>samit_hota
Back to adversary profiles
G0050HighActive

APT32 (OceanLotus): A Persistent Threat to Southeast Asian Interests

Samit Hota·
Suspected Origin
Suspected Vietnam
Motivation
Espionage, Intelligence Gathering, Stealing Intellectual Property, Domestic Surveillance, Strategic, Political, Economic Goals
Aliases
SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH
Target Sectors
Governments, Private Corporations (Manufacturing, Consumer Products, Hospitality, Automotive, IT Infrastructure, Telecommunications, Aviation, Financial Services, Real Estate, Transport, Construction), Dissidents, Journalists, Human Rights Organizations, Civil Society Groups, Cybersecurity Professionals, Education, Banking
Associated Malware
WINDSHIELD, KOMPROGO, SOUNDBITE, PHOREAL, SPECTRALVIPER, ZiChatBot, Cobalt Strike, Kasperagent, Cobalt Kitty, Monero Coin Miners
#threat-actor#g0050

Overview

APT32, publicly known by various aliases such as OceanLotus, SeaLotus, APT-C-00, Canvas Cyclone, and BISMUTH, is a highly sophisticated and persistent cyber espionage group. We assess with high confidence that this group operates in alignment with Vietnamese state interests, having been active since at least 2012, with documented activities dating back to 2014. Their primary motivation is cyber espionage, focusing on intelligence gathering, stealing intellectual property, and conducting surveillance to support Vietnam’s strategic, political, and economic objectives.

Historically, APT32 has concentrated its operations on entities within Southeast Asia, including Vietnam, the Philippines, Laos, and Cambodia, but its reach has extended globally. Their typical targets are diverse and strategically chosen, encompassing foreign governments, various private sector industries (such as manufacturing, consumer products, hospitality, automotive, IT infrastructure, telecommunications, aviation, financial services, real estate, transport, and construction), as well as individuals like dissidents, journalists, human rights organizations, civil society groups, and, more recently, cybersecurity professionals. This wide targeting scope underscores their commitment to national interests, often reflecting geopolitical sensitivities and economic development goals.

Tactics & Techniques

APT32 employs a broad array of sophisticated tactics, techniques, and procedures (TTPs) to achieve its objectives, constantly evolving its methods to evade detection and maintain persistence. For initial access, spearphishing remains a staple, with emails often containing malicious attachments or links leading to compromised websites or credential harvesting pages. They are also adept at watering hole attacks, compromising websites frequented by their targets to infect visitors. In recent years, APT32 has diversified its initial access vectors to include exploiting public-facing applications, leveraging 0-day and N-day vulnerabilities, compromising IoT devices, and executing complex supply-chain attacks. This includes compromising legitimate software update servers and distributing backdoored plugins through trusted platforms like GitHub.

Once initial access is gained, APT32 utilizes various execution methods, such as DLL side-loading, and abusing legitimate Windows utilities like regsvr32.exe, rundll32.exe, PubPrn.vbs, and PowerShell scripts often loaded via scheduled tasks or Windows services. For persistence, they frequently establish scheduled tasks, modify registry keys, or create new Windows services to ensure their malicious payloads are executed at intervals or upon system startup.

Defense evasion is a hallmark of APT32’s operations. They employ sophisticated obfuscation techniques, including Base64 encoding and leveraging frameworks like Invoke-Obfuscation and Dont-Kill-My-Cat (DKMC), to conceal their PowerShell scripts and other payloads. The group also uses garbage code to mislead analysis, hides files and windows, utilizes NTFS alternate data streams, and abuses legitimately signed executables for DLL side-loading. Living-off-the-land techniques, using native system tools for post-exploitation activity, are commonly observed to blend in with legitimate network activity.

For credential access, APT32 is known to deploy tools like Mimikatz, Windows Credential Dumper, and Outlook Credential Dumper, alongside techniques such as pass the hash and pass the ticket. They also harvest browser-stored credentials and cookies. Discovery within compromised networks involves commands like ipconfig /all, netstat -anpo tcp, and whoami, as well as querying the Windows Registry to gather system information, OS versions, and computer names. Lateral movement is achieved through methods such as pass the hash/ticket, Windows Management Instrumentation (WMI), and leveraging hidden network shares.

Command and Control (C2) communication often relies on custom backdoors utilizing encrypted channels and HTTP/HTTPS over non-standard ports. APT32 also abuses legitimate cloud services like Dropbox, Amazon S3, Google Drive, and Zulip for C2 infrastructure and to host malicious downloads, further complicating detection. Data exfiltration typically occurs over these established C2 channels, sometimes employing techniques like encoding data in DNS packets. Privilege escalation is achieved by exploiting known vulnerabilities, such as CVE-2016-7255. They also engage in victim profiling based on browser and operating system information and register look-alike domains for their phishing operations.

