APT32
Also known as: SeaLotus · OceanLotus · APT-C-00 · Canvas Cyclone · BISMUTH
Overview
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. For initial access it has relied heavily on strategic web compromises (watering-hole attacks on sites its targets visit) alongside spearphishing.
Targets
Civil society · Dissidents · Government · Journalists · Private sector
Regions
Association of Southeast Asian Nations · China · Germany · Philippines · United States · Vietnam
Capabilities
- Exploitation of client applications (ATT&CK T1203 Exploitation for Client Execution)
- Custom malware/implant development (10 attributed custom malware families)
TTPs (78 techniques across 14 tactics)
Reconnaissance
- T1589 Gather Victim Identity Information
- T1589.002 Email Addresses
- T1598.003 Spearphishing Link
Resource Development
- T1583.001 Domains
- T1583.006 Web Services
- T1585.001 Social Media Accounts
- T1588.002 Tool
- T1608.001 Upload Malware
- T1608.004 Drive-by Target
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.007 JavaScript
- T1072 Software Deployment Tools
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1569.002 Service Execution
Persistence
- T1137 Office Application Startup
- T1505.003 Web Shell
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- No techniques are listed separately under this tactic on this page; several techniques listed elsewhere (for example T1053.005, T1543.003, T1547.001, T1055, T1078.003) also map to Privilege Escalation in ATT&CK.
Stealth (ATT&CK Defense Evasion)
- T1027.010 Command Obfuscation
- T1027.011 Fileless Storage
- T1027.013 Encrypted/Encoded File
- T1027.016 Junk Code Insertion
- T1036 Masquerading
- T1036.003 Rename Legitimate Utilities
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1055 Process Injection
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1078.003 Local Accounts
- T1216.001 PubPrn
- T1218.005 Mshta
- T1218.010 Regsvr32
- T1218.011 Rundll32
- T1564.001 Hidden Files and Directories
- T1564.003 Hidden Window
- T1564.004 NTFS File Attributes
- T1574.001 DLL
Defense Impairment (ATT&CK Defense Evasion)
- T1112 Modify Registry
- T1222.002 Linux and Mac Permissions
- T1685.005 Clear Windows Event Logs (T1070.001 in ATT&CK v17 and earlier)
Credential Access
- T1003 OS Credential Dumping
- T1003.001 LSASS Memory
- T1552.002 Credentials in Registry
Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
- T1135 Network Share Discovery
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
- T1550.002 Pass the Hash
- T1550.003 Pass the Ticket
- T1570 Lateral Tool Transfer
Collection
- T1056.001 Keylogging
- T1560 Archive Collected Data
Command and Control
- T1071.001 Web Protocols
- T1071.003 Mail Protocols
- T1102 Web Service
- T1105 Ingress Tool Transfer
- T1571 Non-Standard Port
Exfiltration
- No techniques are listed separately under this tactic on this page.
Tools & malware (15)
Mimikatz · ipconfig · Kerrdown · Cobalt Strike · SOUNDBITE · OSX_OCEANLOTUS.D · KOMPROGO · netsh · RotaJakiro · PHOREAL · Arp · WINDSHIELD · Denis · Net · Goopy
Reporting (3)
- How Microsoft names threat actors — Microsoft
- Vietnamese activists targeted by notorious hacking group — Amnesty International
- Fake or Fake: Keeping up with OceanLotus decoys — Dumont, R. (ESET WeLiveSecurity)