machine.\r\nOS Architecture | URL | User Agent\r\n32 bit | https://syn.servebbs[.]com/kuss32.gif | Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)\r\n64 bit | https://syn.servebbs[.]com/kuss64.gif | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)\r\nTable 1: Payload DLL selection based on architecture\r\nThe link to the final payload of KerrDown was still active at the time of analysis and hence we were able to download a copy, which turned out to be a variant of Cobalt Strike Beacon. Cybereason also published previously on OceanLotus using Cobalt Strike in their campaigns, and it is interesting to see a new downloader malware family being used to deliver the same final payload of Cobalt Strike.
As we can see in this case, the purpose of the malware is to download and execute the Cobalt Strike Beacon payload in memory. Though Cobalt Strike is a commercial penetration testing tool, various threat actors are known to have used it in their campaigns.\r\nRAR Archives with KerrDown\r\nWhile investigating KerrDown we found multiple RAR files containing a variant of the malware. We haven’t yet identified the delivery method or targets of this variant. The attacker changed the downloader code by adding more stages and hiding each stage with compression and encryption. They also changed the way the malicious code is executed, from an Office macro to the DLL side-loading technique through a legitimate program.\r\nThe RAR archive (SHA256: 040abac56542a2e0f384adf37c8f95b2b6e6ce3a0ff969e3c1d572e6b4053ff3) has the Vietnamese file name ‘Don khieu nai.rar’, which translates to 'Complaint letter' in English. The archive contains a legitimate older version of the Microsoft Word (Microsoft Word 2007) executable file, named ‘Noi dung chi tiet don khieu nai gui cong ty.exe’, which translates to ‘Learn more about how to use your company’ in English. The attacker used the DLL side-loading technique to have the older version of Microsoft Word load a malicious DLL. When the executable file in the archive is opened, it loads the malicious DLL from the same directory. The DLL executes multi-stage shellcode, and each stage employs a different technique to hide the next. The overall installation steps are below:\r\n1. The Microsoft Word exe loads wwlib.dll from the same directory and executes the ‘FMain’ function of the DLL.\r\n2. The DLL decodes base64-encoded shellcode in its body and executes it.\r\n3. The shellcode decompresses the second shellcode, which is compressed with the open source compression code UCL, and executes it.\r\n4. The second shellcode decrypts the third shellcode with AES.\r\n5. The third shellcode retrieves the fourth shellcode from the following remote location and executes it: https://cortanasyn[.]com/Avcv\r\n6. The fourth shellcode loads the embedded Cobalt Strike Beacon DLL in memory and executes it.\r\nFigure 6: Execution flow of sideloaded malicious downloader\r\nLooking at the compile timestamps of all the KerrDown samples in our datasets, we were able to make a couple of observations:\r\nOceanLotus has been using the new downloader in their campaigns since at least March 2018 and continues to actively use it. Figure 7 shows the timeline of the KerrDown samples:\r\nFigure 7: Downloader DLL compile time lines\r\nWhile it is already widely believed that the OceanLotus group may originate from Vietnam, we wanted to find possible working hour patterns from the samples in our datasets. We plotted the compile times in GMT+7 and found a clear pattern in the likely working hours of the group. The OceanLotus group has a typical 9 AM to 6 PM working pattern, with most samples compiled during this period of the day. Figure 8 shows the malware compilation timestamps in GMT+7 for each unique sample found in our dataset.\r\nFigure 8: Malware compilation times in GMT+7\r\nWe also observed that all the samples were compiled on weekdays, Monday to Friday. Therefore, it is clear that the OceanLotus group works during weekdays and takes a break during the weekends. Figure 9 shows the samples compiled during the week.
\r\nFigure 9: Malware compilation during weekdays\r\nConclusion\r\nOceanLotus has been an active threat actor group for a number of years and remains one of the most sophisticated threat actors in the APAC region. As we have seen with the new KerrDown downloader being used in their recent campaigns, the group continues to build and employ new tools and techniques in their overall operations and playbooks. It is therefore imperative to understand and keep track of the group’s ongoing operations and capabilities to better defend against such threats. Given the high number of samples observed, we were also able to discern possible working hour patterns, which suggest that the group likely has formal working hours and operates out of a region such as Vietnam or a nearby country. While most of the targeting observed is towards Vietnamese-speaking victims, given the known broader geographic and industry-wide target base of OceanLotus, the group may use similar tools and playbooks against other targets.\r\nPalo Alto Networks customers are already protected via:\r\nAll samples in this report have a malicious verdict in WildFire\r\nDomains have been classified as malicious\r\nAutoFocus tags are available for additional context: OceanLotus and KerrDown.
\r\nIndicators of Compromise:\r\nLure Docs: SHA256 hashes are listed in the original report at the source URL.\r\nKerrDown DLLs: SHA256 hashes are listed in the original report at the source URL.
\r\nC2: domains are listed in the original report at the source URL.\r\nAppendix A:\r\nCobalt Strike Beacon contains hard-coded configuration data in its body. JPCERT published an article about the structure of the configuration. The sample we obtained has the following configuration (Figure 10) and connects to the C2 server https://b.cortanazone[.]com.\r\nFigure 10: Cobalt Strike Beacon configuration\r\nAppendix B:\r\nFigure 11 shows some of the contents of the individual RAR files.
All the .exe files are copies of Microsoft Word, and the associated ‘wwlib.dll’ file is the malicious downloader DLL KerrDown, which is sideloaded when the .exe file is executed.\r\nFigure 11: RAR archives with malicious DLL for sideloading\r\nSource: https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/"
	],
	"report_names": [
		"tracking-oceanlotus-new-downloader-kerrdown"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c340ee8a35dd62395f18fa4979462ddcacf07944.pdf",
		"text": "https://archive.orkl.eu/c340ee8a35dd62395f18fa4979462ddcacf07944.txt",
		"img": "https://archive.orkl.eu/c340ee8a35dd62395f18fa4979462ddcacf07944.jpg"
	}
}