Executive Summary
OceanLotus (APT32) is a Vietnam-linked espionage actor with sustained activity in Southeast Asia and beyond. In August 2024 the group executed a multi-year intrusion against a Vietnamese human-rights organization, using custom backdoors, scheduled-task and registry persistence, and selective data theft. In 2025 the group escalated supply-chain/dev-ecosystem tradecraft by distributing a backdoored Cobalt Strike plugin on GitHub that targeted security professionals, demonstrating a shift toward weaponizing trusted developer workflows.
Threat Actor Profile
Attribution & Background
OceanLotus, also tracked as APT32, Cobalt Kitty, and SeaLotus, is a cyber espionage group widely assessed to be linked to Vietnam. The group has been active since at least 2012, with operations primarily targeting political, economic, and security interests in Southeast Asia, though activity has extended globally.
Motivation
APT32’s campaigns align with state-level objectives, focusing on intelligence collection that supports Vietnam’s strategic, political, and economic goals. The group has historically targeted government agencies, foreign corporations, journalists, and dissidents, while in recent years expanding its focus toward NGOs, civil society organizations, and cybersecurity professionals.
Threat Level
OceanLotus (APT32) represents a high-threat, state-aligned espionage actor with both regional focus and global reach. The group’s advanced tradecraft, custom toolset, and persistent targeting of NGOs underscore a sustained risk to organizations that handle sensitive political, human-rights, or regional affairs. Its operations reveal a blend of technical expertise and strategic patience: the group maintains long-term access to victims while evading detection through stealthy persistence methods and selective data theft.
APT32’s campaigns consistently align with Vietnam’s state-level objectives, supporting the nation’s strategic, political, and economic interests. The actor demonstrates exceptional skill in exploiting trusted ecosystems, including open-source repositories, software supply chains, and legitimate cloud services, to deliver and manage its malware. This combination of technical sophistication, operational discipline, and adaptability makes OceanLotus one of the most capable and resilient APT actors in the Asia-Pacific region, posing a credible and ongoing threat to regional civil-society groups and global cybersecurity professionals alike.
Initial Access Vectors
NGOs Targeting Campaigns
In 2024, attack chains targeting NGOs and civil-society organizations typically began with highly targeted spear-phishing lures—specially crafted emails or fake invitations sent to specific staff. Those messages delivered malicious attachments or weaponized links that deployed backdoors capable of executing arbitrary shellcode in memory, harvesting credentials and sensitive documents, and establishing long-term covert access.
Backdoored GitHub Repository
In the 2025 GitHub campaign, OceanLotus (APT32) employed an innovative method of initial access and execution that leveraged software supply chain abuse and developer trust exploitation. The group uploaded a backdoored Cobalt Strike exploit plugin to GitHub, embedding a malicious .suo file within a Visual Studio project.
Custom Backdoors and Toolsets
OceanLotus relies on a modular arsenal combining custom implants with repurposed frameworks such as Cobalt Strike.
Key components observed include:
- Cobalt Strike Beacons configured for encrypted C2 via HTTPS and cloud storage.
- Lightweight loaders that deploy embedded DLL payloads.
- Cookie and credential harvesters targeting every Chrome user profile.
- Persistence utilities that create scheduled tasks and registry run keys for long-term access.
Tactics, Techniques, and Procedures (TTPs)
During the August 2024 campaign targeting Vietnamese NGOs, OceanLotus (APT32) demonstrated a sophisticated use of scheduled tasks, registry-based COM persistence, and living-off-the-land execution to maintain long-term access. The group created multiple user-scoped scheduled tasks such as AdobeUpdateTaskUser<SID>, WinDefenderAntivirusUpdateTaskUser<SID2>Core, and Handler{GUID} to execute malicious payloads at set intervals or on demand.
One task, for instance, launched a malicious Java archive (adobe.jar), which contained an embedded DLL (mi54giwp.dll) designed to load encrypted shellcode from a fake image file (adobe.png). Another task, WinDefenderAntivirusUpdateTaskUser<SID2>Core, executed a VBScript (MSSharePoint.vbs) that authenticated to a remote SFTP server using a private key dropped on disk. This script then downloaded and ran another component (cloud.bat), establishing an additional persistence mechanism that executed every five hours.
The attack chain also leveraged COM object hijacking for stealth, using DllHost.exe as a surrogate process to register and execute a malicious DLL tied to the CLSID {1F7CFAF8-B558-4EBD-9526-203135A79B1D}. This allowed OceanLotus to spawn new scheduled tasks from within legitimate Windows processes, blending malicious activity with normal system behavior.
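The persistence described above (user-scoped scheduled tasks with the naming patterns named in this report, script hosts launched from user-writable paths, and an in-process COM server registered for the reported CLSID) can be hunted in telemetry. The following Python is an added example, not part of the original report or of any vendor tooling: it runs simple detection rules over constructed records modelled on Windows Security event 4698 (scheduled task created) and Sysmon event 13 (registry value set). The record field names, the sample SIDs and paths, and the assumption that the COM hijack appears as a user-hive InprocServer32 registration are this example's own.

```python
import re

# CLSID named in the report. Assumption for this example: the hijack shows up as a
# user-hive (HKU\<SID>\Software\Classes\CLSID\...) InprocServer32 value for that CLSID.
OCEANLOTUS_CLSID = "{1F7CFAF8-B558-4EBD-9526-203135A79B1D}"

# Task-name patterns derived from the report. <SID> and {GUID} are placeholders
# there, so the patterns accept any SID-like or GUID-like suffix.
TASK_NAME_PATTERNS = [
    re.compile(r"^\\?AdobeUpdateTaskUser", re.I),
    re.compile(r"^\\?WinDefenderAntivirusUpdateTaskUser.*Core$", re.I),
    re.compile(r"^\\?Handler\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I),
]

# Living-off-the-land shape from the report: a script host (javaw for adobe.jar,
# wscript for MSSharePoint.vbs, cmd for cloud.bat) running a script from a
# user-writable location.
SCRIPT_HOST = re.compile(r"(^|\\)(java|javaw|wscript|cscript|cmd)\.exe\b", re.I)
SCRIPT_FILE = re.compile(r"\.(jar|vbs|bat)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
# Generic rule: any per-user CLSID InprocServer32 registration is worth a look.
USER_HIVE_INPROC = re.compile(
    r"^HK(U|CU)\\.*\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32", re.I)


def check_task_creation(rec: dict) -> list:
    """Rules for a task-creation record (modelled on Security event 4698)."""
    findings = []
    name = rec.get("task_name", "")
    if any(p.search(name) for p in TASK_NAME_PATTERNS):
        findings.append(f"task name matches reported naming pattern: {name}")
    cmd = rec.get("command", "")
    if SCRIPT_HOST.search(cmd) and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        findings.append(f"task runs a script host from a user-writable path: {cmd}")
    creator = rec.get("creator_process", "")
    if creator.lower().endswith("\\dllhost.exe"):
        findings.append(f"task created from the COM surrogate process: {creator}")
    return findings


def check_registry_set(rec: dict) -> list:
    """Rules for a registry-value-set record (modelled on Sysmon event 13)."""
    target = rec.get("target_object", "")
    low = target.lower()
    if OCEANLOTUS_CLSID.lower() in low and "inprocserver32" in low:
        return [f"InprocServer32 set for reported CLSID {OCEANLOTUS_CLSID}: {rec.get('details', '')}"]
    if USER_HIVE_INPROC.search(target):
        return [f"user-hive COM server registration (possible hijack): {target}"]
    return []


def hunt(events) -> list:
    """Dispatch each record to its rule set; return (event_id, finding) pairs."""
    results = []
    for ev in events:
        if ev.get("event_id") == 4698:
            found = check_task_creation(ev)
        elif ev.get("event_id") == 13:
            found = check_registry_set(ev)
        else:
            found = []
        results.extend((ev["event_id"], f) for f in found)
    return results


# Constructed sample telemetry (SIDs, user names and the second CLSID are made up).
SAMPLE_EVENTS = [
    {"event_id": 4698,
     "task_name": "\\AdobeUpdateTaskUserS-1-5-21-1111-2222-3333-1001",
     "command": "C:\\Program Files\\Java\\jre\\bin\\javaw.exe -jar C:\\Users\\alice\\AppData\\Roaming\\Adobe\\adobe.jar",
     "creator_process": "C:\\Windows\\System32\\DllHost.exe"},
    {"event_id": 4698,
     "task_name": "\\WinDefenderAntivirusUpdateTaskUserS-1-5-21-1111-2222-3333-1001Core",
     "command": "C:\\Windows\\System32\\wscript.exe C:\\ProgramData\\MSSharePoint.vbs",
     "creator_process": "C:\\Windows\\System32\\svchost.exe"},
    {"event_id": 4698,  # benign built-in task, should produce nothing
     "task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "command": "C:\\Windows\\System32\\usoclient.exe StartScan",
     "creator_process": "C:\\Windows\\System32\\svchost.exe"},
    {"event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{1F7CFAF8-B558-4EBD-9526-203135A79B1D}\\InprocServer32\\(Default)",
     "details": "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\mi54giwp.dll"},
    {"event_id": 13,  # machine-hive registration of a normal shell object, should produce nothing
     "target_object": "HKLM\\SOFTWARE\\Classes\\CLSID\\{00021401-0000-0000-C000-000000000046}\\InprocServer32\\(Default)",
     "details": "C:\\Windows\\System32\\shell32.dll"},
    {"event_id": 13,  # generic user-hive registration, constructed CLSID
     "target_object": "HKCU\\Software\\Classes\\CLSID\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\\InprocServer32\\(Default)",
     "details": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.dll"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(event_id, finding)
```

The task-name rules are narrow and cheap; the script-host and DllHost-creator rules are the ones that generalize, since a renamed task that still launches a .jar or .vbs from AppData or is registered from inside the COM surrogate keeps the same shape. Tune USER_WRITABLE to local conventions before deploying.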
In the 2025 campaign, OceanLotus (APT32) leveraged GitHub as the delivery platform for a trojanized security tool targeting cybersecurity professionals. The attackers uploaded a malicious version of a Cobalt Strike exploit plugin to a public GitHub repository, embedding a concealed payload inside a .suo (Solution User Options) file within a Visual Studio project.
When victims cloned and compiled the Visual Studio project, the malicious .suo file was automatically executed, triggering the malware. This execution granted OceanLotus initial access to the victim’s environment, allowing the group to exfiltrate sensitive data such as user identities, local environment details, and potentially network credentials.
By targeting a tool commonly used by cybersecurity professionals, OceanLotus aimed to infiltrate organizations indirectly through trusted individuals and research environments. The use of GitHub provided both credibility and distribution reach, while the .suo file abuse ensured stealth by blending into legitimate project files that typically go unnoticed in audits.
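A .suo file is per-user IDE state, never source, so its presence in a cloned repository is itself a provenance signal that a pre-build check can act on. The following Python is an added example written for this report, not code from the original or from any project it names: it walks a checkout, finds every .suo file (including the one Visual Studio keeps under the hidden .vs directory), hashes it, compares it against the SHA-256 values from this report's IoC list, and fails the build if any .suo is present. The sample project tree it builds is constructed for the demonstration, and the report does not say which file each listed hash belongs to, so the hash comparison is a generic known-bad check.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values from the report's IoC list. The report does not map them to
# specific files, so they are used only as a generic known-bad set here.
REPORTED_SHA256 = {
    "300ef93872cc574024f2402b5b899c834908a0c7da70477a3aeeaee2e458a891",
    "efc373b0cda3f426d25085938cd02b7344098e773037a70404c6028c76cc16fc",
    "6c08a004a915ade561aee4a4bec7dc588c185bd945621ec8468575a399ab81f4",
    "ea8a00813853038820ba50360c5c1d57a47d72237e3f76c581d316f0f1c6e85f",
    "0ed2e66f9442a09e04ca33cfcc8429c536f0019a1adfc2db2543a7515ccdea6b",
    "1149c398cc37743395327f94b359b363903a64bf322d40f5d76160f92c52fbd1",
}


def find_suo_files(root: Path) -> list[dict]:
    """Return every .suo file under root, hidden .vs directories included."""
    hits = []
    for path in sorted(root.rglob("*")):
        # Path.suffix is empty for a file literally named ".suo" (the .vs layout),
        # so match on the file name rather than the suffix.
        if path.is_file() and path.name.lower().endswith(".suo"):
            data = path.read_bytes()
            hits.append({
                "path": path.relative_to(root).as_posix(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return hits


def gate_build(root: Path, known_bad: set[str]) -> tuple[bool, list[dict]]:
    """Return (ok, hits). ok is False whenever any .suo file is present;
    each hit records whether its hash matches the known-bad set."""
    hits = find_suo_files(root)
    for hit in hits:
        hit["known_bad"] = hit["sha256"] in known_bad
    return (not hits, hits)


def build_sample_repo(root: Path) -> None:
    """Constructed Visual Studio tree: one legacy-style .suo beside the .sln
    and one under .vs\\<solution>\\v17\\, where newer Visual Studio stores it."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header .suo files start with
    (root / "Plugin.sln").write_text("Microsoft Visual Studio Solution File, Format Version 12.00\n")
    (root / "Plugin").mkdir()
    (root / "Plugin" / "Plugin.csproj").write_text('<Project Sdk="Microsoft.NET.Sdk"></Project>\n')
    (root / "Plugin.suo").write_bytes(ole_magic + b"\x00" * 56)
    vs_dir = root / ".vs" / "Plugin" / "v17"
    vs_dir.mkdir(parents=True)
    (vs_dir / ".suo").write_bytes(ole_magic + b"\x01" * 56)


def demo() -> tuple[bool, list[dict]]:
    """Build the constructed repo in a temp directory and run the gate on it."""
    root = Path(tempfile.mkdtemp(prefix="suo-gate-"))
    build_sample_repo(root)
    return gate_build(root, REPORTED_SHA256)


if __name__ == "__main__":
    ok, hits = demo()
    print("build allowed" if ok else "build blocked")
    for hit in hits:
        flag = " KNOWN-BAD" if hit["known_bad"] else ""
        print(f"  {hit['path']}  {hit['size']} bytes  {hit['sha256']}{flag}")
```

Run it against a real checkout by replacing demo() with gate_build(Path("path/to/clone"), REPORTED_SHA256) in CI before any build or IDE open; the policy decision is "no .suo at all", so a file that does not match a published hash is still blocked, which is what a provenance check needs when the adversary can trivially produce a new variant.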
Indicators of Compromise (IoCs)
Network indicators (IP addresses, defanged):
- 190.211.254[.]203
- 45.41.204[.]18
- 45.41.204[.]15
- 178.255.220[.]115
- 103.91.67[.]74
- 154.93.37[.]106
- 193.138.195[.]192
- 38.54.59[.]112
- 51.81.29[.]44
File indicators (SHA-256):
- 300ef93872cc574024f2402b5b899c834908a0c7da70477a3aeeaee2e458a891
- efc373b0cda3f426d25085938cd02b7344098e773037a70404c6028c76cc16fc
- 6c08a004a915ade561aee4a4bec7dc588c185bd945621ec8468575a399ab81f4
- ea8a00813853038820ba50360c5c1d57a47d72237e3f76c581d316f0f1c6e85f
- 0ed2e66f9442a09e04ca33cfcc8429c536f0019a1adfc2db2543a7515ccdea6b
- 1149c398cc37743395327f94b359b363903a64bf322d40f5d76160f92c52fbd1
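The IP indicators above are defanged with "[.]" so they cannot be clicked, which also means they will never match a raw log line until they are normalized. The following Python is an added example, not part of the original report: it refangs the listed addresses, validates each with the standard library, scans constructed firewall and DNS log lines for hits, and defangs again for sharing with partner CERTs. The log lines and internal addresses are made up for the demonstration.

```python
import ipaddress
import re

# IP indicators exactly as published in the report (defanged).
REPORTED_IPS_DEFANGED = [
    "190.211.254[.]203", "45.41.204[.]18", "45.41.204[.]15",
    "178.255.220[.]115", "103.91.67[.]74", "154.93.37[.]106",
    "193.138.195[.]192", "38.54.59[.]112", "51.81.29[.]44",
]


def refang(indicator: str) -> str:
    """Turn a shared, defanged indicator back into a matchable value."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".")


def defang(ip: str) -> str:
    """Defang an IPv4 address for distribution (last dot becomes [.])."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def load_ip_iocs(entries) -> set:
    """Normalize and validate indicators; anything that is not a single IP is skipped."""
    iocs = set()
    for entry in entries:
        try:
            iocs.add(str(ipaddress.ip_address(refang(entry))))
        except ValueError:
            continue
    return iocs


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines, iocs: set) -> list:
    """Return (line number, matched IP, line) for every log line touching an indicator."""
    matches = []
    for lineno, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in iocs:
                matches.append((lineno, ip, line.strip()))
    return matches


# Constructed firewall/DNS log lines; internal 10.0.8.0/24 hosts and the timestamps are invented.
SAMPLE_LOG = [
    "2024-08-12T03:14:07Z fw01 allow tcp 10.0.8.21:51922 -> 45.41.204.18:443",
    "2024-08-12T03:14:09Z fw01 allow tcp 10.0.8.21:51923 -> 142.250.72.14:443",
    "2024-08-12T03:15:41Z dns01 query 10.0.8.22 A update.example.test -> 38.54.59.112",
    "2024-08-12T03:16:02Z fw01 deny tcp 10.0.8.30:4455 -> 10.0.8.1:445",
]

if __name__ == "__main__":
    iocs = load_ip_iocs(REPORTED_IPS_DEFANGED)
    for lineno, ip, line in scan_log(SAMPLE_LOG, iocs):
        print(f"line {lineno}: {defang(ip)}  {line}")
```

Validating through ipaddress rather than a regex alone rejects malformed entries that creep into shared lists, and keeping the match set as canonical strings lets the same set be used against proxy, DNS and firewall sources without per-source parsing.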
Conclusion
The recent operations attributed to OceanLotus (APT32) clearly demonstrate the group’s evolution, adaptability, and strategic intent. From the August 2024 campaign targeting Vietnamese human-rights organizations to the 2025 GitHub operation aimed at cybersecurity professionals, OceanLotus has proven its ability to pivot between victim sectors while maintaining a consistent emphasis on stealth, persistence, and intelligence collection.
OceanLotus remains a high-priority adversary due to its combination of targeted intelligence goals, operational patience, and evolving use of trusted ecosystems (open-source platforms and third-party tooling). Defenders should assume developer and research toolchains are potential vectors, prioritize build isolation and provenance checks, hunt for low-and-slow persistence artifacts (scheduled tasks, COM/DllHost misuse), and share IoCs across NGO/CERT communities to reduce collective risk.
