G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
Analyst context for executives and security teams
APT32 is an ATT&CK group entry for a suspected Vietnam-based threat group active since at least 2014, associated with targeting private sector organizations, foreign governments, dissidents, and journalists, especially in Southeast Asia. For defenders, the practical issue is not just the name: the ATT&CK relationships show a mix of strategic web compromise, credential dumping, discovery, SMB-based lateral movement, command/file obfuscation, and multiple Windows, macOS, and Linux backdoors. This makes APT32 useful as a planning case for validating whether endpoint, identity, network, and web telemetry can connect early access to post-compromise movement.
Executive priority
Prioritize this entry if the organization operates in or supports Southeast Asia, works with government, media, civil society, or sensitive regional business interests, or has executives and users exposed to external web-based targeting. Leadership should ask whether incident response can quickly answer: which users browsed to suspicious compromised sites, which endpoints exposed credentials, which accounts moved over SMB/admin shares, and whether macOS/Linux assets are covered as well as Windows. The value is in resilience and evidence readiness, not in assuming this group is currently targeting the organization.
Technical view
ATT&CK provides no official detection text for this group, so validation should be relationship-driven. The supplied relationships connect APT32 to Mimikatz and OS Credential Dumping including LSASS Memory, Windows discovery via registry and network utilities such as Net, Arp, ipconfig, and netsh, Remote System Discovery, SMB/Windows Admin Shares, and stealth techniques including command obfuscation, fileless storage, and encrypted/encoded files. Related malware includes several Windows backdoors, a macOS backdoor, and a Linux backdoor, so SOC coverage should be checked across endpoint platforms where those assets exist. Detection engineering should focus on behavioral chains: suspicious web-origin execution or payload delivery followed by discovery commands, credential access attempts, abnormal SMB/admin-share use, and persistence or backdoor-like process/network activity.
Likely telemetry
- Web proxy, secure web gateway, browser, and DNS logs for strategic web compromise investigation context
- Endpoint process creation and command-line telemetry for Net, Arp, ipconfig, netsh, registry queries, and obfuscated commands
- Windows security and EDR telemetry related to LSASS access, credential dumping behavior, and Mimikatz-like activity
- Authentication, account use, and lateral movement logs, especially SMB and Windows admin share access
- Registry, WMI repository, event log, and other fileless-storage-relevant endpoint evidence where collected
Detection direction
- Do not rely on the group name as a detection strategy; validate coverage for the ATT&CK techniques and software relationships supplied for APT32.
- Correlate discovery utilities and registry queries with preceding suspicious web activity, new processes, or unusual user context to reduce false positives from normal administration.
- Tune detections for LSASS access and credential dumping with attention to legitimate security tools and administrator activity that can resemble Mimikatz testing.
- Review SMB/admin-share detections against identity context: rare source-to-destination pairs, unusual accounts, off-hours access, or access following credential-related alerts are higher value than raw SMB events alone.
- Expect obfuscation and encoded/encrypted files to weaken simple signature matching; prioritize command-line normalization, behavioral analytics, and endpoint evidence preservation.
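The correlation logic these points describe, written out as an added example that is not part of the ATT&CK entry or the Glexia mirror: the event tuples, host names, the `lsass_access` alert name and the baseline pair set are constructed, and the discovery-utility, browser and admin-share sets are assumptions a team would tune to its own telemetry.

```python
"""Added example, not from the ATT&CK entry or the Glexia mirror: correlates
constructed endpoint telemetry into the chain the page describes (web-origin
execution -> discovery burst -> credential access -> rare admin-share use)."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {"net.exe", "arp.exe", "ipconfig.exe", "netsh.exe", "reg.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample events (not real logs): (time, host, user, kind, detail).
EVENTS = [
    ("2024-05-01T09:00:00", "WS01", "alice", "proc", {"image": "chrome.exe", "parent": "explorer.exe"}),
    ("2024-05-01T09:00:40", "WS01", "alice", "proc", {"image": "rundll32.exe", "parent": "chrome.exe"}),
    ("2024-05-01T09:01:05", "WS01", "alice", "proc", {"image": "net.exe", "parent": "cmd.exe"}),
    ("2024-05-01T09:01:10", "WS01", "alice", "proc", {"image": "ipconfig.exe", "parent": "cmd.exe"}),
    ("2024-05-01T09:01:20", "WS01", "alice", "proc", {"image": "netsh.exe", "parent": "cmd.exe"}),
    ("2024-05-01T09:05:00", "WS01", "alice", "alert", {"name": "lsass_access"}),
    ("2024-05-01T09:07:00", "WS01", "alice", "smb", {"dst": "FS02", "share": "ADMIN$"}),
    # Routine admin host: a lone discovery command, a baseline share path, no alert.
    ("2024-05-01T10:00:00", "ADM01", "itops", "proc", {"image": "ipconfig.exe", "parent": "cmd.exe"}),
    ("2024-05-01T10:01:00", "ADM01", "itops", "smb", {"dst": "FS02", "share": "ADMIN$"}),
]
# Constructed baseline: source->destination admin-share pairs seen routinely.
BASELINE_PAIRS = {("ADM01", "FS02")}

def _within(t, starts, window):
    """True if t falls inside `window` after any timestamp in `starts`."""
    return any(0 <= (t - s).total_seconds() <= window.total_seconds() for s in starts)

def discovery_after_web(events, window=timedelta(minutes=10), min_tools=3):
    """(host, user) -> sorted discovery tools, for hosts where at least min_tools
    distinct discovery utilities ran within `window` after a browser-spawned child."""
    origins, seen = defaultdict(list), defaultdict(set)
    for ts, host, _u, kind, d in events:
        if kind == "proc" and d["parent"] in BROWSERS and d["image"] not in BROWSERS:
            origins[host].append(datetime.fromisoformat(ts))
    for ts, host, user, kind, d in events:
        if kind != "proc" or d["image"] not in DISCOVERY:
            continue
        if _within(datetime.fromisoformat(ts), origins[host], window):
            seen[(host, user)].add(d["image"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_tools}

def rare_share_after_cred_alert(events, baseline, window=timedelta(minutes=30)):
    """Admin-share access over a source->destination pair absent from the baseline
    and preceded by an LSASS-access alert on the source host."""
    alerts = defaultdict(list)
    for ts, host, _u, kind, d in events:
        if kind == "alert" and d["name"] == "lsass_access":
            alerts[host].append(datetime.fromisoformat(ts))
    hits = []
    for ts, host, user, kind, d in events:
        if kind != "smb" or d["share"] not in ADMIN_SHARES or (host, d["dst"]) in baseline:
            continue  # baseline pairs are low value on their own, so they are skipped here
        if _within(datetime.fromisoformat(ts), alerts[host], window):
            hits.append((host, d["dst"], d["share"], user))
    return hits
```

The routine ADM01 activity produces no hit in either function, which is the point of requiring a web-origin parent and a non-baseline pair rather than alerting on the utilities or SMB events alone.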
Mitigation priorities
- Start with credential protection and privileged access controls, because the relationships include OS credential dumping, LSASS Memory, Mimikatz, and SMB/admin-share lateral movement.
- Restrict and monitor administrative shares, remote administration pathways, and unnecessary SMB exposure between workstations and sensitive systems.
- Improve endpoint hardening and EDR visibility for Windows, macOS, and Linux assets where present, with special attention to command execution, registry activity, fileless storage locations, and suspicious network connections.
- Strengthen web browsing defenses and user-risk processes for populations exposed to strategic web compromise risk, including executives, regional staff, journalists, civil society contacts, and government-facing teams where applicable.
- Maintain incident response playbooks that preserve endpoint memory/process data, authentication logs, web logs, DNS, and network metadata needed to reconstruct credential theft and lateral movement.
Analyst notes and limits
This take is based only on the supplied ATT&CK group description, external references, and relationship context. The strongest decision value comes from the pattern of associated behaviors: web compromise leading into discovery, credential access, SMB lateral movement, and backdoor activity across multiple endpoint operating systems. Local prioritization should be driven by geography, sector, sensitive populations, and actual telemetry coverage.
ATT&CK provides no official detection text and the group object itself lists no platforms or tactics. Platform references here come from related software and techniques, not from the group-level platform field. The supplied relationship list may not be complete for all APT32 activity, and this summary should not be read as a claim of active targeting, active exploitation, or guaranteed detection coverage.
APT32
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1550.002 | Pass the Hash Sub-technique | APT32 has used pass the hash for lateral movement. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1036 | Masquerading | APT32 has disguised a Cobalt Strike beacon as a Flash Installer. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1059.007 | JavaScript Sub-technique | APT32 has used JavaScript for drive-by downloads and C2 communications. (Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1047 | Windows Management Instrumentation | APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1072 | Software Deployment Tools | |
| Enterprise | T1570 | Lateral Tool Transfer | APT32 has deployed tools after moving laterally using administrative accounts. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | APT32 used NTFS alternate data streams to hide their payloads. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | |
| Enterprise | T1055 | Process Injection | APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1216.001 | PubPrn Sub-technique | APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses. (Citation: Twitter ItsReallyNick Status Update APT32 PubPrn) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1135 | Network Share Discovery | APT32 used the |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1082 | System Information Discovery | APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[3][6](Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020) |
| Enterprise | T1583.001 | Domains Sub-technique | APT32 has set up and operated websites to gather information and deliver malware. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | APT32 has used cmd.exe for execution. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | |
| Enterprise | T1574.001 | DLL Sub-technique | |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | APT32 has used malicious links to direct users to web pages designed to harvest credentials. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1087.001 | Local Account Sub-technique | APT32 enumerated administrative users using the commands |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1046 | Network Service Discovery | APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1608.004 | Drive-by Target Sub-technique | APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1003 | OS Credential Dumping | |
| Enterprise | T1078.003 | Local Accounts Sub-technique | |
| Enterprise | T1589 | Gather Victim Identity Information | |
| Enterprise | T1070.006 | Timestomp Sub-technique | APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.[1][6](Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1189 | Drive-by Compromise | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | APT32 malware has used rundll32.exe to execute an initial infection process. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1059 | Command and Scripting Interpreter | APT32 has used COM scriptlets to download Cobalt Strike beacons. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | |
| Enterprise | T1560 | Archive Collected Data | |
| Enterprise | T1204.001 | Malicious Link Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | APT32's macOS backdoor can receive a “delete” command. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection. (Citation: Twitter ItsReallyNick APT32 pubprn Masquerade) |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1608.001 | Upload Malware Sub-technique | APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | APT32's macOS backdoor changes the permission of the file it wants to execute to 755. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1018 | Remote System Discovery | APT32 has enumerated DC servers using the command |
| Enterprise | T1218.005 | Mshta Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1588.002 | Tool Sub-technique | APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.[1][4] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | |
| Enterprise | T1550.003 | Pass the Ticket Sub-technique | APT32 successfully gained remote access by using pass the ticket. (Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1583.006 | Web Services Sub-technique | APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads. (Citation: Volexity Ocean Lotus November 2020) |
| Enterprise | T1505.003 | Web Shell Sub-technique | |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | APT32's macOS backdoor hides the clientID file via a chflags function. (Citation: ESET OceanLotus macOS April 2019) |
| Enterprise | T1016 | System Network Configuration Discovery | APT32 used the |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | |
| Enterprise | T1049 | System Network Connections Discovery | APT32 used the |
| Enterprise | T1564.003 | Hidden Window Sub-technique | APT32 has used the WindowStyle parameter to conceal PowerShell windows.[1](Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[1](Citation: GitHub Invoke-Obfuscation)[3][4](Citation: Cybereason Cobalt Kitty 2017)[6](Citation: ESET OceanLotus macOS April 2019) |
Groups, software, and campaigns
S0002: Mimikatz
S0100: ipconfig
S0585: Kerrdown
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0157: SOUNDBITE
S0352: OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (`root` or `user`).[1][2][3]
S0156: KOMPROGO
S0108: netsh
S1078: RotaJakiro
RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (`root` or `user`).[1][2]
S0158: PHOREAL
S0099: Arp
S0155: WINDSHIELD
WINDSHIELD is a signature backdoor used by APT32.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 3e074c293359… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT32 May 2017: Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- [2] Volexity OceanLotus Nov 2017: Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- [3] ESET OceanLotus: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- [4] Cybereason Oceanlotus May 2017: Dahan, A. (2017, May 24). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried Out by the OceanLotus Group. Retrieved November 5, 2018.
- [5] Amnesty Intl. Ocean Lotus February 2021: Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
- [6] ESET OceanLotus Mar 2019: Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- [7] APT-C-00 (associated group name): (Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
- [8] APT32 (associated group name): (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
- [9] BISMUTH (associated group name): (Citation: Microsoft Threat Actor Naming July 2023)
- [10] Canvas Cyclone (associated group name): (Citation: Microsoft Threat Actor Naming July 2023)
- [11] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [12] OceanLotus (associated group name): (Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: Amnesty Intl. Ocean Lotus February 2021)
- [13] SeaLotus (associated group name): (Citation: Cybereason Oceanlotus May 2017)
- [14] mitre-attack G0050
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.