{
	"id": "57cc3478-4f1f-469c-a0ed-2244742aeaa6",
	"created_at": "2026-04-06T00:10:26.808042Z",
	"updated_at": "2026-04-10T13:11:23.603493Z",
	"deleted_at": null,
	"sha1_hash": "f9f8af2e6dcf7021bce23bf1ef9be59a6279161f",
	"title": "OceanLotus: Extending Cyber Espionage Operations Through Fake Websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1193153,
	"plain_text": "OceanLotus: Extending Cyber Espionage Operations Through Fake\r\nWebsites\r\nBy mindgrub\r\nPublished: 2020-11-06 · Archived: 2026-04-05 15:52:24 UTC\r\nSince Volexity’s 2017 discovery that OceanLotus was behind a sophisticated massive digital surveillance campaign, the\r\nthreat group has continued to evolve. In 2019, Volexity gave a presentation at RSA Conference that provided a historic and\r\nup-to-date look at various operations of the Vietnamese threat actor OceanLotus. Notably, the presentation revealed that, for\r\nyears, OceanLotus set up and operated multiple activist, news, and anti-corruption websites. At first glance, it appeared these\r\nwere real websites that had been compromised. These fake websites were convincingly legitimate and allowed OceanLotus\r\nto have full control over the tracking of and attacks against website visitors. The most popular of these websites even had a\r\ncorresponding Facebook page with over 20,000 followers. Shortly after the presentation was given, these websites were shut\r\ndown or abandoned.\r\nHowever, old habits and successful techniques die hard. Volexity has identified multiple new attack campaigns being\r\nlaunched by OceanLotus via multiple fake websites and Facebook pages that have been set up within the last year. In\r\naddition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus’s neighbors throughout\r\nSoutheast Asia. These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to\r\ndistribute malware payloads for Windows and OSX. This post will focus on one of the larger campaigns where OceanLotus\r\nhas leveraged multiple fake news websites to target users.\r\nNewsworthy Websites\r\nThroughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as\r\nthey were being used to load an OceanLotus web profiling framework. 
The exact functionality varied from site to site, but\r\nthe goal of these frameworks was to gather information about site visitors and, in some cases, deliver malware. This code\r\nappears to be a variation of what Volexity has previously described as Framework A.\r\nHowever, upon closer inspection of the websites, Volexity found the sites were not compromised; instead, they were created\r\nand operated by OceanLotus. Each of the websites appears to have had a decent level of effort put into building it, as there are\r\nhttps://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/\r\nPage 1 of 10\n\nnumerous variations in themes, content, and even custom images and slogans. The websites all claim to be news sites and\r\ncontain a great deal of benign content, with no malicious redirects or profiling in place on the vast majority of pages,\r\nincluding the main index page. Instead, generally speaking, only a handful of specific articles within each site contain\r\nmalicious content. The sites vary in theme, with some focused on Vietnamese news while others are focused on news\r\nthemed around other Southeast Asian countries.\r\nA list of websites that Volexity has identified is provided below. Each listing includes a thumbnail image that can be clicked\r\nto see a larger screenshot of the website. The majority of these websites are still live at the time of this blog post and\r\nVolexity recommends against visiting them.\r\nWebsite | Theme/Notes\r\nbaodachieu.com | This website covers general news and is written in Vietnamese. It has a custom logo and slogan indicating it publishes things that others want to hide.\r\nbaomoivietnam.com | This website covers general news and is written in Vietnamese. It has a custom logo and tagline indicating it has short and reliable news.\r\nledanvietnam.org | This website shares “the people’s news” and is written in Vietnamese. 
It is designed to provide news that is different from that of official government news. It has a custom logo and slogan mentioning truth and responsibility.\r\nnhansudaihoi13.org | This website is dedicated to news surrounding the upcoming 13th National Congress of the Communist Party of Vietnam, which convenes in January 2021. There is no custom logo or slogan for this website.\r\ntocaoonline.org | This website is dedicated to news and the “truth.” The website has a customized header image that is displayed on all pages.\r\nthamcungbisu.org | This website covers general news and is written in Vietnamese. There is no custom logo or slogan for this website. It uses many WordPress defaults, including the website description “Just another WordPress site.”\r\ntinmoivietnam.com | This website covers general news and is written in Vietnamese. There is no custom logo or slogan for this website. The domain name is very similar in naming to a non-malicious website that is accessible via tinmoivietnam.net.\r\nkmernews.com | This website covers general news and is written in Cambodian. It purports to be an “online newspaper” and does not have a custom logo or slogan.\r\nlaostimenews.com | This website covers general news and is written in English and Laotian. It appears to take much of its content from the website of the Laotian Times (laotiantimes.com). The website does not have a custom logo or slogan.\r\nmalaynews.org | This website covers general news and is written in English and Malay. The website does not have a custom logo or slogan.\r\nphiliippinesnews.net | This website covers general news and is written in English. 
