OceanLotus

Threat Actor, last updated 2024-11-29T14:07:44.345Z
OceanLotus, also known as APT32, is a threat actor suspected of operating on behalf of Vietnamese interests. It primarily targets foreign companies doing business in Vietnam in sectors such as manufacturing, consumer products, consulting, and hospitality, and therefore poses a significant risk to organisations operating in, or planning to invest in, the country.

Recent investigations have surfaced new OceanLotus tooling, including a macOS backdoor; the infection vector for the macOS samples has not been identified. In 2023, Elastic Security Labs documented an OceanLotus intrusion that used a previously unseen toolset dubbed Spectral Viper.

There are also striking similarities between the RotaJakiro Linux malware and the macOS version of the OceanLotus backdoor. Although the two are implemented in different languages, their functionality, message format and implementation details match too closely to be coincidental: both use DWORD-sized instruction codes to select message functions, both use a routine named rotate() to encrypt and decrypt traffic, both encrypt registration packets with the same parameters and assign them the same message code, and several other instruction codes and field values at fixed offsets are identical. On this evidence RotaJakiro is very likely a Linux port of the OceanLotus backdoor, so defenders tracking the group should treat RotaJakiro infections as probable OceanLotus activity and keep Linux hosts in scope.
Description last updated: 2024-11-28T11:44:35.977Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the names below are possible overlapping profiles worth reviewing. They are crowd-voted and may contain errors: an entry can reflect co-occurrence in source documents rather than a genuine alias, so check the underlying evidence before treating any of them as the same actor.
APT32 (3 votes): APT32 is a possible alias for OceanLotus. APT32, also known as OceanLotus Group, SeaLotus, APT-C-00, and Cobalt Kitty, is a threat actor suspected to be originating from Vietnam. This group has been active since at least 2012, primarily targeting foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hosp

Cobalt Kitty (2 votes): Cobalt Kitty is a possible alias for OceanLotus. Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT) campaign, was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c

Turla (2 votes): Turla is a possible alias for OceanLotus. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
APT
Malware
Backdoor
Cobalt Kitty
macOS