{
	"id": "330e407a-ff14-4159-b5d9-3ad55724dc70",
	"created_at": "2026-04-06T00:14:39.844974Z",
	"updated_at": "2026-04-10T03:36:21.88011Z",
	"deleted_at": null,
	"sha1_hash": "da3685afbc2e65105173b849ed6c94ef8f422ac5",
	"title": "Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2447516,
	"plain_text": "Operation Cobalt Kitty: A large-scale APT in Asia carried out by\r\nthe OceanLotus Group\r\nBy Assaf Dahan\r\nArchived: 2026-04-05 16:13:33 UTC\r\nDubbed Operation Cobalt Kitty, the APT targeted a global corporation based in Asia with the goal of stealing\r\nproprietary business information. The threat actor targeted the company’s top-level management by using spear-phishing attacks as the initial penetration vector, ultimately compromising the computers of vice presidents, senior\r\ndirectors and other key personnel in the operational departments. During Operation Cobalt Kitty, the attackers\r\ncompromised more than 40 PCs and servers, including the domain controller, file servers, Web application server\r\nand database server.\r\nForensic artifacts revealed that the attackers persisted on the network for at least a year before Cybereason was\r\ndeployed. The adversary proved very adaptive and responded to the company’s security measures by periodically\r\nchanging tools, techniques and procedures (TTPs), allowing them to persist on the network for such an extensive\r\nperiod of time. Over 80 payloads and numerous domains were observed in this operation - all of which were\r\nundetected by traditional security products deployed in the company’s environment at the time of the attack.\r\nThe attackers’ arsenal consisted of modified publicly available tools as well as six undocumented custom-built\r\ntools, which Cybereason considers the threat actor’s signature tools. Among these tools are two backdoors that\r\nexploited DLL sideloading attacks in Microsoft, Google and Kaspersky applications. 
In addition, they developed a\r\nnovel and stealthy backdoor that targets Microsoft Outlook for its command-and-control channel and data\r\nexfiltration.\r\nBased on the tools, modus operandi and IOCs (indicators of compromise) observed in Operation Cobalt Kitty,\r\nCybereason attributes this large-scale cyber espionage APT to the “OceanLotus Group” (also known as\r\nAPT-C-00, SeaLotus and APT32). For detailed information tying Operation Cobalt Kitty to the OceanLotus\r\nGroup, please see our Attacker’s Arsenal and Threat Actor Profile sections.\r\nCybereason also attributes the recently reported Backdoor.Win32.Denis to the OceanLotus Group, which at the\r\ntime of this report’s writing had not been officially linked to this threat actor.\r\nFinally, this report offers a rare glimpse into what a cyber espionage APT looks like \"under the hood\". Cybereason\r\nwas able to monitor and detect the entire attack lifecycle, from infiltration to exfiltration and all the steps in\r\nbetween.\r\nOur report contains the following detailed sections (PDF):\r\nhttps://www.cybereason.com/blog/operation-cobalt-kitty-apt\r\nPage 1 of 16\n\nCobalt Kitty Lifecycle: A step-by-step analysis\r\nCobalt Kitty Attacker’s Arsenal: Deep dive into the tools used in the APT\r\nCobalt Kitty Threat Actor Profile and Indicators of Compromise\r\nHigh-level attack outline: A cat-and-mouse game in four acts\r\nThe following sections outline the four phases of the attack as observed by Cybereason’s analysts, who were\r\ncalled to investigate the environment after the company’s IT department suspected that their network was\r\nbreached but could not trace the source.\r\nPhase one: Fileless operation (PowerShell and Cobalt Strike payloads)\r\nBased on the forensic evidence collected from the environment, phase one was the continuation of the original\r\nattack that began about a year before Cybereason was deployed in the environment. 