The website does not have a custom logo or slogan.\r\nkhmer-livenews.com | This website covers general news and is written in Cambodian. The website does not have a custom logo or slogan.\r\nkhmerleaks.com | This website focuses specifically on Cambodia-centric news and offers content in both Cambodian and English. The slogan for the site is “Stay up to date with the hottest news about the country.”\r\nWhile a couple of the websites above may use a similar layout, the vast majority have their own theme and layout, which\r\nmakes the sites appear to have nothing to do with one another. The sites also largely stick to a wide variety of news that\r\nwould be interesting to the masses across the different targeted user bases.\r\nHowever, one of the sites is a bit more specific than the rest and is quite political in nature. The website\r\nnhansudaihoi13[.]org pertains to the upcoming 13th Vietnamese Communist Congress, where new political leaders will be\r\nelected. This website has a corresponding Facebook page filled with posts copied from other Vietnamese media outlets\r\nfocusing on corruption within Vietnamese politics. The page has over 1,000 likes and interactions from a number of\r\nindividuals in Vietnam. Notably, the Facebook page has a Messenger account associated with it, which could be used to send\r\nmessages to individuals of interest.\r\nTargeting Visitors\r\nThe websites contain numerous articles and content to make them seem legitimate; in some cases the websites have over\r\n10,000 individual news articles. Volexity has found the content is largely scraped and reposted in full from various other\r\nlegitimate online news outlets. 
This appears to be done in an automated fashion and most likely through WordPress plugins.\r\nNumerous posted articles and images can be directly tracked back to other online blogs and newspapers; sometimes the\r\nbyline or even the watermark in images shows directly where the article was sourced. In some cases, only a small number of\r\npages on the site contain malicious code; in other cases, the profiling code is pervasive.\r\nVolexity believes it is likely that individuals are targeted through these websites in two ways. The first is through profiling\r\nframeworks that exist on many of the pages that can be used to identify and evaluate information about users that visit the\r\nwebsite by happenstance. The second is through individually targeting victims who are sent links to specific news\r\ncontaining malware delivery logic through spear phishing and social media messages.\r\nWhen users visit a page with an infection chain on it, malicious JavaScript is loaded. The exact workflow of the script\r\nvaries between different infected pages, but generally there are two parts:\r\n1. A script to capture and store information about the visitor;\r\n2. A second script which socially engineers targets into downloading a fake software update or document. The exact\r\nnature of the malware downloaded is sometimes configured based on the user’s browser and the content.\r\nTo illustrate a real example of how this worked and looked to a website visitor, the following section will use one of the few\r\npages of the fake site baomoivietnam[.]com that was designed to profile visitors and deliver malware or a phishing link. On\r\nthis site, a news story (https://www.baomoivietnam[.]com/dai-hoc-ton-duc-thang-hieu-truong-lam-quyen-de-xay-ra-sai-pham/) about an investigation into potential improper conduct by a university professor in Vietnam contained malicious\r\ncontent. 
Once the page was accessed, a special OceanLotus server on the hostname cdn.arbenha[.]com would be leveraged\r\nto load malicious JavaScript that rendered a fake video player. At first, the page would display a dialog indicating that the video\r\nwas loading (Đang tải), as shown in Figure 1 below.\r\nFigure 1. Fake video player dialog indicating a video is loading\r\nIf the visitor is coming from a Windows system, after a few seconds the video will fail to load. A message will be displayed\r\nindicating that Flash Player is required, along with a button that can be clicked to immediately upgrade. An image of how\r\nthis appears to the visitor is shown in Figure 2 below.\r\nFigure 2. Message displayed alerting the user to upgrade Flash Player\r\nThe button would then lead to the download of a RAR archive named Adobe_Flash_Install.rar. This archive was designed to\r\nfool the targeted user into infecting themselves with a Cobalt Strike implant. Details on the contents of this file are included\r\nlater in this report.\r\nIf a visiting user is on a mobile device that was detected as running iOS or Android, an image is displayed indicating that\r\nthe requested video contains age-restricted content. The visitor is supposed to “Sign in” to view the content, as shown in\r\nFigure 3.\r\nFigure 3. Mobile users presented with “Sign in” message\r\nThe SIGN IN button contained a hyperlink to a page on the hostname accounts.gservice[.]reviews. This page was down and did\r\nnot return interesting content in any of Volexity’s tests. 
