
S0346: OceanSalt

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

Enterprise | S0346 | Malware | Object v1.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

OceanSalt matters because it represents Windows Trojan activity tied in ATT&CK to phishing attachment delivery, command-shell execution, host discovery, file discovery, file deletion, and encoded command-and-control behavior. For leaders, the practical issue is not the malware name alone; it is whether the organization can prove it would see a suspicious attachment leading to Windows command execution, system and network reconnaissance, cleanup activity, and unusual encoded outbound traffic.

Executive priority

Treat OceanSalt as a validation case for endpoint, email, network, and incident-response readiness. The supplied ATT&CK relationships point to controls and evidence that often decide whether an intrusion is contained early: phishing attachment handling, Windows command-shell monitoring, host discovery visibility, file deletion auditing, and C2 traffic analysis. Executives should ask whether SOC teams can connect these signals into an incident narrative quickly enough to support containment, legal/audit evidence, and business-continuity decisions.

Technical view

OceanSalt is documented by ATT&CK as Windows malware used in a campaign targeting South Korea, the United States, and Canada, with reported code similarity to SpyNote RAT. ATT&CK does not provide an official detection section for this malware, so detection engineering should pivot from the related techniques: T1566.001 Spearphishing Attachment, T1059.003 Windows Command Shell, T1016 System Network Configuration Discovery, T1057 Process Discovery, T1082 System Information Discovery, T1083 File and Directory Discovery, T1070.004 File Deletion, and T1132.002 Non-Standard Encoding. Validate whether alerts correlate attachment-originated execution with command-shell activity, discovery commands or APIs, process and file enumeration, deletion of staging artifacts, and network traffic with unusual or non-standard encoding.

Likely telemetry

  • Email security logs for attachments, delivery disposition, sender metadata, and user interaction evidence
  • Endpoint process creation telemetry on Windows, especially command-shell execution and parent-child process chains
  • Host discovery evidence such as system, process, network configuration, and file or directory enumeration events
  • File system telemetry for creation, modification, and deletion of suspicious files or dropped artifacts
  • Network and proxy telemetry for outbound command-and-control patterns, including traffic using unusual or non-standard encoding

Detection direction

  • Build coverage around the related ATT&CK techniques rather than a malware-name-only signature, because no official ATT&CK detection guidance is supplied for OceanSalt.
  • Correlate spearphishing attachment delivery with subsequent Windows command-shell execution and discovery behavior on the same host or user context.
  • Tune discovery detections to reduce administrative false positives by considering parent process, user role, execution timing, command patterns, and whether activity follows email attachment execution.
  • Review file deletion telemetry for cleanup behavior after execution or discovery, while accounting for normal installer, updater, and administrative maintenance activity.
  • Inspect outbound traffic for unusual encoding or protocol deviations, but avoid assuming maliciousness without host context and supporting process evidence.

Mitigation priorities

  • Prioritize phishing attachment defenses, user reporting workflows, and attachment detonation or inspection where available.
  • Harden and monitor Windows command-shell usage, especially when spawned from email clients, document handlers, archives, scripts, or temporary directories.
  • Ensure endpoint logging captures process creation, command-line context, file activity, and relevant discovery behavior with retention suitable for investigations.
  • Apply least-privilege and administrative control practices so discovery and follow-on actions have reduced reach if a user endpoint is compromised.
  • Maintain network egress monitoring and proxy/DNS visibility sufficient to investigate encoded or unusual outbound communication.

Analyst notes and limits

The decision value of this object is in the behavior cluster ATT&CK relates to OceanSalt: phishing-based initial access, Windows command execution, discovery, cleanup, and encoded C2. The supplied description references a 2018 McAfee report and notes code similarity with SpyNote RAT, which has been linked to APT1; this should not be treated as attribution for every OceanSalt-related event without local evidence.

ATT&CK provides no official detection text, no aliases, and no explicit malware-level tactics for this object. Several relationship descriptions are truncated in the supplied data, and local command examples or indicators are not provided. Coverage claims require environment-specific validation of email, endpoint, file, and network telemetry.

Official MITRE ATT&CK definition

OceanSalt

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[1] OceanSalt has been executed via malicious macros.[1]

Enterprise | T1132.002 | Non-Standard Encoding (sub-technique)
OceanSalt can encode data with a NOT operation before sending the data to the control server.[1]

Enterprise | T1016 | System Network Configuration Discovery
OceanSalt can collect the victim's IP address.[1]

Enterprise | T1083 | File and Directory Discovery
OceanSalt can extract drive information from the endpoint and search files on the system.[1]

Enterprise | T1070.004 | File Deletion (sub-technique)
OceanSalt can delete files from the system.[1]

Enterprise | T1082 | System Information Discovery
OceanSalt can collect the computer name from the system.[1]

Enterprise | T1057 | Process Discovery
OceanSalt can collect the name and ID for every process running on the system.[1]

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.[1]
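As an added example (not code from this page, from Glexia, or from the McAfee report), a Python sketch of the two checks the detection-direction bullets and the relationship rows above describe: correlating a cmd.exe spawned by an Office application with the macro delivery chain (T1566.001 leading to T1059.003), and testing whether an outbound payload turns into readable host information when the NOT encoding noted under T1132.002 is reversed. The process events, field names, Office parent list, thresholds and beacon body are constructed assumptions.

```python
import re
import string

# Constructed sample process-creation events (not real telemetry); field names are assumptions.
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /k"},
]

# Office hosts that rarely need a command shell; extend for your environment (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawned_shell(event: dict) -> bool:
    """T1566.001 -> T1059.003: cmd.exe whose parent is an Office application (macro-style chain)."""
    return basename(event["parent"]) in OFFICE_PARENTS and basename(event["image"]) == "cmd.exe"

def flag_events(events: list) -> list:
    return [e for e in events if office_spawned_shell(e)]

def not_decode(data: bytes) -> bytes:
    """Bitwise NOT is its own inverse, so the same function encodes and decodes."""
    return bytes(b ^ 0xFF for b in data)

PRINTABLE = set(string.printable.encode())
HOST_INFO = re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # IPv4 as collected under T1016

def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def triage_payload(raw: bytes) -> dict:
    """Flag a payload that is unreadable on the wire but readable, with an IP, after NOT-decoding."""
    decoded = not_decode(raw)
    hit = (printable_ratio(raw) < 0.5 and printable_ratio(decoded) > 0.9
           and HOST_INFO.search(decoded) is not None)
    return {"decoded": decoded, "suspicious": hit}

# Constructed beacon body: how NOT-encoded host information would look on the wire.
SAMPLE_BEACON = not_decode(b"DESKTOP-01|192.0.2.10|1234 svchost.exe")

if __name__ == "__main__":
    print(flag_events(PROCESS_EVENTS))
    print(triage_payload(SAMPLE_BEACON))
```

The printable-ratio thresholds are starting points; pair a payload hit with the host-side process evidence the bullets above call for before treating it as malicious.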

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 821a13e8d1fc64a9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 821a13e8d1fc…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. McAfee Oceansalt Oct 2018: Sherstobitoff, R., Malhotra, A. (2018, October 18). 'Operation Oceansalt' Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  2. OceanSalt (Citation: McAfee Oceansalt Oct 2018)
  3. mitre-attack S0346 (attack.mitre.org)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.