During that phase, the threat\r\nactor operated a fileless PowerShell-based infrastructure, using customized PowerShell payloads taken from\r\nknown offensive frameworks such as Cobalt Strike, PowerSploit and Nishang.\r\nThe initial penetration vector was carried out by social engineering. A carefully selected group of employees\r\nreceived spear-phishing emails, containing either links to malicious sites or weaponized Word documents. These\r\ndocuments contained malicious macros that created persistence on the compromised machine using two scheduled\r\ntasks, whose purpose was to download secondary payloads (mainly Cobalt Strike Beacon):\r\nScheduled task 1: Downloads a COM scriptlet that redirects to a Cobalt Strike payload:\r\nScheduled task 2: Uses JavaScript to download a Cobalt Strike Beacon:\r\nSee more detailed analysis of the malicious documents in our Attack Life Cycle section.\r\nFileless payload delivery infrastructure\r\nIn the first phase of the attack, the attackers used a fileless in-memory payload delivery infrastructure consisting of\r\nthe following components:\r\n1. VBS and PowerShell-based loaders\r\nThe attackers dropped Visual Basic and PowerShell scripts in folders that they created under ProgramData (a\r\nhidden folder by default). The attackers created persistence using Windows’ registry, services and scheduled\r\ntasks. 
This persistence mechanism ensured that the loader scripts would execute either at startup or at\r\npredetermined intervals.\r\nValues found in Windows’ Registry: the VBS scripts are executed by Windows’ Wscript at startup:\r\nThe .vbs scripts as well as the .txt files contain the loader’s script, which launches PowerShell with a base64-encoded\r\ncommand, which either loads another PowerShell script (e.g. Cobalt Strike Beacon) or fetches a payload\r\nfrom the command-and-control (C\u0026C) server:\r\n2. In-memory fileless payloads from C\u0026C servers\r\nThe payloads served by the C\u0026C servers are mostly PowerShell scripts with embedded base64-encoded payloads\r\n(Metasploit and Cobalt Strike payloads):\r\nExample 1: PowerShell payload with embedded shellcode downloading Cobalt Strike Beacon\r\nThe decoded payload is shellcode whose purpose is to retrieve a Cobalt Strike Beacon from the C\u0026C server:\r\nExample 2: Cobalt Strike Beacon embedded in obfuscated PowerShell\r\nA second type of obfuscated PowerShell payload consisted of Cobalt Strike’s Beacon payload:\r\nLess than 48 hours after Cybereason alerted the company about the breach, the attackers started to change\r\ntheir approach and almost completely abandoned the PowerShell infrastructure that they had been using -\r\nreplacing it with sophisticated custom-built backdoors. 
The attackers’ remarkable ability to quickly adapt\r\ndemonstrated their skill and their familiarity with and command of the company’s network and its operations.\r\nThe attackers most likely replaced the PowerShell infrastructure after the company used both Windows Group\r\nPolicy Object (GPO) and Cybereason’s execution prevention feature to prevent PowerShell execution.\r\nPhase two: Backdoors exploiting DLL-hijacking and using DNS tunneling\r\nAfter realizing that the PowerShell infrastructure had been discovered, the attackers had to quickly replace it to\r\nmaintain persistence and continue the operation. Replacing this infrastructure in 48 hours suggests that the threat\r\nactors were prepared for such a scenario.\r\nDuring the second phase of the attack, the attackers introduced two sophisticated backdoors that they\r\nattempted to deploy on selected targets. The introduction of the backdoors is a key turning point in the\r\ninvestigation since it demonstrated the threat actor’s resourcefulness and skill set.\r\nAt the time of the attack, these backdoors were undetected and undocumented by any security vendor.\r\nRecently, Kaspersky researchers identified a variant of one of the backdoors as Backdoor.Win32.Denis. The\r\nattackers had to make sure that they remained undetected, so the backdoors were designed to be as stealthy as\r\npossible. To avoid being discovered, the malware authors used these techniques:\r\nBackdoors exploiting DLL hijacking against trusted applications\r\nThe backdoor exploited a vulnerability called “DLL hijacking” in order to “hide” the malware inside trusted\r\nsoftware. 
