Threat Actor

OceanLotus / APT32

oceanlotus_apt32 · vietnam · active since 2012

OceanLotus / APT32 (canonical FireEye / Mandiant naming "APT32" per the May 2017 disclosure; canonical SkyEye Labs / Qihoo 360 original naming "OceanLotus" per the May 2015 first public naming; Microsoft canonical naming "Canvas Cyclone", formerly Bismuth; alternative naming SeaLotus / ATK17 / APT-C-00) is the Socialist Republic of Vietnam government-aligned cyber-espionage cluster, likely affiliated with the Vietnamese Ministry of Public Security per FireEye/Mandiant analysis. It has been publicly active since at least 2012, with the first publicly tracked operations in 2014 (Electronic Frontier Foundation, AP and Vietnamese activist targeting).

Vietnam-aligned attribution is assessed at high confidence across convergent FireEye/Mandiant, ESET, Kaspersky GReAT, Microsoft Threat Intelligence Center, Volexity and Amnesty International analyses, with no formal Vietnamese government acknowledgment.

Primary mission objectives are intelligence collection from Vietnamese diaspora dissidents, Vietnamese government critics, foreign corporations with Vietnam business interests, ASEAN diplomatic targets and South China Sea negotiation participants; automotive industry intellectual property (the 2019 Toyota, Honda and BMW campaign supporting Vietnam's VinFast-era domestic EV manufacturing goals); COVID-19 pandemic response intelligence (Chinese Ministry of Emergency Management and Wuhan government targeting in 2020); and the Philippines government (May 2017 Duterte-Trump and Duterte-Xi Jinping conversation leak).

Signature operational tradecraft includes macOS malware capability (operationally distinctive and rare among APT clusters): the Goopy macOS backdoor abusing Google Docs for C2, the OceanLotus macOS trojan and Bundlore.

Custom Windows backdoors: WINDSHIELD, PHOREAL, SOUNDBITE (DNS-based), KOMPROGO, the KERRDOWN downloader and the Roland framework.

Heavily customized Cobalt Strike with malleable C2 profiles mimicking legitimate traffic (Microsoft Update, Google services, CDN).

DLL side-loading via legitimate signed application binaries.

100+ compromised websites running JavaScript Framework A and Framework B for visitor profiling, per the Volexity November 2017 OceanLotus Blossoms disclosure; typo-squatting domains.

Substantial U.S.-based attack infrastructure.

Facebook CyberOne Group corporate-front linkage (December 2020).

Amnesty International confirmation of Vietnamese human rights defender (HRD) targeting (February 2021).

The cluster fills the Vietnam-attributed APT cell in the curated corpus and is the first Vietnam-aligned cluster in it, complementing aoqin_dragon (curated separately as China-attributed activity targeting Vietnam, the opposite attribution direction).

Country: Vietnam · Confidence: high · 19 aliases · MITRE ATT&CK G0050

Profile

OceanLotus / APT32 (canonical FireEye / Mandiant naming "APT32" per the May 2017 disclosure; canonical SkyEye Labs (Qihoo 360) original naming "OceanLotus" per the May 2015 first public naming; Microsoft canonical naming "Canvas Cyclone" (formerly Bismuth); alternative naming SeaLotus / ATK17 / APT-C-00) is the Socialist Republic of Vietnam government-aligned cyber-espionage cluster, likely affiliated with the Vietnamese Ministry of Public Security per FireEye / Mandiant analysis. The cluster has been publicly active since at least 2012 (multiple sources establish 2012-2014 as the earliest tracked activity), with the first publicly tracked operations in 2014 (Electronic Frontier Foundation, AP and Vietnamese activist targeting). Vietnam-aligned attribution is assessed at high confidence across convergent FireEye/Mandiant, ESET, Kaspersky GReAT, Microsoft Threat Intelligence Center, Volexity and Amnesty International analyses, with no formal Vietnamese government acknowledgment. Per the FireEye May 2017 canonical disclosure: "APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests."

Operational phases:
  (1) Earliest operational emergence (2012-2014). 2014 EFF, AP and Vietnamese activist targeting is the first publicly tracked activity. 2014 compromise of a European corporation prior to its construction of a Vietnam manufacturing facility (FireEye documented).
  (2) SkyEye Labs first naming (May 2015). The Qihoo 360 cybersecurity firm published the first OceanLotus naming following research into China-targeting operations. This established the cluster's China-targeting pattern, consistent with Vietnam's strategic interest in Chinese maritime infrastructure intelligence given South China Sea geopolitical tensions.
  (3) FireEye canonical APT32 disclosure (May 2017). A FireEye Community Protection Event consolidated four previously unrelated clusters into APT32 and linked twelve prior intrusions. Canonical Vietnam-aligned attribution established.
  (4) Volexity OceanLotus Blossoms era (November 2017). 100+ compromised websites for mass digital surveillance. ASEAN summit targeting. JavaScript Framework A and B visitor profiling. Volexity compared the operational scale to Turla.
  (5) Philippines presidential conversation leak (May 2017). Duterte-Trump and Duterte-Xi Jinping conversation files leaked via a malware detection platform.
  (6) Automotive sector campaign (February 2019+). Toyota, Honda and BMW compromises supporting Vietnam's domestic vehicle and auto-part manufacturing goals (the VinFast EV manufacturer emergence era).
  (7) COVID-19 pandemic espionage (early 2020). Chinese Ministry of Emergency Management and Wuhan government targeting using COVID-19 lures.
  (8) Facebook CyberOne Group linkage (December 2020). First publicly attributed corporate front-organization operational connection.
  (9) Amnesty International HRD targeting disclosure (February 2021). Targeting of Vietnamese human rights defenders and a non-profit organization documented.
  (10) Continued operations (2022-2026). ThreatBook January 2025 disclosure of Chinese cybersecurity researcher targeting matching APT32 patterns. Sustained operational tempo through 2026.

Signature operational tradecraft
  • macOS malware capability (operationally distinctive, rare): APT32 is one of a small number of APT groups that develop dedicated macOS malware alongside Windows tooling. Goopy macOS backdoor (abuses Google Docs for C2), OceanLotus macOS trojan (multi-stage implant), Bundlore macOS adware-delivery malware. This extends targeting reach to journalists, activists and creative professionals using macOS.
  • Custom Windows backdoors (signature; cluster-defining): WINDSHIELD (full-featured modular backdoor), PHOREAL (targeted-campaign backdoor), SOUNDBITE (DNS-based backdoor with C2 over DNS queries), KOMPROGO (backdoor payload), KERRDOWN (downloader for additional payloads), Roland (custom malware framework).
  • Heavily customized Cobalt Strike: malleable C2 profiles mimicking legitimate traffic (Microsoft Update, Google services, CDN traffic).
  • DLL side-loading via legitimate application binary: signature tradecraft. Phishing documents drop a legitimate, signed application binary alongside a malicious DLL bearing the name of one the binary imports; Windows's DLL search order resolves the DLL from the application's own directory first, so the legitimate process loads the malicious code.
  • JavaScript Framework A + B for victim profiling: signature watering-hole tradecraft across 100+ compromised websites, profiling and fingerprinting each visitor on each visit.
  • Typo-squatting domains mimicking legitimate services: signature infrastructure tradecraft.
  • Substantial U.S.-based attack infrastructure: per Volexity 2017, "a substantial portion of the attack infrastructure that OceanLotus has been using is located in the United States."
  • Vietnamese diaspora dissident targeting: signature primary mission objective.
  • ASEAN summit + South China Sea negotiations targeting: signature foreign-policy intelligence collection mission.
  • Foreign corporations with Vietnam business interests targeting: signature economic-intelligence mission.
  • Long-term persistence with patient tradecraft: per the Security Scientist case study, 6+ months of sustained access with multi-backdoor footholds, lateral movement via stolen credentials and RDP, and slow exfiltration to avoid volume-based anomaly detection.

The cluster fills the Vietnam-attributed APT cell in this curated corpus and is the first Vietnam-aligned cluster in it. It is operationally distinct from aoqin_dragon (curated separately as China-attributed activity targeting Vietnam, the opposite attribution direction). It is significant for representing the Vietnamese state-aligned cyber operations ecosystem and providing regional context for the broader Southeast Asian APT cluster ecosystem.
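As an added illustration (not part of the original profile and not any vendor's tooling), the following Python sketches defender-side detections for two of the tradecraft items listed above: DLL side-loading beside a signed binary, and backdoor C2 carried in DNS queries. The Sysmon-style image-load records and the DNS log lines are constructed; the field names, the score thresholds and the two-label shortcut for the registered domain are assumptions a real deployment would replace with its own telemetry schema and a public-suffix list.

```python
"""Detection heuristics for DLL side-loading and DNS-carried C2.
Added example with constructed input; not the page's or any vendor's code."""
import math
from collections import defaultdict

# Constructed records in the shape of Sysmon Event ID 7 (ImageLoaded).
# Field names are assumptions; map them to your own pipeline's schema.
IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "ImageSigned": True, "DllSigned": True},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "ImageSigned": True, "DllSigned": False},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "ImageSigned": True, "DllSigned": True},
]

# Directories where a signed binary is expected to live; assumed baseline.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dirname(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def sideload_candidates(events):
    """Flag a signed executable loading an UNSIGNED DLL from its own
    directory when that directory is outside the usual install roots.
    That is the pattern described above: a legitimate binary dropped next
    to a malicious DLL so the normal search order loads the DLL."""
    hits = []
    for ev in events:
        if not ev["ImageSigned"] or ev["DllSigned"]:
            continue
        img_dir = _dirname(ev["Image"])
        if _dirname(ev["ImageLoaded"]) != img_dir:
            continue
        if img_dir.startswith(TRUSTED_DIRS):
            continue
        hits.append(ev["ImageLoaded"])
    return hits


# Constructed DNS query log: "<client> <qname> <qtype>" per line.
DNS_LOG = """\
10.0.0.5 www.example.org A
10.0.0.5 mail.example.org A
10.0.0.7 4f2a9c1e7b3d.cdn-update.example A
10.0.0.7 9e1d0b7c3a55.cdn-update.example A
10.0.0.7 b7c3a559e1d0.cdn-update.example A
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f9.cdn-update.example TXT
10.0.0.9 login.microsoftonline.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append({"client": parts[0], "qname": parts[1].lower(), "qtype": parts[2]})
    return rows


def registered_domain(qname):
    # Assumption: last two labels. Use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def dns_c2_suspects(rows, min_unique=3, entropy_threshold=3.0, long_label=24):
    """Score each (client, registered domain) pair on signals typical of a
    DNS-based backdoor: many distinct subdomains, high-entropy labels, long
    labels and TXT queries. Returns pairs scoring 2 or more with their score."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["client"], registered_domain(r["qname"]))].append(r)
    suspects = {}
    for (client, dom), qs in by_pair.items():
        subs = {r["qname"][: -len(dom) - 1] for r in qs if r["qname"] != dom}
        first_labels = [s.split(".")[0] for s in subs]
        score = 0
        score += len(subs) >= min_unique
        score += any(shannon_entropy(l) >= entropy_threshold for l in first_labels)
        score += any(len(l) >= long_label for l in first_labels)
        score += any(r["qtype"] == "TXT" for r in qs)
        if score >= 2:
            suspects[(client, dom)] = int(score)
    return suspects


if __name__ == "__main__":
    print("side-load candidates:", sideload_candidates(IMAGE_LOADS))
    print("DNS C2 suspects:", dns_c2_suspects(parse_dns_log(DNS_LOG)))
```

Both heuristics are deliberately simple and will need tuning: legitimate CDNs and anti-virus update services also produce many distinct high-entropy subdomains, so the DNS score is best used to rank pairs for analyst review rather than to alert on its own, and the side-loading check should be paired with a baseline of which signed binaries normally run from user-writable paths.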

Aliases

19
apt32, apt 32, oceanlotus, ocean lotus, ocean_lotus, oceanlotus group, ocean lotus apt, bismuth, canvas cyclone, canvas_cyclone, sealotus, sea lotus, atk17, atk_17, apt-c-00, apt_c_00, oceanlotus_apt32, vietnam apt, vietnamese apt

Notable Campaigns

11
  • 2022-2026: Continued Operations Through 2022-2026
  • 2021: Amnesty International Vietnamese Human Rights Defender Targeting (February 2021)
  • 2020: COVID-19 Pandemic Espionage, Chinese Ministry of Emergency Management + Wuhan Government (Early 2020)
  • 2020: Facebook CyberOne Group Corporate Front Linkage (December 2020)
  • 2019: Automotive Sector Campaign, Toyota, Honda, BMW (February 2019+)
  • 2017: FireEye Canonical APT32 Disclosure (May 2017)
  • 2017: Volexity OceanLotus Blossoms Mass Digital Surveillance Disclosure (November 2017)
  • 2017: Philippines Duterte-Trump + Duterte-Xi Jinping Conversation Leak (May 2017)
  • 2015: SkyEye Labs (Qihoo 360) First OceanLotus Naming (May 2015)
  • 2014-Present: macOS Malware Capability, Signature Operational Distinctness
  • 2012-2014: OceanLotus Earliest Operational Emergence (2012-2014)

Attribution & Reporting

Attributed by
FireEye / Mandiant / Google Threat Intelligence; ESET; Kaspersky GReAT; Microsoft Threat Intelligence Center; Volexity; Amnesty International (Security Lab); Cybereason; BlackBerry Cylance; SkyEye Labs (Qihoo 360, first named OceanLotus May 2015); 360 Threat Intelligence Center (APT-C-00 China-side naming); Facebook / Meta (CyberOne Group linkage December 2020); Citizen Lab (University of Toronto); Electronic Frontier Foundation (EFF, first publicly tracked OceanLotus operations 2014); Nick Carr (FireEye senior manager); Bryce Boland (FireEye); Steven Adair (Volexity president); Romain Dumont (ESET malware researcher); ThreatBook (January 2025 Chinese cybersecurity researcher targeting disclosure); Mandiant (post-2022 Google acquisition); CrowdStrike; SOPHOS X-Ops; SentinelOne / SentinelLabs; Trend Micro
Key reporting
  • FireEye (Nick Carr et al): Cyber Espionage is Alive and Well, APT32 and the Threat to Global Corporations (May 2017), canonical FireEye APT32 disclosure
  • Volexity (Steven Adair et al): OceanLotus Blossoms, Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society (November 6, 2017), canonical mass-surveillance disclosure
  • Amnesty International (Security Lab): Click and Bait, Vietnamese Human Rights Defenders Targeted with Spyware Attacks (February 24, 2021), canonical HRD targeting investigation
  • Facebook / Meta: CyberOne Group Linkage Disclosure (December 2020)
  • SkyEye Labs (Qihoo 360): OceanLotus First Naming Disclosure (May 2015)
  • ESET (Romain Dumont et al): OceanLotus Continued Tracking + macOS Malware Analysis
  • Kaspersky GReAT: OceanLotus Operational Analysis
  • Microsoft Threat Intelligence Center: Bismuth / Canvas Cyclone Operational Tracking
  • Cybereason: APT32 Backdoor Access Analysis
  • BlackBerry Cylance: OceanLotus Shellcode and Loader Development Analysis
  • Electronic Frontier Foundation (EFF): 2014 Vietnamese Malware Targeting Foreign Policy Experts and Activists Disclosure (first publicly tracked OceanLotus operations)
  • ThreatBook CTI: Chinese Cybersecurity Researcher Targeting Disclosure (January 2025)
  • Mandiant (Google Cloud): APT32 Continued Tracking Post-2022 Acquisition
  • CrowdStrike Global Threat Report: Vietnam-Aligned Cluster Tracking
  • SOPHOS X-Ops: APT32 Operational Profile
  • SentinelLabs: APT32 Operational Analysis
  • Trend Micro: APT32 Adjacent Tracking
  • Check Point Research: OceanLotus Extending Cyber Espionage Operations (2020)
  • MITRE ATT&CK Group G0050, APT32
  • Malpedia Actor Profile: APT32 / OceanLotus

Operational

State sponsor

Socialist Republic of Vietnam government-aligned cyber-espionage cluster, likely affiliated with the Vietnamese Ministry of Public Security per FireEye / Mandiant analysis. The Vietnam-aligned attribution is assessed at high confidence by multiple major cybersecurity industry analysts (FireEye/Mandiant, ESET, Kaspersky GReAT, Microsoft Threat Intelligence Center, Volexity, Amnesty International), but no formal acknowledgment has been issued by the Vietnamese government. The attribution is supported by multiple convergent evidence streams:

(a) Target selection consistent with Vietnamese government strategic interests: per the FireEye May 2017 canonical disclosure, "APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests." Signature target categories align with Hanoi's foreign-policy interests: foreign diplomats attending ASEAN summits and South China Sea negotiations, domestic political opponents, critics of the Vietnamese government, Vietnamese diaspora activists, dissidents, journalists, human rights defenders, and businesses in sectors strategically important to Vietnam's economic development.

(b) Vietnamese diaspora dissident targeting: per the Volexity November 2017 disclosure of the OceanLotus Blossoms mass-surveillance campaign, documenting 100+ compromised websites: "The overwhelming majority of the websites that have been compromised belong to Vietnamese individuals and organizations that are critical of the Vietnamese Government. The remainder of the compromised websites are tied to one of three countries that share a land border with Vietnam or the Philippines." The signature targeting of Vietnamese government critics, diaspora activists, dissident journalists and human rights defenders is consistent with a Vietnam-aligned domestic-surveillance mission.

(c) Amnesty International confirmed pattern (February 2021): per the Amnesty International Security Lab investigation, "two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign." Per Amnesty International: "FireEye describes Ocean Lotus' operations as 'aligned with Vietnamese state interests' based on the list of targeted companies and civil society groups they identified."

(d) Facebook CyberOne Group linkage (December 2020): per Amnesty International, "In December 2020, Facebook published a threat report linking Ocean Lotus' activities with a Vietnamese company named CyberOne Group." The Facebook disclosure established the first publicly attributed corporate front-organization connection for the cluster, though "Amnesty International was unable to independently verify any direct connection between Ocean Lotus and CyberOne or with the Vietnamese authorities."

(e) Automotive sector campaign timing aligned with Vietnam's strategic economic interests (2019): per FireEye's Nick Carr, "FireEye assesses with moderate confidence that APT32's latest activity is in support of the Vietnamese government's stated domestic vehicle and auto part manufacturing goals." The 2019 campaign targeted Toyota, Honda and BMW with automotive sector lures, timed with Vietnam's strategic push to develop a domestic electric vehicle industry (consistent with the VinFast EV manufacturer's emergence era).

(f) Philippines presidential conversation leak: in May 2017, files containing a private conversation between Philippines president Rodrigo Duterte and President Donald Trump were leaked through a malware detection platform. Other classified documents leaked included a conversation between Duterte and China's president Xi Jinping as well as internal documents produced by the Philippine government. Per FireEye's Bryce Boland, it is "fully plausible that APT32 was 'understanding how the organizations within the [Philippine] government operate in order to be better prepared in case of potentially military conflict.'" This is consistent with Vietnam's strategic interest in Philippines and ASEAN regional military preparedness.

(g) First named by the Chinese cybersecurity firm SkyEye Labs (Qihoo 360) in May 2015: the cluster was first publicly named "OceanLotus" by SkyEye Labs (Qihoo 360) in May 2015 following research into threat actors targeting Chinese public and private entities, including government agencies, research institutes, maritime agencies, sea construction and shipping enterprises. The China-targeting pattern is distinctive because it contradicts any assumption of Chinese state attribution and supports Vietnam-aligned attribution (Vietnam has a clear interest in Chinese maritime infrastructure intelligence given South China Sea geopolitical tensions).

Operational significance: OceanLotus / APT32 is one of Southeast Asia's most capable threat groups per industry consensus. Per the Volexity 2017 assessment: "the size and scale of this attack campaign have only previously been rivaled by a Russian APT group commonly referred to as Turla and documented in a report from Symantec called The Waterbug attack group." The cluster demonstrates that mid-tier nation-state actors can develop and sustain sophisticated APT operations comparable to top-tier state-aligned clusters.

Operational distinctness in the curated corpus: aoqin_dragon (curated separately as aoqin_dragon.yaml) is China-attributed activity targeting Vietnam, the opposite attribution direction. OceanLotus / APT32 is the first Vietnam-aligned cluster in the curated corpus and fills the Vietnam-attributed APT cell.

Motivations
vietnam_state_aligned_intelligence_collection, vietnamese_diaspora_dissident_surveillance, vietnamese_government_critic_targeting, foreign_corporation_with_vietnam_business_interests_intelligence, asean_diplomatic_intelligence_collection, south_china_sea_negotiations_intelligence, automotive_industry_intellectual_property_theft_for_domestic_industry, covid_19_pandemic_response_intelligence_collection, regional_southeast_asia_strategic_intelligence, philippines_government_intelligence_collection

Detection Blind Spots

60 techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 · 93%
  • Analytics (MITRE CAR): 27/60 · 45%
  • Runtime / container (Falco): 6/60 · 10%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 13/60 · 21%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

2 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
MACROS ENABLED PHISHING DOCUMENTS
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin