APT32

Active

Also known as: APT32, SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH

🌍

Other

Active Since

2017

MITRE ID

G0050

Techniques

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

MITRE ATT&CK Techniques

Recon3

T1589.002Email Addresses

T1589Gather Victim Identity Information

T1598.003Spearphishing Link

Resource6

T1583.001Domains

T1608.004Drive-by Target

T1585.001Social Media Accounts

T1588.002Tool

T1608.001Upload Malware

T1583.006Web Services

Initial3

T1189Drive-by Compromise

T1566.001Spearphishing Attachment

T1566.002Spearphishing Link

Exec12

T1059Command and Scripting Interpreter

T1203Exploitation for Client Execution

T1059.007JavaScript

T1204.002Malicious File

T1204.001Malicious Link

T1059.001PowerShell

T1053.005Scheduled Task

T1569.002Service Execution

+4 more

Persist5

T1574.001DLL

T1137Office Application Startup

T1547.001Registry Run Keys / Startup Folder

T1505.003Web Shell

T1543.003Windows Service

PrivEsc1

T1068Exploitation for Privilege Escalation

Defense24

T1070.001Clear Windows Event Logs

T1027.010Command Obfuscation

T1027.013Encrypted/Encoded File

T1070.004File Deletion

T1027.011Fileless Storage

T1564.001Hidden Files and Directories

T1564.003Hidden Window

T1027.016Junk Code Insertion

+16 more

Creds3

T1552.002Credentials in Registry

T1003.001LSASS Memory

T1003OS Credential Dumping

Discovery10

T1083File and Directory Discovery

T1087.001Local Account

T1046Network Service Discovery

T1135Network Share Discovery

T1012Query Registry

T1018Remote System Discovery

T1082System Information Discovery

T1016System Network Configuration Discovery

+2 more

Lateral2

T1570Lateral Tool Transfer

T1021.002SMB/Windows Admin Shares

Collect2

T1560Archive Collected Data

T1056.001Keylogging

C25

T1105Ingress Tool Transfer

T1071.003Mail Protocols

T1571Non-Standard Port

T1071.001Web Protocols

T1102Web Service

Exfil2

T1041Exfiltration Over C2 Channel

T1048.003Exfiltration Over Unencrypted Non-C2 Protocol

Impact0

Known Victims

live · just now

No victims recorded in ransomware.live for this group.