APT32

Threat Actor updated 23 days ago (2024-11-29T14:04:45.094Z)
APT32, also known as OceanLotus Group, SeaLotus, APT-C-00, and Cobalt Kitty, is a threat actor suspected of originating from Vietnam. The group has been active since at least 2012, primarily targeting foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. It also has a history of attacking governments, dissidents, and journalists in Southeast Asian countries, including Vietnam.

The group uses spear phishing emails and ActiveMime files, combined with social engineering techniques, to deliver malicious attachments. The associated malware includes SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, and KOMPROGO. Notably, the infection vector of these attacks hasn't been conclusively identified. APT32 heavily obfuscates its backdoors and scripts, with additional command argument obfuscation observed in April 2017. It leverages a mix of custom-developed, open-source, and commercially available tooling, demonstrating a high level of technical sophistication. In 2023, Elastic Lab released a report detailing an attack by OceanLotus (APT32) that utilized a new set of malicious tools called Spectral Viper. Operation Cobalt Kitty was attributed to the OceanLotus Group based on the tools, modus operandi, and IOCs observed.

APT32 has attacked a wide range of companies, with a particular focus on Asian targets. In 2019, an anonymous official at one of Japan's largest automotive manufacturers confirmed that APT32 had targeted their company and its overseas operations. The group has shown a special interest in foreign competitors of Vietnam's emerging automotive industry, posing a significant threat to companies doing business or planning to invest in the country.
Description last updated: 2024-11-28T11:44:42.441Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias description and votes
OceanLotus is a possible alias for APT32. OceanLotus, also known as APT32, is a threat actor suspected to be linked to Vietnam. This group primarily targets foreign companies operating in sectors such as manufacturing, consumer products, consulting, and hospitality within Vietnam. The group's activities suggest it poses a significant risk t
Votes: 3
Cobalt Kitty is a possible alias for APT32. Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c
Votes: 2
Oceanlotus Group is a possible alias for APT32. The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Cobalt Kitty
Source Document References
Information about the APT32 Threat Actor was read from the documents corpus below.