This technique exploits a security vulnerability found in legitimate software that allows the attackers\r\nto load a fake DLL and execute its malicious code.\r\nPlease see an analysis of the backdoors in the Attacker’s Arsenal section.\r\nThe attackers exploited this vulnerability against the following trusted applications:\r\nWindows Search (vulnerable applications: searchindexer.exe / searchprotocolhost.exe)\r\nFake DLL: msfte.dll (638b7b0536217c8923e856f4138d9caff7eb309d)\r\nGoogle Update (d30e8c7543adbc801d675068530b57d75cabb13f)\r\nFake DLL: goopdate.dll (973b1ca8661be6651114edf29b10b31db4e218f7)\r\nKaspersky’s Avpia (691686839681adb345728806889925dc4eddb74e)\r\nFake DLL: product_info.dll (3cf4b44c9470fb5bd0c16996c4b2a338502a7517)\r\nBy exploiting legitimate software, the attackers bypassed application whitelisting and legitimate security software,\r\nallowing them to continue their operations without raising any suspicions.\r\nDNS Tunneling as C2 channel\r\nIn an attempt to overcome network filtering solutions, the attackers implemented a stealthier C2 communication\r\nmethod, “DNS Tunneling” – a method of C2 communication and data exfiltration that uses the DNS protocol.\r\nTo ensure that the DNS traffic would not be filtered, the attackers configured the backdoor to communicate with\r\nGoogle and OpenDNS DNS servers, since most organizations and security products will not filter traffic to those\r\ntwo major DNS services.\r\nThe screenshot below shows the traffic generated by the backdoor and demonstrates DNS Tunneling for C2\r\ncommunication. 
As shown, while the destination IP is “8.8.8.8” – Google’s DNS server – the malicious domain is\r\n“hiding” inside the DNS packet:\r\nPhase three: Novel MS Outlook backdoor and lateral movement spree\r\nIn the third phase of the operation, the attackers harvested credentials stored on the compromised machines,\r\nperformed lateral movement and infected new machines. The attackers also introduced a very rare and stealthy\r\ntechnique to communicate with their servers and exfiltrate data using Microsoft Outlook.\r\nOutlook macro backdoor\r\nIn a relentless attempt to remain undetected, the attackers devised a very stealthy C2 channel that is hard to detect\r\nsince it leverages email as the C2 channel. The attackers installed a backdoor macro in Microsoft Outlook\r\nthat enabled them to execute commands, deploy their tools and steal valuable data from the compromised\r\nmachines.\r\nFor a detailed analysis of the Outlook backdoor, please see the Attacker’s Arsenal section.\r\nThis technique works as follows:\r\n1. The malicious macro scans the victim’s Outlook inbox and looks for the strings “$$cpte” and “$$ecpte”.\r\n2. The macro then opens a CMD shell that executes whatever instruction / command is in between the\r\nstrings.\r\n3. The macro deletes the message from the inbox to ensure minimal risk of exposure.\r\n4. The macro searches for the special strings in the “Deleted Items” folder to find the attacker’s email address\r\nand sends the data back to the attackers via email.\r\n5. Lastly, the macro deletes any evidence of the emails received or sent by the attackers.\r\nCredential dumping and lateral movement\r\nThe attackers used the famous Mimikatz credential dumping tool as their main tool to obtain credentials,\r\nincluding user passwords, NTLM hashes and Kerberos tickets. 
Mimikatz is a very popular tool and is detected by\r\nmost antivirus vendors and other security products. Therefore, the attackers used over 10 different customized\r\nMimikatz payloads, which were obfuscated and packed in a way that allowed them to evade antivirus detection.\r\nThe following are examples of Mimikatz command line arguments detected during the attack:\r\nThe stolen credentials were used to infect more machines, leveraging Windows built-in tools as well as pass-the-ticket and pass-the-hash attacks.\r\nPhase four: New arsenal and attempt to restore PowerShell infrastructure\r\nAfter a four-week lull with no apparent malicious activity, the attackers returned to the scene and introduced new\r\nand improved tools aimed at bypassing the security mitigations that were implemented by the company’s IT team.\r\nThese tools and methods mainly allowed them to bypass the PowerShell execution restrictions and password\r\ndumping mitigations.\r\nDuring that phase, Cybereason found a compromised server that was used as the main attacking machine, where\r\nthe attackers stored their arsenal in a network share, which made it easier to spread their tools to other machines\r\non the network. The attackers’ arsenal consisted of:\r\nNew variants of Denis and Goopy backdoors\r\nPowerShell Restriction Bypass Tool - Adapted from the PSUnlock GitHub project.\r\nPowerShell Cobalt Strike Beacon - New payload + new C2 domain\r\nPowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available\r\nscript adapted from Daniel Bohannon’s GitHub project.\r\nHookPasswordChange - Inspired by tools found on GitHub, this tool alerts the attackers if a password has\r\nbeen changed. Using this tool, the attackers could overcome a password reset. 
