OceanLotus

Threat Actor updated 7 months ago (2024-05-04T19:18:22.339Z)

Download STIX

Preview STIX

OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate an ongoing threat to these businesses operating within the country. OceanLotus employs a range of sophisticated tools in its attack arsenal, as revealed during the investigation of Operation Cobalt Kitty by Cybereason. One significant discovery was the use of macOS Backdoor Malware, a tool linked directly to the OceanLotus Group. Moreover, there appears to be a strong correlation between OceanLotus and another malware entity called RotaJakiro. Despite being implemented in different languages, their function, message format design, and specific implementation bear striking similarities. For instance, both employ the same parameters when encrypting registration packets, suggesting that RotaJakiro could potentially be a Linux version of the OceanLotus. Further analysis has demonstrated shared characteristics between the two entities, such as using DWORD type instruction codes to specify message functions and employing similar encryption/decryption methods. Both RotaJakiro and OceanLotus assign identical message codes to registration packets, and they share the same field values at certain offsets. They also structure their network packets similarly and use separate data structures to hold command and control (C2) session information. These findings significantly increase the likelihood that RotaJakiro and OceanLotus originate from the same source, indicating a high level of sophistication and coordination in their cyber-espionage operations.

Description last updated: 2024-05-04T19:09:56.958Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Cobalt Kitty is a possible alias for OceanLotus. Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c	2
Turla is a possible alias for OceanLotus. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	2
APT32 is a possible alias for OceanLotus. APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Backdoor

Cobalt Kitty

Macos

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the OceanLotus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	a year ago	RotaJakiro, the Linux version of the OceanLotus
MITRE	a year ago	The New and Improved macOS Backdoor from OceanLotus
CERT-EU	a year ago	Cybersecurity threatscape of Asia: 2022–2023 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
Fortinet	a year ago	Key Findings from the 1H 2023 FortiGuard Labs Threat Report \| FortiGuard Labs
CERT-EU	a year ago	Cloud Providers Becoming Key Players in Ransomware, Halcyon Warns
CERT-EU	a year ago	Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
CERT-EU	a year ago	Remove OuterSource Mac Virus [Solved]
CERT-EU	a year ago	CorporateGlobe Mac Virus Removal
CERT-EU	a year ago	StoreFlow Mac - Virus Removal
CERT-EU	a year ago	ExperienceSys Virus - Mac Removal Guide
CERT-EU	a year ago	TradeAero Mac Adware - Removal Guide
CERT-EU	a year ago	EssentialPlatform Virus - Mac Removal Guide
CERT-EU	a year ago	Ismilinstite Mac Virus Removal Guide [Working]
CERT-EU	a year ago	DesignationDrive Virus Mac Removal Guide
CERT-EU	a year ago	EnumeratorMachine Virus Mac - How to Remove It
CERT-EU	a year ago	Remove OpticalFraction Mac Virus [Fix Guide]
CERT-EU	a year ago	ElementBrowser Mac Virus Removal
CERT-EU	a year ago	Japan in the Crosshairs of Many State-Sponsored Threat Actors New Report Finds
CERT-EU	a year ago	New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies
MITRE	2 years ago	Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group