Volexity believes this page is likely intended to be used for phishing\r\ncredentials.\r\nFinally, if users attempt to access the page using a device for which there is no configured payload, they are advised to\r\naccess the content using a different device. The error that is displayed is shown in Figure 4.\r\nFigure 4. Message displayed to users not on Windows, Android, or iOS devices.\r\nThe appearance of the overlay and the URL for the various buttons shown above are generated according to the visitor’s\r\nbrowser data. A closer look at the payload delivery component of the JavaScript is shown below. It shows the malware\r\ndownload URLs hosted on Dropbox for Windows users, and the identical phishing links for Android and iOS visitors.\r\nvar os_url_mapping = {\r\n  'windows_x86': 'https://www.dropbox[.]com/s/puhwqhjcvn2xuum/Adobe_Flash_Install.rar?dl=1',\r\n  'windows_x64': 'https://www.dropbox[.]com/s/puhwqhjcvn2xuum/Adobe_Flash_Install.rar?dl=1',\r\n  'linux_x86': '',\r\n  'linux_x64': '',\r\n  'mac_os': '',\r\n  'android': 'https://accounts.gservice[.]reviews/?ancf_=36562273654a289e0cc0418f1c9d4b\u0026_hhobt=5b878805dc643d7e66d81b45797a3d323baa7def\u0026edobt=5edf2e13',\r\n  'ios': 'https://accounts.gservice[.]reviews/?ancf_=36562273654a289e0cc0418f1c9d4b\u0026_hhobt=5b878805dc643d7e66d81b45797a3d323baa7def\u0026edobt=5edf2e13'\r\n};\r\nOn other websites, different cloud storage solutions such as Amazon S3 or Google Drive were used to host Windows, OSX,\r\nand Android malware payloads. The OSX and Android implants will be detailed in a future blog.\r\nCobalt Strike: For Red Teams and Nation State Actors\r\nThe Adobe_Flash_Install.rar archive that was returned from the baomoivietnam[.]com website contained the files\r\nFlash_Adobe_Install.exe and goopdate.dll. 
The table below provides some basic information on all three of these files.\r\nFilename | SHA256 | Notes\r\nAdobe_Flash_Install.rar | 230ac0808fde525306d6e55d389849f67fc328968c433a5053d676d688032e6f | RAR file containing Adobe_Flash_Install.e and goopdate.dll\r\nFlash_Adobe_Install.exe | 69061e33acb7587d773d05000390f9101f71dfd6eed7973b551594eaf3f04193 | A legitimate copy of Google’s Update utility\r\ngoopdate.dll | 7fd58fa4c9f24114c08b3265d30be5aa8f6519ebd2310cc6956eda6c6e6f56f0 | A malicious DLL crafted by the attacker\r\nThe file goopdate.dll has the hidden file attribute set and will not show in Windows Explorer on systems using default\r\nsettings. This results in the user seeing only the Flash_Adobe_Install.exe file to execute in order to install what they believe\r\nto be an update to Flash Player. When run, it will automatically load goopdate.dll due to DLL search order hijacking.\r\nGoopdate.dll is a highly obfuscated loader whose ultimate purpose is to load a Cobalt Strike stager into memory and then\r\nexecute it. The Cobalt Strike stager will simply try to download and execute shellcode from a remote server, in this case\r\nusing the following URL:\r\nsummerevent.webhop[.]net/QuUA\r\nThe table below has the details for the file returned from the Cobalt Strike staging server at the time of analysis.\r\nSHA256 | Notes\r\ncbca9a92a6aa067ff4cab8f1d34ec49ffc9a06c90881f48da369c973182ce06d | BEACON binary returned by C2 server\r\nThis payload is configured to talk to the same domain (summerevent.webhop[.]net) using a malleable command-and-control\r\n(C2) profile for Cobalt Strike that impersonates Google’s Safe Browsing service. This malleable C2 profile is used by a wide\r\nvariety of red team and real-world attackers. It is readily available on GitHub and has been used by OceanLotus as far back\r\nas 2017. 
