APT32

Threat Actor Profile Updated 3 months ago
APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, the group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. It has shown particular interest in Vietnam's emerging automotive industry, with confirmed attacks in 2019 on one of the largest Japanese automotive manufacturers and its overseas operations. APT32 has also attacked governments, dissidents, and journalists in Southeast Asian countries, including Vietnam, demonstrating a wide-ranging scope of targets.

The primary attack vector used by APT32 is spear-phishing email carrying malicious attachments. These attachments are ActiveMime files that rely on social engineering to convince recipients to enable macros. The group is associated with several malware families, including SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, and KOMPROGO. One notable technique is the use of publicly available exploits for vulnerabilities such as CVE-2017-11882, a memory corruption vulnerability in Microsoft Office; this allows the group to achieve persistence on compromised systems without leaving traces.

APT32 is notorious for heavily obfuscating its backdoors and scripts, a practice observed by Mandiant consultants in April 2017. The group adds command-argument obfuscation and uses the regsvr32.exe application whitelisting bypass, tactics also used by other threat groups such as APT19. APT32 combines custom-developed, open-source, and commercially available tools, making it a sophisticated and persistent threat. Its Command and Control (C2) infrastructure is vast, further highlighting its extensive operational capabilities.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors and are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
ID (votes): Profile description

Cobalt Kitty (2 votes): Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c

Oceanlotus Group (2 votes): The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo

OceanLotus (2 votes): OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate

SeaLotus (1 vote): no profile description

Charming Kitten (1 vote): Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:

APT, Cobalt Kitty, Windows, Cobalt Strike, Outlook, Facebook, Malware, Cybereason, Beacon, Espionage, Phishing, FireEye, Exploits, Exploit, Backdoor, Vulnerability
Associated Malware
ID (type, votes): Profile description

WINDSHIELD (type unspecified, 1 vote): Windshield is a notorious malware, a harmful program designed to exploit and damage computers or devices. It is one of the signature malware payloads deployed by APT32 operations, alongside KOMPROGO, SOUNDBITE, and PHOREAL. This malicious software can infiltrate systems through suspicious downloads,

SOUNDBITE (type unspecified, 1 vote): Soundbite is a type of malware, a harmful software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data host

PHOREAL (type unspecified, 1 vote): Phoreal is a type of malware, or malicious software, that is designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware has

KOMPROGO (type unspecified, 1 vote): Komprogo is a type of malware, a harmful software program designed to exploit and damage computer systems or devices. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or e
Associated Threat Actors
ID (type, votes): Profile description

APT19 (type unspecified, 1 vote): APT19, also known as the Codoso Team, is a threat actor suspected to be sponsored by the Chinese government to some degree. This group, potentially composed of freelancers, primarily targets the legal and investment sectors. They are known for their use of sophisticated malware like BEACON and COBAL
Associated Vulnerabilities
ID (type, votes): Profile description

CVE-2016-7255 (type unspecified, 1 vote): no profile description

CVE-2017-11882 (type unspecified, 1 vote): CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
Source Document References
Information about the APT32 threat actor was read from the document corpus below. This display is limited to 20 results.
Source, created at: Title

DARKReading, 4 months ago: Vietnamese Cybergang Nets Financial, Social Media Data
InfoSecurity-magazine, 5 months ago: Iranian Hackers Target Israel to Sway Public Opinion in Hamas Conflict
MITRE, 7 months ago: Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques « Threat Research Blog
CERT-EU, 9 months ago: Hackers target US Facebook biz accounts with potent malware cocktail
CERT-EU, 10 months ago: Cybersecurity threatscape of Asia: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, a year ago: Does it matter if your company is hacked?
CERT-EU, a year ago: Japan in the Crosshairs of Many State-Sponsored Threat Actors New Report Finds
CERT-EU, a year ago: New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies
MITRE, a year ago: Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations | Mandiant
MITRE, a year ago: Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
MITRE, a year ago: OceanLotus ships new backdoor using old tricks | WeLiveSecurity
MITRE, a year ago: Fake or Fake: Keeping up with OceanLotus decoys | WeLiveSecurity
MITRE, a year ago: Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE, a year ago: Tracking OceanLotus' new Downloader, KerrDown
Securityaffairs, a year ago: Hyundai suffered a data breach that impacted customers in France and Italy