The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. This group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. The group operates with a typical 9 AM to 6 PM working pattern on weekdays, indicating a high level of organization. Their activities have been observed in various cyber-espionage operations, such as Operation Cobalt Kitty, where they targeted a global corporation in Asia. They have also attacked governments, dissidents, and journalists in Southeast Asian countries, including Vietnam.
During the investigation of Operation Cobalt Kitty, the security firm Cybereason documented new tools in the OceanLotus Group's arsenal, including a shellcode loader the group reused consistently across its intrusions. Separately, a malware family named KerrDown has since been reported and is assessed to be used by the OceanLotus Group. The group's tooling and modus operandi served as behavioral fingerprints that were instrumental in attributing this large-scale cyber-espionage campaign to the OceanLotus Group.
Despite rumors and speculation in the InfoSec community, there was, at the time of writing, no publicly available evidence confirming that the OceanLotus Group is a nation-state threat actor. Regardless of sponsorship, the group's capabilities and working methods are well documented and pose a considerable threat to entities doing business in, or preparing to invest in, Vietnam. Cybereason also attributed a previously unreported backdoor variant, "Denis," to the OceanLotus Group, further evidence of the group's mature cyber-espionage tooling.
Description last updated: 2024-04-09T05:15:34.104Z