Oceanlotus Group

Threat Actor Profile Updated 2 months ago
The OceanLotus Group, also known as APT32, is a threat actor suspected to originate from Vietnam. The group poses a significant threat to foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality sectors. It operates with a typical 9 AM to 6 PM working pattern on weekdays, which indicates a high level of organization.

The group's activities have been observed in several cyber-espionage operations, among them Operation Cobalt Kitty, in which it targeted a global corporation in Asia. It has also attacked governments, dissidents, and journalists in Southeast Asian countries, including Vietnam. During the investigation of Operation Cobalt Kitty, the cybersecurity firm Cybereason uncovered new tools in the OceanLotus Group's attack arsenal. The group has consistently used a particular type of shellcode across its operations, and a newly discovered malware family, KerrDown, is believed to be employed by it as well. This modus operandi and tooling served as behavioral fingerprints that were instrumental in attributing the large-scale cyber-espionage campaign to the OceanLotus Group.

Despite rumors and speculation in the InfoSec community, there is no publicly available evidence, as of the time of writing, confirming that the OceanLotus Group is a nation-state threat actor. Its capabilities and working methods are nonetheless well documented and pose a considerable threat to entities doing business in, or preparing to invest in, Vietnam. In addition, Cybereason attributed a previously unreported backdoor variant, "Denis," to the OceanLotus Group, further demonstrating the group's cyber-espionage capabilities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
APT32 | 2 | APT32, also known as OceanLotus Group, APT-C-00, Canvas Cyclone, and Cobalt Kitty, is a threat actor group suspected to originate from Vietnam. Active since at least 2012, this group has targeted foreign companies investing in Vietnam's manufacturing, consumer products, consulting, and hospitality s
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
Cobalt Kitty
Backdoor
Apt
Vulnerability
Exploits
Cybereason
Malware
Associated Malware
ID | Type | Votes | Profile Description
Kerrdown | Unspecified | 1 | KerrDown is a custom downloader malware family that has been actively employed by the cyber-espionage group OceanLotus since early 2018. The malware is designed to exploit and damage computer systems, with its delivery primarily facilitated through active mime documents - a method previously observe
Associated Threat Actors
ID | Type | Votes | Profile Description
OceanLotus | Unspecified | 1 | OceanLotus, also known as APT32, is a threat actor suspected to be linked with Vietnam. It primarily targets foreign companies involved in manufacturing, consumer products, consulting, and hospitality sectors that are investing or planning to invest in Vietnam. The group's recent activities indicate
SeaLotus | Unspecified | 1 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2017-11882 | Unspecified | 1 | CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
Source Document References
Information about the Oceanlotus Group threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
DARKReading | 3 months ago | Vietnamese Cybergang Nets Financial, Social Media Data
MITRE | a year ago | Tracking OceanLotus' new Downloader, KerrDown
MITRE | a year ago | Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE | a year ago | Fake or Fake: Keeping up with OceanLotus decoys | WeLiveSecurity
MITRE | a year ago | New MacOS Backdoor Connected to OceanLotus Surfaces