G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
Analyst context for executives and security teams
APT32 is an ATT&CK group entry for a suspected Vietnam-based threat group active since at least 2014, associated with targeting private sector organizations, foreign governments, dissidents, and journalists, especially in Southeast Asia. For defenders, the practical issue is not just the name: the ATT&CK relationships show a mix of strategic web compromise, credential dumping, discovery, SMB-based lateral movement, command/file obfuscation, and multiple Windows, macOS, and Linux backdoors. This makes APT32 useful as a planning case for validating whether endpoint, identity, network, and web telemetry can connect early access to post-compromise movement.
Executive priority
Prioritize this entry if the organization operates in or supports Southeast Asia, works with government, media, civil society, or sensitive regional business interests, or has executives and users exposed to external web-based targeting. Leadership should ask whether incident response can quickly answer: which users browsed to suspicious compromised sites, which endpoints exposed credentials, which accounts moved over SMB/admin shares, and whether macOS/Linux assets are covered as well as Windows. The value is in resilience and evidence readiness, not in assuming this group is currently targeting the organization.
Technical view
ATT&CK provides no official detection text for this group, so validation should be relationship-driven. The supplied relationships connect APT32 to Mimikatz and OS Credential Dumping including LSASS Memory, Windows discovery via registry and network utilities such as Net, Arp, ipconfig, and netsh, Remote System Discovery, SMB/Windows Admin Shares, and stealth techniques including command obfuscation, fileless storage, and encrypted/encoded files. Related malware includes several Windows backdoors, a macOS backdoor, and a Linux backdoor, so SOC coverage should be checked across endpoint platforms where those assets exist. Detection engineering should focus on behavioral chains: suspicious web-origin execution or payload delivery followed by discovery commands, credential access attempts, abnormal SMB/admin-share use, and persistence or backdoor-like process/network activity.
Likely telemetry
- Web proxy, secure web gateway, browser, and DNS logs for strategic web compromise investigation context
- Endpoint process creation and command-line telemetry for Net, Arp, ipconfig, netsh, registry queries, and obfuscated commands
- Windows security and EDR telemetry related to LSASS access, credential dumping behavior, and Mimikatz-like activity
- Authentication, account use, and lateral movement logs, especially SMB and Windows admin share access
- Registry, WMI repository, event log, and other fileless-storage-relevant endpoint evidence where collected
Detection direction
- Do not rely on the group name as a detection strategy; validate coverage for the ATT&CK techniques and software relationships supplied for APT32.
- Correlate discovery utilities and registry queries with preceding suspicious web activity, new processes, or unusual user context to reduce false positives from normal administration.
- Tune detections for LSASS access and credential dumping with attention to legitimate security tools and administrator activity that can resemble Mimikatz testing.
- Review SMB/admin-share detections against identity context: rare source-to-destination pairs, unusual accounts, off-hours access, or access following credential-related alerts are higher value than raw SMB events alone.
- Expect obfuscation and encoded/encrypted files to weaken simple signature matching; prioritize command-line normalization, behavioral analytics, and endpoint evidence preservation.
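One way to implement the correlation these bullets describe, as an added example that is not MITRE's or Glexia's code: a browser-spawned process on a host, followed within a window by several distinct discovery utilities (Net, Arp, ipconfig, netsh, registry queries) with command-line normalization, then any admin-share access from the same host attached for triage. The event field names, the 30-minute window, the three-tool threshold and the sample telemetry are all assumptions constructed for this example.

```python
"""Added example (not MITRE or Glexia code): correlate browser-spawned execution,
a burst of discovery utilities, and admin-share access on one host.
Event field names, the 30-minute window and the 3-tool threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Discovery utilities named in the APT32 relationships; registry queries are handled separately.
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "arp.exe", "ipconfig.exe", "netsh.exe"}
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_TOOLS = 3


def normalize(cmdline):
    """Command-line normalization so quoting, casing and spacing tricks do not break matching."""
    return re.sub(r"\s+", " ", cmdline.lower().replace('"', "").replace("^", "")).strip()


def discovery_tool(cmdline):
    """Return the discovery utility a command line invokes, or None."""
    parts = normalize(cmdline).split(" ")
    image = parts[0].rsplit("\\", 1)[-1]
    if image in DISCOVERY_IMAGES:
        return image
    if image == "reg.exe" and len(parts) > 1 and parts[1] == "query":
        return "reg.exe query"
    return None


def correlate(events):
    """One finding per host where a browser-spawned process is followed within WINDOW
    by at least MIN_DISTINCT_TOOLS distinct discovery tools; admin-share access
    (share name ending in '$') in the same window is attached for triage."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        for anchor in evs:
            if anchor["type"] != "process" or anchor["parent"].lower() not in BROWSERS:
                continue
            t0 = anchor["ts"]
            in_window = [e for e in evs if t0 <= e["ts"] <= t0 + WINDOW]
            tools = {discovery_tool(e["cmdline"]) for e in in_window if e["type"] == "process"}
            tools.discard(None)
            if len(tools) < MIN_DISTINCT_TOOLS:
                continue
            shares = sorted({e["dest"] + "\\" + e["share"] for e in in_window
                             if e["type"] == "smb" and e["share"].endswith("$")})
            findings.append({"host": host, "user": anchor["user"], "anchor": anchor["cmdline"],
                             "tools": sorted(tools), "admin_shares": shares})
            break  # one finding per host is enough to open a case
    return findings


def at(hhmm):
    return datetime(2024, 1, 1, *map(int, hhmm.split(":")))


# Constructed sample telemetry, not real logs.
SAMPLE = [
    {"ts": at("09:01"), "host": "WS-17", "user": "jlee", "type": "process", "parent": "chrome.exe",
     "cmdline": "C:\\Windows\\System32\\rundll32.exe C:\\Users\\jlee\\AppData\\Local\\Temp\\upd.dll,Run"},
    {"ts": at("09:03"), "host": "WS-17", "user": "jlee", "type": "process", "parent": "rundll32.exe",
     "cmdline": "C:\\Windows\\System32\\ipconfig.exe   /all"},
    {"ts": at("09:04"), "host": "WS-17", "user": "jlee", "type": "process", "parent": "rundll32.exe",
     "cmdline": '"C:\\Windows\\System32\\net.exe" localgroup administrators'},
    {"ts": at("09:05"), "host": "WS-17", "user": "jlee", "type": "process", "parent": "rundll32.exe",
     "cmdline": "reg.exe QUERY HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion"},
    {"ts": at("09:20"), "host": "WS-17", "user": "jlee", "type": "smb", "dest": "FS-02", "share": "C$"},
    # Routine administration on another host: no browser parent, so no finding.
    {"ts": at("10:00"), "host": "WS-22", "user": "admin", "type": "process", "parent": "cmd.exe",
     "cmdline": "ipconfig.exe /all"},
    {"ts": at("10:01"), "host": "WS-22", "user": "admin", "type": "process", "parent": "cmd.exe",
     "cmdline": "net.exe view"},
]
```

Running `correlate(SAMPLE)` yields a single finding for WS-17 listing the three discovery tools and the `FS-02\C$` access; the WS-22 administrator activity produces nothing because it lacks the web-origin anchor.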
Mitigation priorities
- Start with credential protection and privileged access controls, because the relationships include OS credential dumping, LSASS Memory, Mimikatz, and SMB/admin-share lateral movement.
- Restrict and monitor administrative shares, remote administration pathways, and unnecessary SMB exposure between workstations and sensitive systems.
- Improve endpoint hardening and EDR visibility for Windows, macOS, and Linux assets where present, with special attention to command execution, registry activity, fileless storage locations, and suspicious network connections.
- Strengthen web browsing defenses and user-risk processes for populations exposed to strategic web compromise risk, including executives, regional staff, journalists, civil society contacts, and government-facing teams where applicable.
- Maintain incident response playbooks that preserve endpoint memory/process data, authentication logs, web logs, DNS, and network metadata needed to reconstruct credential theft and lateral movement.
Analyst notes and limits
This take is based only on the supplied ATT&CK group description, external references, and relationship context. The strongest decision value comes from the pattern of associated behaviors: web compromise leading into discovery, credential access, SMB lateral movement, and backdoor activity across multiple endpoint operating systems. Local prioritization should be driven by geography, sector, sensitive populations, and actual telemetry coverage.
ATT&CK provides no official detection text and the group object itself lists no platforms or tactics. Platform references here come from related software and techniques, not from the group-level platform field. The supplied relationship list may not be complete for all APT32 activity, and this summary should not be read as a claim of active targeting, active exploitation, or guaranteed detection coverage.
APT32
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1550.002 | Pass the Hash Sub-technique | APT32 has used pass the hash for lateral movement. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1036 | Masquerading | APT32 has disguised a Cobalt Strike beacon as a Flash Installer. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1059.007 | JavaScript Sub-technique | APT32 has used JavaScript for drive-by downloads and C2 communications. (Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1047 | Windows Management Instrumentation | APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1072 | Software Deployment Tools | APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task. (Citation: FireEye APT32 May 2017) |
| Enterprise | T1570 | Lateral Tool Transfer | APT32 has deployed tools after moving laterally using administrative accounts. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | APT32 used NTFS alternate data streams to hide their payloads. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | APT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry. (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1055 | Process Injection | APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1216.001 | PubPrn Sub-technique | APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses. (Citation: Twitter ItsReallyNick Status Update APT32 PubPrn) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet. (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: FireEye APT32 April 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
| Enterprise | T1135 | Network Share Discovery | APT32 used the |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1571 | Non-Standard Port | An APT32 backdoor can use HTTP over a non-standard TCP port (e.g., 14146) which is specified in the backdoor configuration. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1082 | System Information Discovery | APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host. (Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020) |
| Enterprise | T1583.001 | Domains Sub-technique | APT32 has set up and operated websites to gather information and deliver malware. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1012 | Query Registry | APT32's backdoor can query the Windows Registry to gather system information. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | APT32 has used the `Invoke-Obfuscation` framework to obfuscate their PowerShell. (Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | APT32 has used cmd.exe for execution. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1574.001 | DLL Sub-technique | APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder). (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | APT32 has sent spearphishing emails containing malicious links. (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: FireEye APT32 April 2020)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | APT32 has used malicious links to direct users to web pages designed to harvest credentials. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1087.001 | Local Account Sub-technique | APT32 enumerated administrative users using the commands |
| Enterprise | T1059.001 | PowerShell Sub-technique | APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution. (Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials. (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1046 | Network Service Discovery | APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1608.004 | Drive-by Target Sub-technique | APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | APT32's backdoor has exfiltrated data using the already opened channel with its C&C server. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1003 | OS Credential Dumping | APT32 used GetPassword_x64 to harvest credentials. (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1078.003 | Local Accounts Sub-technique | APT32 has used legitimate local admin account credentials. (Citation: FireEye APT32 May 2017) |
| Enterprise | T1589 | Gather Victim Identity Information | APT32 has conducted targeted surveillance against activists and bloggers. (Citation: Amnesty Intl. Ocean Lotus February 2021) |
| Enterprise | T1070.006 | Timestomp Sub-technique | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID. (Citation: FireEye APT32 May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1189 | Drive-by Compromise | APT32 has infected victims by tricking them into visiting compromised watering hole websites. (Citation: ESET OceanLotus)(Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | APT32 malware has used rundll32.exe to execute an initial infection process. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1059 | Command and Scripting Interpreter | APT32 has used COM scriptlets to download Cobalt Strike beacons. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1112 | Modify Registry | APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | APT32 has used email for C2 via an Office macro. (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1560 | Archive Collected Data | APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails. (Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP. (Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | APT32's macOS backdoor can receive a “delete” command. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | APT32's backdoor has stored its configuration in a registry key. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors. (Citation: Volexity OceanLotus Nov 2017) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | APT32 has used scheduled tasks to persist on victim systems. (Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection. (Citation: Twitter ItsReallyNick APT32 pubprn Masquerade) |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1608.001 | Upload Malware Sub-technique | APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | APT32's macOS backdoor changes the permission of the file it wants to execute to 755. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1569.002 | Service Execution Sub-technique | APT32's backdoor has used Windows services as a way to execute its malicious payload. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1018 | Remote System Discovery | APT32 has enumerated DC servers using the command |
| Enterprise | T1218.005 | Mshta Sub-technique | APT32 has used mshta.exe for code execution. (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1083 | File and Directory Discovery | APT32's backdoor possesses the capability to list files and directories on a machine. (Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | APT32 has cleared select event log entries. (Citation: FireEye APT32 May 2017) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | APT32 has used macros, COM scriptlets, and VBS scripts. (Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1588.002 | Tool Sub-technique | APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub. (Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | |
| Enterprise | T1550.003 | Pass the Ticket Sub-technique | APT32 successfully gained remote access by using pass the ticket. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1583.006 | Web Services Sub-technique | APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1505.003 | Web Shell Sub-technique | APT32 has used Web shells to maintain access to victim websites. (Citation: Volexity OceanLotus Nov 2017) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | APT32's macOS backdoor hides the clientID file via a chflags function. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1016 | System Network Configuration Discovery | APT32 used the |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | APT32 includes garbage code to mislead anti-malware software and researchers. (Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019) |
| Enterprise | T1049 | System Network Connections Discovery | APT32 used the |
| Enterprise | T1564.003 | Hidden Window Sub-technique | APT32 has used the WindowStyle parameter to conceal PowerShell windows. (Citation: FireEye APT32 May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor. (Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019) |
Groups, software, and campaigns
S0002: Mimikatz
S0100: ipconfig
S0585: Kerrdown
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0157: SOUNDBITE
S0352: OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, it has been continually improved by APT32 using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (`root` or `user`).[1][2][3]
S0156: KOMPROGO
S0108: netsh
S1078: RotaJakiro
RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (`root` or `user`).[1][2]
S0158: PHOREAL
S0099: Arp
S0155: WINDSHIELD
WINDSHIELD is a signature backdoor used by APT32.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 3e074c293359… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT32 May 2017: Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- [2] Volexity OceanLotus Nov 2017: Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- [3] ESET OceanLotus: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- [4] APT-C-00: (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
- [5] APT32: (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
- [6] Amnesty Intl. Ocean Lotus February 2021: Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
- [7] BISMUTH: (Citation: Microsoft Threat Actor Naming July 2023)
- [8] Canvas Cyclone: (Citation: Microsoft Threat Actor Naming July 2023)
- [9] Cybereason Oceanlotus May 2017: Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- [10] ESET OceanLotus Mar 2019: Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- [11] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [12] OceanLotus: (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
- [13] SeaLotus: (Citation: Cybereason Oceanlotus May 2017)
- [14] mitre-attack G0050
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.