{
	"id": "02f9b79e-dc47-4278-ab98-e79dcc9adec1",
	"created_at": "2026-04-06T00:14:34.62667Z",
	"updated_at": "2026-04-10T03:36:21.937066Z",
	"deleted_at": null,
	"sha1_hash": "d9e36d91ff8d0676be017c5fe6a78df7dcd45913",
	"title": "OceanLotus APT Uses Steganography to Shroud Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194983,
	"plain_text": "OceanLotus APT Uses Steganography to Shroud Payloads\r\nBy Lindsey O'Donnell\r\nPublished: 2019-04-03 · Archived: 2026-04-05 18:06:44 UTC\r\nThe OceanLotus APT is using two new loaders which use steganography to read their encrypted payloads.\r\nThe advanced persistent threat (APT) group OceanLotus has switched up its tactics to use steganography to cloak\r\nencrypted payloads within .png image files.\r\nResearchers said that they discovered the OceanLotus APT group – a Vietnam-linked cyber-espionage group also\r\nknown as APT32 – using the tactic to hide their payloads since September 2018. After victims click on malicious\r\nfiles sent via phishing emails, a loader will execute a next-stage encrypted payload that is obfuscated using\r\nsteganography – a method of hiding code within an image. Once decoded, decrypted, and executed, the payload\r\nwill deploy the APT’s backdoor.\r\n“The threat actor will first encode an image with their payload of choice, before distributing it with a simple\r\ndecoder to a target,” Tom Bonner, BlackBerry Cylance director of threat research, told Threatpost. “There are\r\nmany tools that can be used to encode/decode data in images, but the OceanLotus implementation appears to be\r\nbespoke, and therefore not easily prone to detection by standard analysis tools.”\r\nOceanLotus, active since at least 2014, has targeted private sector industries and foreign governments, primarily in\r\nSoutheast Asian countries including Vietnam or the Philippines, according to Bonner. OceanLotus actors are\r\nknown to deliver their malicious attachments via spear phishing emails.\r\nIn the latest campaigns launched by the APT, researchers said that they observed two new obfuscated loaders\r\ndeploying two types of APT32-specific backdoors. 
These loaders have been observed active since September\r\n2018 – but this is the first time that their existence has been reported, researchers said.\r\nThe first steganography-based loader deploys a version of a backdoor dubbed “Denes.” The malware loader first\r\nattempts to imitate McAfee’s McVsoCfg dynamic link library (DLL) file, researchers said. That tricks the\r\nlegitimate “On Demand Scanner” executable on the system into side-loading the malicious file, which then loads a\r\nnext-stage encrypted payload. That payload is stored in a separate .png image file and uses steganography to avoid\r\ndetection.\r\n“The user does not interact with the image (nor is the image sent via email), rather the image is used to hide the\r\npayload from analysts/tools/monitoring software,” Bonner told Threatpost. “In a way, the payload is hiding in\r\nplain sight, as an image carrying a payload will be virtually indistinguishable from an original image.”\r\nResearchers said that one of the payloads they encountered, for instance, was encoded inside an image of a popular\r\nJapanese manga series character (Kaito Kuroba).\r\nThe encoded payload is also encrypted with AES128 and further obfuscated with XOR in an attempt to fool\r\nsteganography detection tools, researchers said. Once uploaded, the payload is then decrypted.\r\nThe second loader uses the same extraction technique as the first (an executable tricked into side-loading a\r\nmalicious DLL), although the loader itself differs a bit in\r\nimplementation and loads an updated version of a different backdoor called ‘Remy.’ And while the DLL loader in\r\nthis instance also loads the next-stage payload using a custom .png steganography method, it also uses a separate\r\n.png image.\r\nHere, the payload is extracted from the .png image after the victim clicks on the phishing email. 
The .png image\r\nfor this second loader appears to have been taken from an inspirational quotes website, researchers said.\r\nWhile steganography is an old-school tactic, bad actors are continuing to push the boundaries when\r\nusing steganography to conceal their malware. Steganography has been used in several campaigns over the past\r\nyear, including in uploaded images on trusted Google sites and even in memes on Twitter.\r\nSource: https://threatpost.com/oceanlotus-apt-uses-steganography-to-shroud-payloads/143373/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/oceanlotus-apt-uses-steganography-to-shroud-payloads/143373/"
	],
	"report_names": [
		"143373"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9e36d91ff8d0676be017c5fe6a78df7dcd45913.pdf",
		"text": "https://archive.orkl.eu/d9e36d91ff8d0676be017c5fe6a78df7dcd45913.txt",
		"img": "https://archive.orkl.eu/d9e36d91ff8d0676be017c5fe6a78df7dcd45913.jpg"
	}
}