OCEANMAP
OCEANMAP is a C#/.NET malware family associated in multiple reports with APT28 (Fancy Bear/Forest Blizzard/GRU Unit 26165). Public reporting describes it primarily as a backdoor that uses email as a command-and-control channel, specifically IMAP and, in some reporting, IMAP drafts for C2. IBM X-Force described OCEANMAP as a more capable successor to CredoMap. Reporting also states that an updated OCEANMAP variant functioned as a stealer, relying on IMAP to exfiltrate credentials stored in web browsers.
Observed delivery and operational context include spear-phishing campaigns. One campaign documented by CERT-UA and analyzed by third parties used phishing emails from compromised accounts, malicious landing pages, WebDAV-hosted .search-ms files, and LNK payloads to execute the MASEPIE Python backdoor; OCEANMAP was referenced in that reporting, but the report explicitly stated that its execution context and direct linkage to that specific campaign could not be reliably confirmed. Other reporting states APT28 used phishing emails to distribute malware families including HeadLace and OCEANMAP, and that OCEANMAP updates were reportedly deployed through STEELHOOK and MASEPIE between December 2023 and February 2024.
Behaviorally, OCEANMAP uses IMAP/IMAPS over attacker-controlled email accounts for C2 or exfiltration. A referenced sample, VMSearch.exe, established persistence by creating an Internet shortcut named EdgeContext.url in the user Startup folder that opened a local file via a file:-type URL. The same reporting states the malware attempted IMAP/S connections to 74.124.219[.]71 and, on failure, to webmail.facadesolutionsuae[.]com, using the email accounts jrb[@]bahouholdings[.]com and qasim.m[@]facadesolutionsuae[.]com as fallback credentials/accounts.
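As an added illustration of a defensive check for the persistence mechanism described above (this is not code from the reporting or from Mallory): the script parses Internet Shortcut (.url) files found in a Startup folder and flags any whose URL= entry uses the file: scheme, which is how the EdgeContext.url artifact launched a local file. The Startup path is the standard per-user Windows location; the two shortcut bodies and the target path C:/Users/Public/constructed_sample.exe are constructed for the demonstration, since the reporting does not publish the real target.

```python
"""Hunt for OCEANMAP-style persistence: Internet Shortcut (.url) files dropped in the
user's Startup folder whose URL= entry points at a local file via the file: scheme.
Added illustration; the file bodies below are constructed, not samples from the reporting."""
import os
import tempfile
from urllib.parse import urlsplit, unquote

# Extensions a Startup-folder Internet Shortcut has no legitimate reason to launch.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".scr"}


def default_startup_folder():
    """Per-user Startup folder on Windows (%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                        "Start Menu", "Programs", "Startup")


def parse_internet_shortcut(text):
    """Parse the INI-like body of a .url file into {section: {key: value}}.
    Section names and keys are lower-cased; a leading BOM, blank lines and
    comment lines are ignored, as are lines without '='."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _local_path(parts):
    """Turn the pieces of a file: URL into a readable local path ("/C:/x" -> "C:/x")."""
    host = "" if parts.netloc.lower() in ("", "localhost") else parts.netloc
    path = unquote(host + parts.path)
    if len(path) > 2 and path[0] == "/" and path[2] == ":":
        path = path[1:]
    return path


def assess_shortcut(text):
    """Return a list of findings for one .url body; an empty list means nothing notable."""
    findings = []
    url = parse_internet_shortcut(text).get("internetshortcut", {}).get("url")
    if url is None:
        return ["no URL= entry under [InternetShortcut]"]
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        target = _local_path(parts)
        findings.append(f"file: scheme shortcut targets local path {target}")
        ext = os.path.splitext(target)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"target has executable extension {ext}")
    elif scheme not in ("http", "https"):
        findings.append(f"unexpected URL scheme {scheme!r}")
    return findings


def scan_startup_folder(folder):
    """Assess every .url file in `folder`; returns {filename: findings} for flagged files only."""
    flagged = {}
    for entry in sorted(os.scandir(folder), key=lambda e: e.name):
        if entry.is_file() and entry.name.lower().endswith(".url"):
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                findings = assess_shortcut(fh.read())
            if findings:
                flagged[entry.name] = findings
    return flagged


# Constructed shortcut bodies for a self-contained run (the real target path is not published).
SUSPICIOUS_URL = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/constructed_sample.exe\r\nIconIndex=0\r\n"
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"


def demo():
    """Write the two constructed shortcuts into a temporary 'Startup' folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("EdgeContext.url", SUSPICIOUS_URL), ("benign.url", BENIGN_URL)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8", newline="") as fh:
                fh.write(body)
        return scan_startup_folder(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

On a live host, call `scan_startup_folder(default_startup_folder())` instead of `demo()`; the check is deliberately scheme-based rather than name-based, because the EdgeContext.url filename is a single observed artifact and a renamed shortcut should still be caught.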
High-confidence indicators directly mentioned in the content include: VMSearch.exe SHA-256 24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04; an older OCEANMAP sample SHA-256 770206424b8def9f6817991e9a5e88dc5bee0adb54fc7ec470b53c847154c22b; persistence artifact EdgeContext.url; network infrastructure 74.124.219[.]71 and webmail.facadesolutionsuae[.]com; and email accounts jrb[@]bahouholdings[.]com and qasim.m[@]facadesolutionsuae[.]com.
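The indicators listed above, run against a handful of constructed log lines, as an added example of a simple hunt (this is not part of the page or of Mallory's own matching). It refangs the published values, compiles boundary-aware patterns so that near-miss values such as 174.124.219.71 do not fire, and reports which line matched which indicator. The log format and the hostnames and paths in SAMPLE_LOGS are invented for the demonstration; only the indicator values come from the reporting.

```python
"""Match the OCEANMAP indicators quoted on this page against log lines.
Indicators are kept defanged as published; refang() converts them for matching."""
import re

# Indicator values taken from the reporting summarized above (defanged as published).
OCEANMAP_IOCS = {
    "sha256": [
        "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04",  # VMSearch.exe
        "770206424b8def9f6817991e9a5e88dc5bee0adb54fc7ec470b53c847154c22b",  # older sample
    ],
    "ipv4": ["74.124.219[.]71"],
    "domain": ["webmail.facadesolutionsuae[.]com"],
    "email": ["jrb[@]bahouholdings[.]com", "qasim.m[@]facadesolutionsuae[.]com"],
    "filename": ["VMSearch.exe", "EdgeContext.url"],
}


def refang(indicator):
    """Undo common defanging: 74.124.219[.]71 -> 74.124.219.71, a[@]b -> a@b, hxxp -> http."""
    return (indicator.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def _pattern(kind, value):
    """Build a regex that matches the indicator as a whole token, not as a substring."""
    v = re.escape(value)
    if kind == "domain":  # also match hosts under the indicator, e.g. sub.<domain>
        return re.compile(rf"(?<![\w-])(?:[\w-]+\.)*{v}(?![\w-])", re.I)
    if kind == "ipv4":    # 174.124.219.71 must not match 74.124.219.71
        return re.compile(rf"(?<![\d.]){v}(?![\d.])")
    return re.compile(rf"(?<![\w-]){v}(?![\w-])", re.I)  # hashes, emails, filenames


def compile_iocs(iocs=OCEANMAP_IOCS):
    """Return [(kind, refanged_value, compiled_regex), ...] in the order given."""
    compiled = []
    for kind, values in iocs.items():
        for value in values:
            clean = refang(value)
            compiled.append((kind, clean, _pattern(kind, clean)))
    return compiled


def match_log_lines(lines, compiled=None):
    """Scan an iterable of lines; return (line_number, kind, indicator) hits, 1-based."""
    compiled = compiled or compile_iocs()
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, value, pattern in compiled:
            if pattern.search(line):
                hits.append((number, kind, value))
    return hits


# Constructed log lines: the format, client addresses and file paths are invented.
SAMPLE_LOGS = [
    "2024-01-10T08:01:12Z fw action=allow src=10.0.0.23 dst=74.124.219.71 dport=993 proto=tcp",
    "2024-01-10T08:02:40Z dns query=webmail.facadesolutionsuae.com type=A client=10.0.0.23",
    r"2024-01-10T08:03:05Z edr event=process_create image=C:\Users\alice\AppData\Local\Temp\VMSearch.exe "
    "sha256=24FD571600DCC00BF2BB8577C7E4FD67275F7D19D852B909395BEBCBB1274E04",
    r"2024-01-10T08:03:06Z edr event=file_create path=C:\Users\alice\AppData\Roaming\Microsoft\Windows"
    r"\Start Menu\Programs\Startup\EdgeContext.url",
    "2024-01-10T08:04:00Z mail imap login user=qasim.m@facadesolutionsuae.com host=webmail.facadesolutionsuae.com result=ok",
    "2024-01-10T08:05:00Z fw action=allow src=10.0.0.24 dst=174.124.219.71 dport=443",  # near miss, no hit
    "2024-01-10T08:06:00Z dns query=example.com type=A client=10.0.0.25",
]


if __name__ == "__main__":
    for number, kind, value in match_log_lines(SAMPLE_LOGS):
        print(f"line {number}: {kind} {value}")
```

Real logs can be streamed straight in with `match_log_lines(open(path))`. The domain pattern deliberately matches hosts beneath the published one, while e-mail addresses and hashes must match exactly (hashes case-insensitively, since EDR products differ in how they print hex).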
Victimology in the surrounding reporting ties APT28 activity involving OCEANMAP and related tooling to Ukrainian government organizations, other sectors in Ukraine, and entities in Europe and other Western countries. Broader APT28 reporting also notes targeting of government, defense, logistics, transportation, IT, diplomatic, energy, and research organizations, but the reporting only directly supports the narrower OCEANMAP-specific targeting described above.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...using phishing emails to distribute malware families like HeadLace and OCEANMAP...
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
OCEANMAP : C# backdoor, described by IBM X-Force as a more capable successor of CredoMap, uses IMAP drafts for C2.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 1 technique
Credential Access: 1 technique
Command and Control: 1 technique
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A C# backdoor using IMAP drafts for command-and-control, described as a more capable successor to CredoMap.
Malware family distributed via phishing in APT28-linked activity (details not provided in the content).
.NET backdoor enabling remote command execution via an email-based C2 channel over IMAPS. Establishes persistence via a Startup-folder Internet Shortcut (EdgeContext.url). Retrieves commands from Drafts, executes via cmd.exe, and can self-modify by patching its own binary to update C2 servers/accounts and beacon interval, relaunching via a _tmp.exe replacement workflow.
Backdoor used by APT28; associated with C2 infrastructure artifacts.