{
	"id": "07a77cc0-b4bf-45fc-b463-f7ea2d85ab35",
	"created_at": "2026-04-06T00:18:12.579001Z",
	"updated_at": "2026-04-10T03:35:59.034928Z",
	"deleted_at": null,
	"sha1_hash": "d93d462bb6257f0eea7fff5f522a324c6cd507a1",
	"title": "Vietnamese Threat Actors APT32 Targets Wuhan Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271693,
	"plain_text": "Vietnamese Threat Actors APT32 Targets Wuhan Government\r\nBy Mandiant\r\nPublished: 2020-04-22 · Archived: 2026-04-05 15:52:18 UTC\r\nWritten by: Scott Henderson, Gabby Roncone, Sarah Jones, John Hultquist, Ben Read\r\nFrom at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against\r\nChinese targets that Mandiant Threat Intelligence believes was designed to collect intelligence on the COVID-19\r\ncrisis. Spear phishing messages were sent by the actor to China's Ministry of Emergency Management as well as\r\nthe government of Wuhan province, where COVID-19 was first identified. While targeting of East Asia is\r\nconsistent with the activity we’ve previously reported on APT32, this incident, and other publicly reported\r\nintrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately\r\nseeking solutions and nonpublic information.\r\nPhishing Emails with Tracking Links Target Chinese Government\r\nThe first known instance of this campaign was on Jan. 6, 2020, when APT32 sent an email with an embedded\r\ntracking link (Figure 1) to China's Ministry of Emergency Management using the sender address\r\nlijianxiang1870@163[.]com and the subject 第一期办公设备招标结果报告 (translation: Report on the first\r\nquarter results of office equipment bids). 
The embedded link contained the victim's email address and code to report back to the actors if the email was opened.\r\nFigure 1: Phishing email to China's Ministry of Emergency Management\r\nMandiant Threat Intelligence uncovered additional tracking URLs that revealed targets in China's Wuhan government and an email account also associated with the Ministry of Emergency Management.\r\nhttps://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html\r\nPage 1 of 5\n\nlibjs.inquirerjs[.]com/script/\u003cVICTIM\u003e@wuhan.gov.cn.png\r\nlibjs.inquirerjs[.]com/script/\u003cVICTIM\u003e@chinasafety.gov.cn.png\r\nm.topiccore[.]com/script/\u003cVICTIM\u003e@chinasafety.gov.cn.png\r\nm.topiccore[.]com/script/\u003cVICTIM\u003e@wuhan.gov.cn.png\r\nlibjs.inquirerjs[.]com/script/\u003cVICTIM\u003e@126.com.png\r\nThe libjs.inquirerjs[.]com domain was used in December as a command and control domain for a METALJACK phishing campaign likely targeting Southeast Asian countries.\r\nAdditional METALJACK Activity Suggests Campaigns Targeting Mandarin Speakers Interested in COVID-19\r\nAPT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While we have not uncovered the full execution chain, we uncovered a METALJACK loader that displays a COVID-19 decoy document with a Chinese-language title while launching its payload.\r\nWhen the METALJACK loader, krpt.dll (MD5: d739f10933c11bd6bd9677f91893986c), is loaded, the export \"_force_link_krpt\" is likely called. The loader executes one of its embedded resources, a COVID-themed RTF file, displaying the content to the victim and saving the document to %TEMP%.\r\nThe decoy document (Figure 2), titled 冠状病毒实时更新：中国正在追踪来自湖北的旅行者 (MD5: c5b98b77810c5619d20b71791b820529; translation: COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province), displays a copy of a New York Times article to the victim.\r\nFigure 2: COVID-themed decoy document\r\nThe malware also loads shellcode from an additional resource (MD5: a4808a329b071a1a37b8d03b1305b0cb), which contains the METALJACK payload. The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL. If the callout is successful, the malware loads the METALJACK payload into memory. It then uses vitlescaux[.]com for command and control.\r\nOutlook\r\nThe COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted, as seen in reports. Medical research has been targeted as well, according to public statements by a Deputy Assistant Director of the FBI. Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally.\r\nIndicators\r\nType | Indicators\r\nDomains | m.topiccore[.]com, jcdn.jsoid[.]com, libjs.inquirerjs[.]com, vitlescaux[.]com\r\nEmail Address | lijianxiang1870@163[.]com\r\nFiles | MD5: d739f10933c11bd6bd9677f91893986c (METALJACK loader); MD5: a4808a329b071a1a37b8d03b1305b0cb (METALJACK payload); MD5: c5b98b77810c5619d20b71791b820529 (decoy document, not malicious)\r\nDetecting the Techniques\r\nPlatform | Signature Name\r\nEndpoint Security | Generic.mg.d739f10933c11bd6\r\nNetwork Security | Trojan.Apost.FEC2, Trojan.Apost.FEC3, fe_ml_heuristic\r\nEmail Security | Trojan.Apost.FEC2, Trojan.Apost.FEC3, fe_ml_heuristic\r\nHelix |\r\nMandiant Security Validation Actions\r\nA150-096 - Malicious File Transfer - APT32, METALJACK, Download\r\nA150-119 - Protected Theater - APT32, METALJACK Execution\r\nA150-104 - Phishing Email - Malicious Attachment, APT32, Contact Information Lure\r\nMITRE ATT\u0026CK Technique Mapping\r\nTactic | Techniques\r\nInitial Access | Spearphishing Attachment (T1193), Spearphishing Link (T1192)\r\nExecution | Regsvr32 (T1117), User Execution (T1204)\r\nDefense Evasion | Regsvr32 (T1117)\r\nCommand and Control | Standard Cryptographic Protocol (T1032), Custom Command and Control Protocol (T1094)\r\nSource: https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html"
	],
	"report_names": [
		"apt32-targeting-chinese-government-in-covid-19-related-espionage.html"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d93d462bb6257f0eea7fff5f522a324c6cd507a1.pdf",
		"text": "https://archive.orkl.eu/d93d462bb6257f0eea7fff5f522a324c6cd507a1.txt",
		"img": "https://archive.orkl.eu/d93d462bb6257f0eea7fff5f522a324c6cd507a1.jpg"
	}
}