Notable Campaigns

APT32 has a history of high-impact campaigns demonstrating its capabilities and evolving priorities:

  • 2014 Phishing Campaign: One of their earliest documented campaigns involved phishing attacks against staff of a digital rights organization, delivering malware via emails.
  • Industrial Espionage (2016-2018): The group conducted a year-long cyberattack against a global corporation in Asia, focusing on intellectual property and confidential business information. They also engaged in extensive industrial espionage targeting major automobile manufacturers like BMW, Toyota, and Hyundai, which appeared to align with Vietnam’s manufacturing interests.
  • Wuhan COVID-19 Intelligence Collection (January-April 2020): APT32 carried out intrusion campaigns against Chinese targets to collect intelligence on the COVID-19 crisis, including spear-phishing entities like China’s Ministry of Emergency Management and the government of Wuhan.
  • Domestic Surveillance (2018-2020): They conducted surveillance on Vietnamese political activists, including pro-democracy blogger Bui Thanh Hieu and the Vietnamese Overseas Initiative for Conscience Empowerment (VOICE) organization.
  • BISMUTH Coin Mining (July-August 2020): In campaigns linked to their “BISMUTH” alias, the group deployed Monero coin miners targeting both private sector and government institutions in France and Vietnam.
  • NGO and Human Rights Organization Targeting (August 2024): APT32 executed a multi-year intrusion against a Vietnamese human-rights non-profit organization, deploying custom backdoors and employing scheduled tasks for persistence and data theft.
  • Infrastructure and Transport Espionage (Mid-2024 to February 2026): The group conducted a prolonged cyber espionage operation against a Vietnamese infrastructure and transport construction corporation, deploying their SPECTRALVIPER backdoor via DLL side-loading for approximately 15 months.
  • Supply Chain Attacks (2025-2026):
    • GitHub-based Attack (January 2025): APT32 leveraged GitHub infrastructure to target Chinese cybersecurity professionals and FinTech developers by distributing a backdoored Cobalt Strike plugin within a Visual Studio project.
    • FireAnt Metakit Compromise (October 2025 - March 2026): They compromised the update server of FireAnt Metakit, a Vietnamese stock investment software platform, to push malicious updates containing SPECTRALVIPER to a targeted subset of stock investors.

Associated Malware & Tools

APT32 possesses a robust and continually evolving arsenal of custom malware and leverages commercially available tools. Their bespoke backdoor suite is a signature of their operations, including:

  • WINDSHIELD
  • KOMPROGO
  • SOUNDBITE
  • PHOREAL
  • SPECTRALVIPER: A newer, previously undocumented backdoor and loader, first observed in 2023 and heavily used in recent domestic espionage campaigns.
  • ZiChatBot: Another custom backdoor family.
  • Dedicated macOS Backdoor: Demonstrates their cross-platform targeting capabilities.

In addition to their custom toolset, APT32 frequently incorporates commercially available tools and living-off-the-land binaries. These include the Cobalt Strike BEACON for post-exploitation activities, and credential dumping tools like Mimikatz and customized versions of Windows Credential Dumper and Outlook Credential Dumper. Earlier malware identified with the group includes Kasperagent (a downloader) and Cobalt Kitty (a backdoor). During some operations attributed to their BISMUTH alias, they have also deployed Monero coin miners. Their use of public cloud services like Dropbox, Amazon S3, and Google Drive for C2 and delivery further exemplifies their adaptive nature.

Current Status

APT32 remains an active and formidable cyber espionage group. We have observed continuous activity up to March 2026, with recent campaigns indicating a strategic pivot in their operational focus. While still conducting external espionage, particularly within Southeast Asia, there’s a notable and increasing emphasis on domestic intelligence collection inside Vietnam.

This shift is evident in their 2024-2026 operations, which targeted Vietnamese financial services, stock investors, and critical infrastructure (transport and construction sectors). The group continues to demonstrate high technical capability and adaptability, employing advanced tradecraft such as supply-chain compromises (e.g., FireAnt Metakit) and weaponizing trusted developer workflows (e.g., backdoored Cobalt Strike plugins on GitHub). APT32’s ongoing evolution and persistent targeting of sensitive sectors and individuals underscore the sustained risk they pose to organizations operating in and around Southeast Asia, as well as to those involved in politically sensitive areas globally.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call