The payload contained several configuration strings encoded with the single-byte XOR key 0x69. Interesting and\r\nrelevant decoded strings are listed below:\r\nsummerevent.webhop.net,/safebrowsing/rd/tnOztRgLx1ugKt8uumGcreRFm5CqXD9ge-zzz5sA6WzhC\r\nMozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0\r\n@/safebrowsing/rd/r8l4jO3947jVxa5wBhEijGc0y77iX4oFy\r\nGAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nPREF=ID=\r\nCookie\r\nGAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nU=sRv85UHijBrrWiHz\r\nPREF=ID=\r\nConclusion\r\nOceanLotus has continued to evolve the ways in which it seeks to target individuals outside of spear phishing and leveraging\r\ncompromised websites. 
The creation and maintenance of several websites, for the purpose of creating a larger online\r\npresence in which the attack chain against visitors can be fully controlled, is not an attack method commonly identified. This\r\nlevel of effort shows that OceanLotus will go to great lengths to extend its reach and find new ways to compromise\r\nindividuals and organizations it has set its focus on.\r\nIndividuals that are at high risk and likely to be targeted by OceanLotus should be particularly careful with respect to\r\nwebsites they are visiting, especially if the websites are suggested or otherwise linked to via e-mail, chat, messaging\r\nservices, or even SMS. Further, regardless of the websites, Volexity recommends these individuals use extreme caution if a\r\nwebsite presents a file for download or requests that they sign in. OceanLotus has used techniques to fool users into\r\nrevealing their credentials, authorizing malicious OAuth access, or downloading malware onto their systems for several\r\nyears.\r\nIndicators of Compromise\r\nValue | Type | Notes\r\nthamcungbisu[.]org | Domain | Fake site set up by OceanLotus\r\nbaomoivietnam[.]com | Domain | Fake site set up by OceanLotus\r\nbaodachieu[.]com | Domain | Fake site set up by OceanLotus\r\nnhansudaihoi13[.]org | Domain | Fake site set up by OceanLotus\r\ntinmoivietnam[.]com | Domain | Fake site set up by OceanLotus\r\nlaostimenews[.]com | Domain | Fake site set up by OceanLotus\r\nmalaynews[.]org | Domain | Fake site set up by OceanLotus\r\nkmernews[.]com | Domain | Fake site set up by OceanLotus\r\nphiliippinesnews[.]net | Domain | Fake site set up by OceanLotus\r\nledanvietnam[.]org | Domain | Fake site set up by OceanLotus\r\nkhmerleaks[.]com | Domain | Fake site set up by OceanLotus\r\nkhmer-livenews[.]com | Domain | Fake site set up 
by OceanLotus\r\nhypepodscase[.]com | Domain | Used to host OceanLotus profiling kit and malware delivery JS\r\narbenha[.]com | Hostname | Used to host OceanLotus profiling kit and malware delivery JS\r\ngservice[.]reviews | Domain | Likely used in Android phishing in SWC context\r\nsummerevent.webhop[.]net | Domain | Cobalt Strike C2 address\r\ndance-til-dawn.podzone[.]net | Domain | Cobalt Strike C2 address\r\nandreagahuvrauvin[.]com | Domain | OceanLotus DNS malware C2 address\r\ntheme.blogwix[.]com | Hostname | Used to host OceanLotus profiling kit and malware delivery JS\r\noutlook-client[.]com | Domain | Likely used in phishing in SWC context\r\ngusercontent[.]com | Domain | Likely used in phishing in SWC context\r\nserrvice[.]net | Domain | Likely used in phishing in SWC context\r\nyhsetting[.]com | Domain | Likely used in phishing in SWC context\r\nhmacount[.]com | Domain | Likely used in phishing in SWC context\r\nfontloading[.]com | Domain | Likely used in phishing in SWC context\r\nviewerservice[.]com | Domain | Likely used in phishing in SWC context\r\ncbca9a92a6aa067ff4cab8f1d34ec49ffc9a06c90881f48da369c973182ce06d | SHA256 | CobaltStrike Beacon file\r\n230ac0808fde525306d6e55d389849f67fc328968c433a5053d676d688032e6f | SHA256 | RAR delivery file\r\n7fd58fa4c9f24114c08b3265d30be5aa8f6519ebd2310cc6956eda6c6e6f56f0 | SHA256 | Loader DLL\r\nSource: https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/"
	],
	"report_names": [
		"oceanlotus-extending-cyber-espionage-operations-through-fake-websites"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9f8af2e6dcf7021bce23bf1ef9be59a6279161f.pdf",
		"text": "https://archive.orkl.eu/f9f8af2e6dcf7021bce23bf1ef9be59a6279161f.txt",
		"img": "https://archive.orkl.eu/f9f8af2e6dcf7021bce23bf1ef9be59a6279161f.jpg"
	}
}