Mallory: Malware. Used by 1 actor. Exploits 1 CVE.

SOUNDBITE

SOUNDBITE is a malware family associated with the Vietnam-aligned cyber espionage group APT32, also known as OceanLotus. FireEye/Mandiant identified it as one of APT32’s signature malware families, alongside WINDSHIELD, KOMPROGO, and PHOREAL, and reported its use in targeted intrusions against private-sector organizations and other victims aligned with Vietnamese state interests. Reported targeting tied to APT32 activity includes corporations with business interests in Vietnam, particularly in manufacturing, consumer products, hospitality, network security, technology infrastructure, banking, and media, as well as foreign governments, dissidents, journalists, and members of the Vietnamese diaspora.

The broader APT32 intrusion activity described in the source material relied heavily on spear-phishing emails delivering ActiveMime '.mht' lure documents disguised as '.doc' files that prompted victims to enable macros and then downloaded multiple payloads; however, the content does not explicitly state that SOUNDBITE itself was always the payload delivered by that vector. High-confidence capabilities directly attributed to SOUNDBITE in the content are enumerating application windows and modifying the Windows Registry. The content also states that an APT32 backdoor modified the Registry to store backdoor configuration, but it does not explicitly confirm that this specific behavior belongs to SOUNDBITE rather than another APT32 implant.

FireEye reported SOUNDBITE in APT32 activity affecting consumer products organizations in the Philippines and United States in 2016. An alias relationship is also noted in the content: SOUNDBITE is referred to as 'Denis.' No specific hashes, filenames, mutexes, or command-and-control indicators are provided for SOUNDBITE in the supplied material.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2016-7255: Win32k Elevation of Privilege Vulnerability (exploited in the wild)

During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.

Source: web.archive.org
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT32

Some of the key tools in its arsenal include SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and, more recently, SPECTRALVIPER...

Source: thehackernews.com
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 2)

“APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros… APT32 actors continue to deliver the malicious attachments via spear-phishing emails.”

Execution

2 techniques
T1059.005 Visual Basic (evidence: 1)

“The Base64 encoded ActiveMime data also contained an OLE file with malicious macros.”

T1204.002 Malicious File (evidence: 1)

“APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros.”

Persistence

1 technique
T1112 Modify Registry (evidence: 6)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

Stealth

1 technique
T1036 Masquerading (evidence: 2)

“installed one backdoor as a persistent service with a legitimate service name… Another backdoor used an otherwise legitimate DLL filename…”

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 6)

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

Discovery

3 techniques
T1010 Application Window Discovery (evidence: 2)

Multiple malware families are described as identifying/enumerating open windows or capturing foreground window titles (e.g., via EnumWindows, GetForegroundWindow, GetWindowText) to understand user activity and provide context for keylogging/screencapture.

T1082 System Information Discovery (evidence: 4)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (evidence: 3)

“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”

Command and Control

2 techniques
T1071.004 DNS (evidence: 2)

“SOUNDBITE C2 communications via DNS”

T1105 Ingress Tool Transfer (evidence: 1)

“Upon execution, the initialized file downloads multiple malicious payloads from remote servers.”

INDICATORS OF COMPROMISE

IOCs tracked for this family

61 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (50 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Hashes (11 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
