{ "id": "1b858f6f-e3a3-4183-a8ef-c9662733fa10", "created_at": "2026-04-06T00:11:55.451338Z", "updated_at": "2026-04-10T13:11:38.80258Z", "deleted_at": null, "sha1_hash": "f1a65b93d835ae3e5b7227942485f781b9675a2a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48811, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:10:13 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool HiddenLotus\n Tool: HiddenLotus\nNames HiddenLotus\nCategory Malware\nType Backdoor\nDescription\n(Malwarebytes) So HiddenLotus didn’t seem all that interesting at first, other than as a new\nvariant of the OceanLotus backdoor first seen being used to attack numerous facets of Chinese\ninfrastructure. OceanLotus was last seen earlier this summer, disguised as a Microsoft Word\ndocument and targeting victims in Vietnam.\nBut there was something strange about HiddenLotus. Unlike past malware, this one didn’t\nhave a hidden .app extension to indicate that it was an application. Instead, it actually had a\n.pdf extension. Yet the Finder somehow identified it as an application anyway.\nInformation\nMalpedia Last change to this tool card: 13 May 2020\nDownload this tool card in JSON format\nAll groups using tool HiddenLotus\nChanged Name Country Observed\nAPT groups\n APT 32, OceanLotus, SeaLotus 2013-Aug 2024\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c6d3007-e655-42e9-81a8-c0096d4ee810\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c6d3007-e655-42e9-81a8-c0096d4ee810\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c6d3007-e655-42e9-81a8-c0096d4ee810\r\nPage 2 of 2\n\nAPT groups APT 32, OceanLotus, SeaLotus 2013-Aug 2024 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=4c6d3007-e655-42e9-81a8-c0096d4ee810" ], "report_names": [ "listgroups.cgi?u=4c6d3007-e655-42e9-81a8-c0096d4ee810" ], "threat_actors": [ { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434315, "ts_updated_at": 1775826698, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f1a65b93d835ae3e5b7227942485f781b9675a2a.pdf", "text": "https://archive.orkl.eu/f1a65b93d835ae3e5b7227942485f781b9675a2a.txt", "img": "https://archive.orkl.eu/f1a65b93d835ae3e5b7227942485f781b9675a2a.jpg" } }