S0352: OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (`root` or `user`).[1][2][3]
Analyst context for executives and security teams
OSX_OCEANLOTUS.D matters because it is a macOS backdoor described by MITRE as used by APT32, with a plugin architecture based on .dylib files and behavior that adapts depending on whether it has root or user-level permissions. For leaders, the practical issue is whether macOS endpoints are covered with enough telemetry and response capability to investigate backdoor behavior, privilege context, and modular payload activity—not just whether Windows systems are monitored.
Executive priority
Treat this as a macOS resilience and visibility question. Security leaders should confirm that managed detection, incident response, and endpoint controls include macOS evidence collection, privilege-level context, and suspicious dynamic library activity. Because MITRE provides no detection guidance or ATT&CK technique relationships in the supplied object, priority should be on validating coverage assumptions before relying on audit, SOC, or IR readiness claims for macOS environments.
Technical view
SOC and IR teams should validate whether macOS endpoint telemetry can show process execution context, user versus root privilege level, persistence-relevant artifacts, loaded .dylib files, and network behavior associated with backdoor activity. Detection engineering should avoid overfitting to the malware name alone and instead test whether telemetry can support investigation of modular plugin loading and execution under different permission levels. The supplied object does not specify tactics, techniques, or official detections, so local threat hunting should be hypothesis-driven and mapped to observed macOS behaviors in the environment.
Likely telemetry
- macOS endpoint process execution events
- User and root privilege context for executed processes
- Dynamic library loading evidence, especially .dylib activity
- File creation and modification events on macOS endpoints
- Endpoint security alerts from macOS-capable EDR or antivirus controls
Detection direction
- Confirm that macOS endpoints are actually onboarded to detection tooling and are not excluded from SOC monitoring.
- Validate visibility into processes running as root versus standard user accounts, since the malware is described as executing according to access type.
- Hunt for unusual or unauthorized .dylib loading patterns where local baselines make that practical.
- Correlate endpoint file, process, privilege, and network evidence rather than relying on a single indicator or malware family name.
- Document false-positive expectations for legitimate macOS applications that load .dylib files or run privileged helper processes.
Mitigation priorities
- Ensure macOS assets are included in endpoint protection, logging, and incident response procedures.
- Prioritize least-privilege practices and administrative access review for macOS users because execution behavior differs by permission level.
- Maintain inventory and ownership of macOS systems so suspicious backdoor activity can be scoped quickly.
- Validate that incident responders can collect macOS process, file, privilege, and network evidence during triage.
- Use control validation or tabletop exercises to test whether the SOC can investigate modular macOS malware behavior without relying on Windows-centric playbooks.
Analyst notes and limits
The key decision value is coverage validation for macOS backdoor activity. The object supports attention to APT32 association, plugin-style .dylib extensibility, and user/root execution context. It does not provide official detection guidance, tactics, ATT&CK technique relationships, or external reference details in the supplied data.
This take is constrained to the supplied MITRE fields. No external references or relationship context were supplied, and the official detection field is empty. Any assessment of exposure, active exploitation, specific indicators, or confirmed detection coverage requires local telemetry and additional intelligence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR. (Citation: TrendMicro MacOS April 2018) |
| Enterprise | T1095 | Non-Application Layer Protocol | OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via |
| Enterprise | T1070.004 | File Deletion Sub-technique | OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution. (Citation: TrendMicro MacOS April 2018) (Citation: Trend Micro MacOS Backdoor November 2020) (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host. (Citation: TrendMicro MacOS April 2018) (Citation: Trend Micro MacOS Backdoor November 2020) |
| Enterprise | T1497.001 | System Checks Sub-technique | OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as `sysctl hw.model` and the kernel boot time. (Citation: Unit42 OceanLotus 2017) (Citation: ESET OceanLotus macOS April 2019) (Citation: 20 macOS Common Tools and Techniques) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | OSX_OCEANLOTUS.D uses a decode routine combining bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. This routine is also referenced as the `rotate` function in reporting. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1059.004 | Unix Shell Sub-technique | OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the |
| Enterprise | T1082 | System Information Discovery | OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the |
| Enterprise | T1571 | Non-Standard Port | OSX_OCEANLOTUS.D has used a custom binary protocol over TCP port 443 for C2. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1543.001 | Launch Agent Sub-technique | OSX_OCEANLOTUS.D can create a persistence file in the folder |
| Enterprise | T1105 | Ingress Tool Transfer | OSX_OCEANLOTUS.D has a command to download and execute a file on the victim's machine. (Citation: TrendMicro MacOS April 2018) (Citation: Trend Micro MacOS Backdoor November 2020) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | OSX_OCEANLOTUS.D uses Word macros for execution. (Citation: TrendMicro MacOS April 2018) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | OSX_OCEANLOTUS.D sets the main loader file's attributes to hidden. (Citation: TrendMicro MacOS April 2018) |
| Enterprise | T1070.006 | Timestomp Sub-technique | OSX_OCEANLOTUS.D can use the |
| Enterprise | T1071.001 | Web Protocols Sub-technique | OSX_OCEANLOTUS.D can also use HTTP POST and GET requests to send and receive C2 information. (Citation: Trend Micro MacOS Backdoor November 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | OSX_OCEANLOTUS.D has used `zlib` to compress all data after 0x52 for the custom TCP C2 protocol. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1543.004 | Launch Daemon Sub-technique | If running with |
| Enterprise | T1027.002 | Software Packing Sub-technique | OSX_OCEANLOTUS.D has a variant that is packed with UPX. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1560.002 | Archive via Library Sub-technique | OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server. (Citation: TrendMicro MacOS April 2018) (Citation: Trend Micro MacOS Backdoor November 2020) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services. For example, it names a LaunchAgent plist file `com.apple.openssl.plist`, which executes OSX_OCEANLOTUS.D from the user's `~/Library/OpenSSL/` folder upon user login. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1005 | Data from Local System | OSX_OCEANLOTUS.D has the ability to upload files from a compromised host. (Citation: Trend Micro MacOS Backdoor November 2020) |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | OSX_OCEANLOTUS.D has used AES in CBC mode to encrypt collected data when saving that data to disk. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1129 | Shared Modules | For network communications, OSX_OCEANLOTUS.D loads a dynamic library (`.dylib` file) using `dlopen()` and obtains a function pointer to execute within that shared library using `dlsym()`. (Citation: Unit42 OceanLotus 2017) |
| Enterprise | T1553.001 | Gatekeeper Bypass Sub-technique | OSX_OCEANLOTUS.D uses the command |
| Enterprise | T1059.001 | PowerShell Sub-technique | OSX_OCEANLOTUS.D uses PowerShell scripts. (Citation: TrendMicro MacOS April 2018) |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | OSX_OCEANLOTUS.D has disguised its true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents. (Citation: Trend Micro MacOS Backdoor November 2020) |
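A hunting check for the T1036.004 LaunchAgent masquerade in the table (an Apple-looking label whose program runs from `~/Library/OpenSSL/`) and for the persistence and privilege items under "Detection direction" above. This is an added example for defenders, not code from the MITRE object, the Glexia analysis, or any vendor report; the home path, the Apple-owned path list and the two sample plists are constructed assumptions.

```python
"""Flag launchd plists whose Apple-style label does not match an Apple-owned program path."""
import plistlib

# Assumption for this example: where a genuinely Apple-labelled launch item is
# expected to live. Tune this to the local baseline before hunting with it.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def program_path(item, home):
    """Return the executable a launchd plist would run, with a leading ~ expanded."""
    program = item.get("Program") or (item.get("ProgramArguments") or [None])[0]
    if program and program.startswith("~"):
        program = home + program[1:]
    return program


def assess_launch_item(plist_bytes, home="/Users/alice"):
    """Parse one LaunchAgent/LaunchDaemon plist and return a list of hunting findings."""
    item = plistlib.loads(plist_bytes)
    label = item.get("Label", "")
    program = program_path(item, home)
    if not program:
        return ["no Program or ProgramArguments"]
    findings = []
    # com.apple.* labels are expected to point at Apple-shipped binaries.
    if label.startswith("com.apple.") and not program.startswith(APPLE_OWNED_PREFIXES):
        findings.append("apple label outside Apple-owned path: %s -> %s" % (label, program))
    # A program under the user's own Library folder is user-writable persistence.
    if program.startswith(home + "/Library/"):
        findings.append("program in user-writable Library folder: %s" % program)
    # Only add the login-execution note when something else already looks wrong.
    if findings and item.get("RunAtLoad"):
        findings.append("RunAtLoad set: executes at login")
    return findings


# Constructed sample mirroring the com.apple.openssl.plist pattern from the table.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.openssl",
    "ProgramArguments": ["~/Library/OpenSSL/openssl"],
    "RunAtLoad": True,
})

# Constructed sample: an Apple-labelled item running from an Apple-owned location.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.example",
    "Program": "/System/Library/CoreServices/example",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, assess_launch_item(blob) or ["no findings"])
```

On a live host, feed the same function the bytes of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and review flagged items against the documented false-positive expectations for legitimate helpers.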
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | 30d25441b35e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 OceanLotus 2017: Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- [2] TrendMicro MacOS April 2018: Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- [3] Trend Micro MacOS Backdoor November 2020: Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- [4] Backdoor.MacOS.OCEANLOTUS.F (Citation: Trend Micro MacOS Backdoor November 2020)
- [5] OSX_OCEANLOTUS.D (Citation: TrendMicro MacOS April 2018)
- [6] mitre-attack S0352
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.