OceanLotus

Threat Actor Profile Updated 2 months ago
OceanLotus, also known as APT32, is a threat actor suspected of being linked to Vietnam. It primarily targets foreign companies in the manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam, and its recent activity indicates an ongoing threat to such businesses operating in the country.

The group uses a range of tools in its attack arsenal, as documented in Cybereason's investigation of Operation Cobalt Kitty. A macOS backdoor has also been attributed directly to the OceanLotus group.

There also appears to be a strong correlation between OceanLotus and the Linux malware RotaJakiro. Although the two are implemented in different languages, their functionality, message format design, and specific implementation details are strikingly similar; for instance, both use the same parameters when encrypting registration packets, which suggests that RotaJakiro could be a Linux version of OceanLotus. Further analysis found more shared characteristics: both use DWORD instruction codes to specify message functions, employ similar encryption and decryption routines, assign identical message codes to registration packets, share the same field values at certain offsets, structure their network packets in the same way, and keep command and control (C2) session information in separate data structures. Taken together, these findings make it considerably more likely that RotaJakiro and OceanLotus originate from the same source.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description
Cobalt Kitty (2 votes): Operation Cobalt Kitty, a significant cyber espionage Advanced Persistent Threat (APT), was executed by the OceanLotus Group, also known as APT32, Canvas Cyclone, APT-C-00, and Cobalt Kitty. Active since at least 2012, the group targeted a global corporation in Asia during this operation. Over the c
APT32 (2 votes): APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s
Turla (2 votes): Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
RotaJakiro (1 vote): RotaJakiro is a sophisticated malware that has been active since 2018, with four major versions identified until 2021. It stands out among contemporary malicious software due to its advanced features and encryption techniques. RotaJakiro supports 12 functions, three of which are related to the execu
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Cobalt Kitty
Apt
Macos
Cobalt Strike
Windows
Vulnerability
Loader
Cybereason
Payload
Encryption
Cloudzy
State Sponso...
Cybercrime
Espionage
Backdoor
Reconnaissance
Exploits
Linux
Exploit
Downloader
Associated Malware
ID (type, votes): Profile description
StrongPity (Unspecified, 1 vote): StrongPity is a malicious software (malware) that infiltrates computer systems, typically through suspicious downloads, emails, or websites. The malware has been active for over a decade and is possibly linked to the Turkish government. It's designed to exploit and damage systems, steal personal inf
Kerrdown (Unspecified, 1 vote): KerrDown is a custom downloader malware family that has been actively employed by the cyber-espionage group OceanLotus since early 2018. The malware is designed to exploit and damage computer systems, with its delivery primarily facilitated through active mime documents - a method previously observe
KONNI (Unspecified, 1 vote): Konni is a malware, short for malicious software, that poses a significant threat to computer systems and data. It's designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin
Associated Threat Actors
ID (type, votes): Profile description
APT10 (Unspecified, 1 vote): APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted
Lazarus Group (Unspecified, 1 vote): The Lazarus Group, a threat actor attributed to North Korea, is renowned for its notorious cyber-exploitation activities. The group has been linked to various high-profile cyber-attacks, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022. This attack led
Sidewinder (Unspecified, 1 vote): The Sidewinder threat actor group, also known as Rattlesnake, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21, is a significant cybersecurity concern with a history of malicious activities dating back to 2012. This report investigates a recent campaign by Sidewind
APT34 (Unspecified, 1 vote): APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Kimsuky (Unspecified, 1 vote): Kimsuky, a threat actor linked to North Korea, has been identified as the perpetrator behind a series of advanced persistent threat (APT) attacks. The group is known for its malicious activities, which typically involve cyber espionage and targeted attacks on high-profile entities. Recently, Kimsuky
APT33 (Unspecified, 1 vote): APT33, an Iran-linked threat actor, has been identified as a significant cyber threat to the Defense Industrial Base sector. The group is known for its sophisticated and malicious activities, which primarily involve executing actions with harmful intent. APT33, like other threat actors, could be a s
APT36 (Unspecified, 1 vote): APT36, also known as Transparent Tribe and Earth Karkaddan, is a notorious threat actor believed to be based in Pakistan. The group has been involved in cyberespionage activities primarily targeting India, with a focus on government, military, defense, aerospace, and education sectors. Their campaig
APT29 (Unspecified, 1 vote): APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability
Evil Corp (Unspecified, 1 vote): Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
FIN12 (Unspecified, 1 vote): FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Oceanlotus Group (Unspecified, 1 vote): The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM wo
Ref2754 (Unspecified, 1 vote): REF2754 is a cybersecurity threat actor that has been linked with malicious activities targeting primarily Vietnamese entities. This group shares tactical similarities with another threat group referred to as REF4322, which is known for deploying a post-exploitation implant called PHOREAL (also know
APT28 (Unspecified, 1 vote): APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
SeaLotus (Unspecified, 1 vote): (no profile description)
Associated Vulnerabilities
ID (type, votes): Profile description
CVE-2017-11882 (Unspecified, 1 vote): CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
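The Equation Editor association above is worth a concrete triage check. The following is an added example written for this page, not code from Cybergeist or from any of the cited reports: a Python scanner that flags RTF documents embedding a Microsoft Equation 3.0 OLE object, the component affected by CVE-2017-11882. It looks for the Equation.3 object class, for the Equation 3.0 CLSID and class name inside the hex-encoded \objdata stream, and for the \objupdate control word that makes Word load the object without user interaction. The sample RTF it builds is constructed for the demo and carries no exploit payload, and the scanner does not attempt to defeat the obfuscation real weaponizers such as Royal Road apply to the hex stream.

```python
"""Flag RTF files that embed a Microsoft Equation 3.0 OLE object (CVE-2017-11882 surface).

Added triage example; not code from the Cybergeist page or the cited reports.
The document produced by build_sample_rtf() is constructed and carries no exploit.
"""
import re
from dataclasses import dataclass

# CLSID of Microsoft Equation 3.0, {0002CE02-0000-0000-C000-000000000046}, in the
# little-endian byte order used inside OLE compound-file directory entries.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

# \objclass naming Equation.3 (or another Equation.N); \objupdate loads the object on open.
OBJCLASS_RE = re.compile(rb"\\objclass\s*Equation(\.\d+)?\b", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\b([0-9a-fA-F\s]+)")


@dataclass
class RtfFinding:
    is_rtf: bool = False
    equation_objclass: bool = False           # \objclass Equation.3 present
    equation_classname_in_data: bool = False  # OLE1 header inside \objdata names Equation.3
    equation_clsid_in_data: bool = False      # Equation 3.0 CLSID inside \objdata
    objupdate: bool = False                   # object forced to load when the file opens

    @property
    def suspicious(self) -> bool:
        return (self.equation_objclass or self.equation_classname_in_data
                or self.equation_clsid_in_data)


def objdata_blobs(rtf: bytes):
    """Yield decoded \\objdata payloads; the hex stream is often split across lines."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            yield bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue


def scan_rtf(rtf: bytes) -> RtfFinding:
    f = RtfFinding()
    # Word accepts "{\rt" as the magic, so do not insist on the full "{\rtf1".
    if not rtf.lstrip().startswith(b"{\\rt"):
        return f
    f.is_rtf = True
    f.equation_objclass = OBJCLASS_RE.search(rtf) is not None
    f.objupdate = b"\\objupdate" in rtf
    for blob in objdata_blobs(rtf):
        if b"Equation.3" in blob:
            f.equation_classname_in_data = True
        if EQUATION_CLSID in blob:
            f.equation_clsid_in_data = True
    return f


def build_sample_rtf() -> bytes:
    """Constructed sample: an OLE1 wrapper naming Equation.3 whose data holds the CLSID."""
    classname = b"Equation.3\x00"
    ole1_header = (
        b"\x01\x05\x00\x00"                        # OLE version 0x00000501
        + b"\x02\x00\x00\x00"                      # FormatID 2: embedded object
        + len(classname).to_bytes(4, "little") + classname
        + b"\x00\x00\x00\x00" * 2                  # empty TopicName / ItemName
    )
    native = EQUATION_CLSID + b"\x00" * 16         # stand-in for compound-file data
    objdata = (ole1_header + len(native).to_bytes(4, "little") + native).hex().encode()
    # Break the hex stream across lines, as real-world samples commonly do.
    objdata = b"\n".join(objdata[i:i + 32] for i in range(0, len(objdata), 32))
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + objdata + b"}}}")


if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf()))
```

Any one of the three Equation indicators is enough to pull a document for manual review; \objupdate on its own is only a supporting signal, since legitimate documents can carry it, but combined with an Equation object it is the pattern the CVE-2017-11882 exploit documents rely on to fire without a click.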
Source Document References
Information about the OceanLotus threat actor was read from the document corpus below (the display is limited to 20 results).
Source, created: Title
MITRE, 7 months ago: RotaJakiro, the Linux version of the OceanLotus
MITRE, 7 months ago: The New and Improved macOS Backdoor from OceanLotus
CERT-EU, 10 months ago: Cybersecurity threatscape of Asia: 2022–2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Fortinet, a year ago: Key Findings from the 1H 2023 FortiGuard Labs Threat Report | FortiGuard Labs
CERT-EU, a year ago: Cloud Providers Becoming Key Players in Ransomware, Halcyon Warns
CERT-EU, a year ago: Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
CERT-EU, a year ago: Remove OuterSource Mac Virus [Solved]
CERT-EU, a year ago: CorporateGlobe Mac Virus Removal
CERT-EU, a year ago: StoreFlow Mac - Virus Removal
CERT-EU, a year ago: ExperienceSys Virus - Mac Removal Guide
CERT-EU, a year ago: TradeAero Mac Adware - Removal Guide
CERT-EU, a year ago: EssentialPlatform Virus - Mac Removal Guide
CERT-EU, a year ago: Ismilinstite Mac Virus Removal Guide [Working]
CERT-EU, a year ago: DesignationDrive Virus Mac Removal Guide
CERT-EU, a year ago: EnumeratorMachine Virus Mac - How to Remove It
CERT-EU, a year ago: Remove OpticalFraction Mac Virus [Fix Guide]
CERT-EU, a year ago: ElementBrowser Mac Virus Removal
CERT-EU, a year ago: Japan in the Crosshairs of Many State-Sponsored Threat Actors New Report Finds
CERT-EU, a year ago: New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies
MITRE, a year ago: Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group