
OceanLotus
Malware Dissection Playbook
Backdoor used by OceanLotus (tracked as APT32) for long-term access in Southeast Asian (SEA) espionage campaigns. The group has repeatedly relied on modular backdoors with built-in persistence in its SEA operations.
Analysis
Execution Chain
- Malicious document or installer drops the loader.
- Loader decrypts and installs the backdoor DLL.
- Backdoor establishes persistence (Run key and/or scheduled task).
- Backdoor begins modular tasking (discovery, file exfiltration, command execution).
Persistence
- Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msupdate
- Fake scheduled task posing as an Adobe updater (“Adobe Acrobat Update Task”)
Evasion
- Beacon jitter with randomized delays
- Domain fronting through CDN providers
- Obfuscated strings and configuration data
Networking
- HTTPS C2 with retries and randomized beacon slots
- Spoofed User-Agent strings (legitimate browser values)
- Multiple fallback domains for resiliency
IOCs and Artifacts
This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.
Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.
File Artifacts
- %ProgramData%\Microsoft\Network\msnet.dll (backdoor DLL)
- %AppData%\Roaming\Windows\svchost.exe (loader). Note that %AppData% already expands to the user's AppData\Roaming directory, so match on the path tail under the user profile rather than the literal expansion; an svchost.exe anywhere outside %SystemRoot%\System32 (or SysWOW64) is suspicious on its own.
Registry Persistence
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msupdate
Scheduled Tasks
- Adobe Acrobat Update Task (fake)
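The Persistence section and the File Artifacts, Registry Persistence and Scheduled Tasks lists above give enough to build a host-side hunt. The following is an added example, not code from the original playbook or from any of the cited vendor reports: a Python scan over Sysmon-style event records that flags the Run key value, the fake scheduled task and the two dropped files. The event records are constructed for the demo (the SID, the user name alice, the dropper name setup.exe and the benign noise events are all made up); field names follow Sysmon (EventID 1, 11, 13) and Windows Security event 4698, and only the indicator values come from the page.

```python
"""Host-side hunt for the OceanLotus persistence and file indicators.

Constructed demo: the Sysmon-style events below are made up (SID, user,
dropper name setup.exe); only the indicator values come from the playbook.
"""
import re
from typing import Dict, List, Optional

# Sysmon logs HKCU as HKU\<user SID>\..., so anchor on the tail of the key.
RUN_KEY_TAIL_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\msupdate$", re.I)
FAKE_TASK_NAME = "adobe acrobat update task"
# %AppData% already expands to ...\AppData\Roaming, so matching on
# "\roaming\windows\svchost.exe" covers both readings of the playbook's path.
DROPPED_FILE_TAILS = (
    r"\programdata\microsoft\network\msnet.dll",
    r"\roaming\windows\svchost.exe",
)
# The only legitimate homes of svchost.exe; anything else is masquerading.
LEGIT_SVCHOST = (r"\windows\system32\svchost.exe",
                 r"\windows\syswow64\svchost.exe")
SCHTASKS_TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)


def _task_name(cmdline: str) -> Optional[str]:
    """Pull the /TN value out of a schtasks.exe command line, if any."""
    if "schtasks" not in cmdline.lower():
        return None
    m = SCHTASKS_TN_RE.search(cmdline)
    return (m.group(1) or m.group(2)).strip("\\") if m else None


def _is_masquerading_svchost(path: str) -> bool:
    p = path.lower()
    return p.endswith("\\svchost.exe") and not p.endswith(LEGIT_SVCHOST)


def scan_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per matching indicator, keyed by event index."""
    findings = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 13:  # Sysmon: registry value set
            target = ev.get("TargetObject", "")
            if RUN_KEY_TAIL_RE.search(target):
                findings.append({"event": idx, "kind": "run_key",
                                 "indicator": target,
                                 "detail": ev.get("Details", "")})
        elif eid == 11:  # Sysmon: file created
            path = ev.get("TargetFilename", "")
            if path.lower().endswith(DROPPED_FILE_TAILS):
                findings.append({"event": idx, "kind": "dropped_file",
                                 "indicator": path})
            elif _is_masquerading_svchost(path):
                findings.append({"event": idx, "kind": "masquerade_svchost",
                                 "indicator": path})
        elif eid == 1:  # Sysmon: process created
            cmd = ev.get("CommandLine", "")
            name = _task_name(cmd)
            if name and name.lower() == FAKE_TASK_NAME:
                findings.append({"event": idx, "kind": "fake_task",
                                 "indicator": name, "detail": cmd})
            if _is_masquerading_svchost(ev.get("Image", "")):
                findings.append({"event": idx, "kind": "masquerade_svchost",
                                 "indicator": ev["Image"]})
        elif eid == 4698:  # Security: scheduled task created
            name = ev.get("TaskName", "").strip("\\")
            if name.lower() == FAKE_TASK_NAME:
                findings.append({"event": idx, "kind": "fake_task",
                                 "indicator": name})
    return findings


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
LOADER = r"C:\Users\alice\AppData\Roaming\Windows\svchost.exe"
BACKDOOR = r"C:\ProgramData\Microsoft\Network\msnet.dll"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [  # constructed, in the order of the execution chain
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": LOADER},
    {"EventID": 11, "Image": LOADER, "TargetFilename": BACKDOOR},
    {"EventID": 13, "Image": LOADER, "Details": LOADER,
     "TargetObject": "HKU\\" + SID + RUN_KEY + r"\msupdate"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /Create /F /SC MINUTE /MO 30 '
                    '/TN "Adobe Acrobat Update Task" /TR "' + LOADER + '"'},
    {"EventID": 4698, "TaskName": r"\Adobe Acrobat Update Task"},
    {"EventID": 1, "Image": LOADER, "CommandLine": LOADER,
     "ParentImage": r"C:\Windows\explorer.exe"},
    # benign noise that must not fire
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": "HKU\\" + SID + RUN_KEY + r"\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 11, "Image": r"C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe",
     "TargetFilename": r"C:\ProgramData\Adobe\ARM\ARMLog.txt"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["kind"], "->", f["indicator"])
```

The scan deliberately keys on path tails and the Run value name rather than full paths, because the SID and profile directory differ per host; the svchost.exe location check is the one rule here that keeps working after the actor renames the DLL or the Run value.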
Domains
- office365-update[.]com
- news-servercdn[.]com
IPs
- 118.27.45[.]213
- 103.15.28[.]9
Patterns
- HTTPS beaconing with randomized jitter
- Domain fronting with CDN infrastructure
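The Evasion, Networking and Patterns sections above come down to two behaviours that are observable on the wire: near-periodic HTTPS requests whose gaps vary by a bounded random jitter, and a TLS SNI that names a CDN edge while the HTTP Host header names the real C2 domain. The following is an added example, not code from the original playbook or from any of the cited reports: a Python hunt over proxy-log records that scores each (source, Host) pair by the coefficient of variation of its inter-request gaps and lists SNI/Host mismatches. The records are constructed for the demo (the internal address 10.0.0.5, the CDN edge name edge.cdn-provider.example, the timestamps and the browsing traffic are all made up); the record fields ts, src, sni, host and ua are an assumed log schema, and only the two C2 domains come from the page.

```python
"""Network-side hunt for jittered HTTPS beacons and domain fronting.

Constructed demo: the proxy records below are made up (10.0.0.5,
edge.cdn-provider.example, timestamps); only the C2 domains come from the
playbook. Assumed record fields: ts (epoch seconds), src, sni (TLS server
name), host (HTTP Host header, visible only where the proxy terminates
TLS) and ua.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

C2_DOMAINS = {"office365-update.com", "news-servercdn.com"}  # from the playbook

# Uniform +/-20% jitter on a fixed period gives a coefficient of variation
# (stdev/mean) of roughly 0.12; bursty human browsing is usually above 1.
MAX_JITTER_CV = 0.25
MIN_REQUESTS = 8


def detect_beacons(records: List[Dict], min_requests: int = MIN_REQUESTS,
                   max_cv: float = MAX_JITTER_CV) -> List[Dict]:
    """Flag (src, host) pairs whose inter-request gaps are near-periodic."""
    series = defaultdict(list)
    for r in records:
        series[(r["src"], r["host"].lower())].append(float(r["ts"]))
    hits = []
    for (src, host), ts in series.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "host": host,
                         "period_s": round(mean, 1),
                         "jitter_cv": round(cv, 3),
                         "known_c2": host in C2_DOMAINS})
    return hits


def detect_fronting(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Distinct (src, sni, host) triples where the TLS SNI and the HTTP Host
    header disagree, which is the on-the-wire signature of domain fronting."""
    seen = set()
    for r in records:
        sni, host = r.get("sni", "").lower(), r.get("host", "").lower()
        if sni and host and sni != host:
            seen.add((r["src"], sni, host))
    return sorted(seen)


def _requests(src, sni, host, ua, times):
    return [{"ts": t, "src": src, "sni": sni, "host": host, "ua": ua}
            for t in times]


# The same spoofed browser UA on both series: the UA value alone proves nothing.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_RECORDS = (
    # implant: ~60 s period with randomized jitter, fronted through a CDN edge
    _requests("10.0.0.5", "edge.cdn-provider.example", "news-servercdn.com", UA,
              [0, 58, 121, 175, 240, 296, 362, 419, 481, 540])
    # the user browsing from the same workstation: bursty, SNI matches Host
    + _requests("10.0.0.5", "www.example.org", "www.example.org", UA,
                [0, 3, 5, 120, 122, 900, 905, 910, 1800, 3500])
)

if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_RECORDS):
        print("beacon:", hit)
    for src, sni, host in detect_fronting(SAMPLE_RECORDS):
        print(f"fronting: {src} SNI={sni} Host={host}")
```

Two caveats when running this on real logs: the fallback domains listed above split one implant's traffic across several Host values, so also key the series on (src, destination IP) or on the SNI; and the SNI/Host comparison only works where the proxy terminates TLS, since without inspection the fronted Host header is inside the tunnel and only the CDN name in the SNI is visible.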
References:
- FireEye/Mandiant – OceanLotus (APT32): New Tools, Same Old Tricks (deep dive into backdoor capabilities)
- ESET – OceanLotus: Stealthy Backdoor in SEA (technical analysis of persistence and evasion)
- Kaspersky Securelist – APT32/OceanLotus: Stealth Attacks Against SEA
- MITRE ATT&CK – Group profile for APT32
- Volexity – OceanLotus Targeting Vietnamese and SEA Governments
- Cylance – APT32 Campaigns Against SEA Journalists and NGOs
- PwC Threat Intel –
"Our analysts have also gathered research on domains and malware behavior, along with reference articles pertaining to OceanLotus."