APT32

Threat Actor updated 7 months ago (2024-05-04T16:41:50.673Z)
APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, the group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. It has shown particular interest in Vietnam's emerging automotive industry, with confirmed attacks in 2019 on one of the largest Japanese automotive manufacturers and its overseas operations. APT32 has also attacked governments, dissidents, and journalists in Southeast Asian countries, including Vietnam, demonstrating a wide range of targets.

The group's primary attack vector is spear-phishing email carrying malicious attachments. The actors use ActiveMime files with social-engineering lures that trick victims into enabling macros. They are associated with several malware families, including SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, and KOMPROGO. One notable technique is the use of publicly available exploits for vulnerabilities such as CVE-2017-11882, a memory corruption vulnerability in Microsoft Office software; the group uses this to achieve persistence on compromised systems without leaving traces.

APT32 is notorious for heavily obfuscating its backdoors and scripts, a practice observed by Mandiant consultants in April 2017. The group adds command-argument obfuscation and uses the regsvr32.exe application whitelisting bypass, tactics also used by other threat groups such as APT19. APT32 combines custom-developed, open-source, and commercially available tools, making it a sophisticated and persistent cyber threat, and its command and control (C2) infrastructure is extensive, further highlighting its operational capabilities.
Description last updated: 2024-04-09T05:15:49.256Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes
Cobalt Kitty | Cobalt Kitty is a possible alias for APT32. Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c | 2
OceanLotus | OceanLotus is a possible alias for APT32. OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate | 2
Oceanlotus Group | Oceanlotus Group is a possible alias for APT32. The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Cobalt Kitty
Source Document References
Information about the APT32 threat actor was read from the documents corpus below (display limited to 20 results).