OceanLotus

Threat Actor updated 4 days ago (2024-11-29T14:07:44.345Z)
Download STIX
Preview STIX
OceanLotus, also known as APT32, is a threat actor suspected to be linked to Vietnam. This group primarily targets foreign companies operating in sectors such as manufacturing, consumer products, consulting, and hospitality within Vietnam. The group's activities suggest it poses a significant risk to businesses operating or intending to invest in the country. Recent investigations have revealed new tools used by OceanLotus in its cyber-attacks, including macOS backdoor malware, although the infection vector for these attacks remains unidentified. In 2023, a report by Elastic Lab highlighted an attack by OceanLotus that employed a novel set of malicious tools dubbed Spectral Viper. Furthermore, there are striking similarities between the RotaJakiro malware and the macOS version of OceanLotus. Despite being implemented in different languages, their function, message format design, and specific implementation are too alike to be coincidental. For instance, both use the same parameters when encrypting registration packets and share several identical instruction codes. The likelihood that RotaJakiro is a Linux version of OceanLotus is high, given the shared features and functions. Both utilize DWORD type instruction codes to specify message functions and employ a function called rotate() for encryption/decryption. Moreover, they assign identical message codes to registration packets. Additionally, OceanLotus and RotaJakiro share identical field values at certain offsets, which further strengthens the possibility of a common origin. Therefore, the cybersecurity community should remain vigilant to the evolving threat landscape posed by groups like OceanLotus.
Description last updated: 2024-11-28T11:44:35.977Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT32 is a possible alias for OceanLotus. APT32, also known as OceanLotus Group, SeaLotus, APT-C-00, and Cobalt Kitty, is a threat actor suspected to be originating from Vietnam. This group has been active since at least 2012, primarily targeting foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hosp
3
Cobalt Kitty is a possible alias for OceanLotus. Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c
2
Turla is a possible alias for OceanLotus. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Malware
Backdoor
Cobalt Kitty
Macos
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the OceanLotus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more