The attackers modified their\r\ntool.\r\nCustomized Windows Credentials Dumper - A PowerShell password dumper that is based on a known\r\npassword dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it\r\nto obtain Outlook passwords.\r\nCustomized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers.\r\nMimikatz - PowerShell and Binary versions, with multiple layers of obfuscation.\r\nPlease see the Attacker’s Arsenal section for detailed analysis of the tools.\r\nAn analysis of this arsenal shows that the attackers went out of their way to restore the PowerShell-based\r\ninfrastructure, even though it had already been detected and shut down once. The attackers’ preference to use a\r\nfileless infrastructure specifically in conjunction with Cobalt Strike is very evident. This could suggest that the\r\nattackers preferred to use known tools that are more expendable rather than using their own custom-built tools,\r\nwhich were used as a last resort.\r\nConclusion\r\nOperation Cobalt Kitty was a major cyber espionage APT that targeted a global corporation in Asia and was\r\ncarried out by the OceanLotus Group. The analysis of this APT proves how determined and motivated the\r\nattackers were. They continuously changed techniques and upgraded their arsenal to remain under the radar. 
In\r\nfact, they never gave up, even when the attack was exposed and shut down by the defenders.\r\nDuring the investigation of Operation Cobalt Kitty, Cybereason uncovered and analyzed new tools in the\r\nOceanLotus Group’s attack arsenal, such as:\r\nNew backdoor (“Goopy”) using HTTP and DNS Tunneling for C2 communication.\r\nUndocumented backdoor that used Outlook for C2 communication and data exfiltration.\r\nBackdoors exploiting DLL sideloading attacks in legitimate applications from Microsoft, Google and\r\nKaspersky.\r\nThree customized credential dumping tools, which are inspired by known tools.\r\nIn addition, Cybereason uncovered new variants of the “Denis” backdoor and managed to attribute the backdoor\r\nto the OceanLotus Group - a connection that had not been publicly reported before.\r\nThis report provides a rare deep dive into a sophisticated APT that was carried out by one of the most fascinating\r\ngroups operating in Asia. The ability to closely monitor and detect the stages of an entire APT lifecycle - from\r\ninitial infiltration to data exfiltration - is far from trivial.\r\nThe fact that most of the attackers’ tools were not detected by the antivirus software and other security products\r\ndeployed in the company’s environment before Cybereason is not surprising. The attackers obviously invested\r\nsignificant time and effort in keeping the operation undetected, striving to evade antivirus detection.\r\nAs the investigation progressed, some of the IOCs observed in Operation Cobalt Kitty started to emerge in the\r\nwild, and recently some were even reported being used in other campaigns. It is important to remember, however,\r\nthat IOCs have a tendency to change over time. Therefore, understanding a threat actor’s behavioral patterns is\r\nessential in combating modern and sophisticated APTs. 
The modus operandi and tools, which served as behavioral\r\nfingerprints, also played an important role in tying Operation Cobalt Kitty to the OceanLotus Group.\r\nLastly, our research provides an important testimony to the capabilities and working methods of the OceanLotus\r\nGroup. Operation Cobalt Kitty is unique in many ways; nonetheless, it is still just one link in the group’s ever-growing chain of APT campaigns. Orchestrating multiple APT campaigns in parallel and attacking a broad\r\nspectrum of targets takes an incredible amount of resources, time, manpower and motivation. This combination is\r\nlikely to be more common among nation-state actors. While there are many rumours and speculations circulating in\r\nthe InfoSec community, at the time of writing, there was no publicly available evidence that can confirm that the\r\nOceanLotus Group is a nation-state threat actor.\r\nUntil such evidence is made public, we will leave it to our readers to judge for themselves.\r\nTo be continued ... Meow.\r\nAbout the Author\r\nAssaf Dahan\r\nAssaf has over 15 years in the InfoSec industry. He started his career in the military forces, where he developed\r\nextensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing\r\nmethodologies, and specialized in malware analysis and reverse engineering.\r\nSource: https://www.cybereason.com/blog/operation-cobalt-kitty-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/operation-cobalt-kitty-apt"
	],
	"report_names": [
		"operation-cobalt-kitty-apt"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775792181,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da3685afbc2e65105173b849ed6c94ef8f422ac5.pdf",
		"text": "https://archive.orkl.eu/da3685afbc2e65105173b849ed6c94ef8f422ac5.txt",
		"img": "https://archive.orkl.eu/da3685afbc2e65105173b849ed6c94ef8f422ac5.jpg"
	}
}