APT32

Threat Actor Profile Updated 13 days ago
APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, the group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. It has shown particular interest in Vietnam's emerging automotive industry, with confirmed attacks in 2019 on one of the largest Japanese automotive manufacturers and its overseas operations. APT32 has also attacked governments, dissidents, and journalists in Southeast Asian countries, including Vietnam, demonstrating a wide-ranging scope of targets.

The primary attack vector used by APT32 is spear-phishing email carrying malicious attachments. The actors deliver ActiveMime files that rely on social engineering to trick victims into enabling macros. The group is associated with several malware families, including SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, and KOMPROGO. One notable technique is the use of publicly available exploits for vulnerabilities such as CVE-2017-11882, a memory corruption vulnerability in Microsoft Office, which allows the group to achieve persistence on compromised systems without leaving traces.

APT32 is notorious for heavily obfuscating its backdoors and scripts, a practice observed by Mandiant consultants in April 2017. The group adds command-argument obfuscation and leverages the regsvr32.exe application whitelisting bypass, tactics also used by other threat groups such as APT19. APT32 combines custom-developed, open-source, and commercially available tools, making it a sophisticated and persistent cyber threat, and its vast Command and Control (C2) infrastructure further highlights its extensive operational capabilities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Cobalt Kitty (2 votes): Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c

OceanLotus (2 votes): OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate

Oceanlotus Group (2 votes): The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Cobalt Kitty
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the APT32 threat actor was read from the document corpus below. This display is limited to 20 results.
MITRE (a year ago): Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations | Mandiant
MITRE (a year ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE (a year ago): Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
MITRE (5 months ago): Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques « Threat Research Blog
Securityaffairs (a year ago): Hyundai suffered a data breach that impacted customers in France and Italy
CERT-EU (a year ago): Japan in the Crosshairs of Many State-Sponsored Threat Actors New Report Finds
MITRE (a year ago): Fake or Fake: Keeping up with OceanLotus decoys | WeLiveSecurity
MITRE (a year ago): Tracking OceanLotus' new Downloader, KerrDown
MITRE (a year ago): OceanLotus ships new backdoor using old tricks | WeLiveSecurity
CERT-EU (a year ago): New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies
CERT-EU (7 months ago): Hackers target US Facebook biz accounts with potent malware cocktail
DARKReading (a month ago): Vietnamese Cybergang Nets Financial, Social Media Data
CERT-EU (8 months ago): Cybersecurity threatscape of Asia: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
InfoSecurity-magazine (3 months ago): Iranian Hackers Target Israel to Sway Public Opinion in Hamas Conflict
CERT-EU (a year ago): Does it matter if your company is hacked?