
OceanLotus
OceanLotus (also tracked as APT32, SeaLotus, Cobalt Kitty, APT-C-00) is a Vietnam-based cyber espionage group active since at least 2012. The group is known for sophisticated spear-phishing campaigns, watering holes, supply chain intrusions, and custom malware families. Its operations target foreign governments, journalists, NGOs, multinational corporations, and Vietnamese dissidents, aligning with the interests of the Vietnamese state.
OceanLotus has deployed advanced malware like Ratsnif, KerrDown, Denes, and Cobalt Strike loaders, alongside custom backdoors for macOS and Windows. The group is notorious for cross-platform toolchains, compromising media and NGO networks, and long-term persistent espionage campaigns across Southeast Asia and beyond.
OceanLotus
Aliases: OceanLotus, APT32, SeaLotus, Cobalt Kitty, APT-C-00
Origin: Vietnam
Years Active: 2012 – Present
Motivation: State-linked espionage, domestic surveillance, economic intelligence.
Primary Targets: Foreign governments (esp. SE Asia, China, Laos, Cambodia), multinational firms, NGOs, journalists, Vietnamese dissidents, overseas diaspora
Tactics, Techniques, and Procedures (TTPs)
Initial Access: Spear-phishing with malicious docs (Office macros, RTF, LNK); watering hole attacks; supply chain compromises
Malware Families: KerrDown, Denes, Ratsnif, KrDrop, Cobalt Strike loaders, macOS backdoors (OSX.OceanLotus), PhantomNet
Persistence & Evasion: Custom loaders, DLL side-loading, encrypted payload staging, VM/sandbox detection
Post-Exploitation: Credential theft, keylogging, screen capture, data exfiltration to custom C2
C2: HTTPS, DNS tunneling, cloud services, compromised sites
Notable Campaigns & Operations
2014–15 – Early ops: Targeted Chinese entities related to South China Sea disputes
2016 – Media & NGOs: Campaigns against Vietnamese activists, independent journalists, and NGOs
2017 – Cobalt Kitty: Large supply chain attack against Asian corporations
2018 – ASEAN & Foreign Ministries: Targeted Cambodia ahead of elections; also attacks on Laos
2019 – Automotive & Manufacturing: Attacks on foreign corporations for economic espionage
2020 – China-targeted ops: Phishing campaigns against Chinese government orgs, including COVID-19 response teams
2021 – macOS Backdoors: OceanLotus malware uncovered targeting dissidents on Mac devices
2022–24 – Low visibility: Activity observed but more fragmented, still targeting journalists and regional diplomacy
Infrastructure & IOCs
<Currently Compiling>
Regional & Geopolitical Context
Tied to Vietnamese state interests:
Surveillance of dissidents, journalists, activists
Espionage related to South China Sea disputes
Monitoring of Cambodian and Laotian politics
Economic espionage targeting foreign corporations
Distinct from PRC-linked APTs: OceanLotus reflects Hanoi’s intelligence priorities
Threat Assessment
Sophistication: High – custom cross-platform malware, long-term intrusions, supply chain compromises
Current Activity: Still active as of 2025, though less noisy and more targeted
Risk Profile: Regional governments, NGOs, human rights activists, and global companies with operations in Vietnam
References
FireEye / Mandiant APT32 reports (2017, 2019)
ESET research on OceanLotus macOS malware (2019–2021)
Amnesty International technical reports (2018–2020) on Vietnamese activist targeting
Trend Micro coverage of Ratsnif and KerrDown toolchains
Recorded Future Insikt analysis of OceanLotus geopolitics
Palo Alto Unit 42 reporting on ASEAN intrusions
Citizen Lab reports on Vietnamese surveillance operations
Campaign Timeline
2012-15
Targets: Chinese entities in South China Sea disputes
Method: Phishing + custom backdoors (early OceanLotus malware)
Impact: Espionage on maritime disputes
2015
Targets: Vietnamese bloggers & activists
Method: Malicious Word documents, keyloggers
Impact: Domestic monitoring of dissent
2016
Targets: Journalists, NGOs, human rights groups in Vietnam & abroad
Method: Phishing campaigns w/ KerrDown loader
Impact: Monitoring and suppression of political dissent
2017
Operation Cobalt Kitty
Targets: Asian corporations (supply chain compromise)
Method: Spear-phishing + RATs + lateral movement
Impact: Months-long infiltration of company networks
2018
Targets: Ministries in Laos & Cambodia; foreign automakers
Method: Watering hole attacks; Cobalt Strike loaders
Impact: Political intel + economic espionage
Ratsnif Malware
Targets: Corporate networks
Method: Custom packet-sniffing backdoor (Ratsnif)
Impact: Network monitoring, data theft
2020
COVID-19 Ops
Targets: Chinese gov orgs & research tied to pandemic
Method: Phishing w/ COVID themes → KerrDown, Denes
Impact: Intelligence collection on outbreak response
2021
Targets: Vietnamese dissidents & NGOs abroad
Method: OceanLotus custom macOS malware (OSX.OceanLotus)
Impact: Surveillance of activists using Apple devices
2022-2024
Targets: Regional NGOs, journalists, Vietnamese diaspora
Method: Spear-phishing; upgraded KerrDown loaders
Impact: Continued monitoring with lower visibility but steady persistence