Threat-actor profile

← Back to main site

Home/ Threat Actors/ APT32

🇻🇳APT32

🇻🇳 APT32 is a tracked threat actor in the Clankerusecase corpus. Attributed to VN. Primary motivation: State. We map 26 detection use cases to this actor across 94 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2026-06-11 to 2026-06-11.

crit 2

View full actor card → All threat actors MITRE ATT&CK group spec (G0050) ↗

26Use cases

2Articles

94Techniques

14IOCs

Known aliases

APT32OceanLotusSeaLotusCobalt KittyAPT-C-00Canvas CycloneBISMUTH

Top techniques

T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1071.001 · Web Protocols

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1012 · Query Registry T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021 · Remote Services T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1027.010 · Command Obfuscation T1027.011 · Fileless Storage T1027.013 · Encrypted/Encoded File T1027.016 · Junk Code Insertion T1033 · System Owner/User Discovery T1036 · Masquerading T1036.003 · Rename Legitimate Utilities T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location T1041 · Exfiltration Over C2 Channel T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1055 · Process Injection T1055.012 · Process Hollowing T1056.001 · Keylogging T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.007 · JavaScript T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1070.006 · Timestomp T1071 · Application Layer Protocol T1071.003 · Mail Protocols T1071.004 · DNS T1072 · Software Deployment Tools T1078.003 · Local Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.001 · Local Account T1098.001 · Additional Cloud Credentials T1102 · Web Service T1105 · Ingress Tool Transfer T1112 · Modify Registry T1135 · Network Share Discovery T1137 · Office Application Startup T1189 · Drive-by Compromise T1203 · Exploitation for Client Execution T1204 · User Execution T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1216.001 · PubPrn T1218.005 · Mshta T1218.010 · Regsvr32 T1218.011 · Rundll32 T1219 · Remote Access Tools T1222.002 · Linux and Mac Permissions T1505.001 · SQL Stored Procedures T1505.003 · Web Shell T1528 · Steal Application Access Token T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1550.002 · Pass the Hash T1550.003 · Pass the Ticket T1552.002 · Credentials in Registry T1553.002 · Code Signing T1560 · Archive Collected Data T1564.001 · Hidden Files and Directories T1564.003 · Hidden Window T1564.004 · NTFS File Attributes T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1569.002 · Service Execution T1570 · Lateral Tool Transfer T1571 · Non-Standard Port T1573 · Encrypted Channel T1574.001 · DLL T1574.002 · T1574.002 T1583.001 · Domains T1583.006 · Web Services T1585.001 · Social Media Accounts T1588.002 · Tool T1589 · Gather Victim Identity Information T1589.002 · Email Addresses T1598.003 · Spearphishing Link T1608.001 · Upload Malware T1608.004 · Drive-by Target T1685.005 · Clear Windows Event Logs

Detection use cases (26)

APT32 (OceanLotus / Cobalt Kitty) Outlook Home Page persistence via WebView URL registry key AI · profile SΣDD APT32 DLL side-loading via trusted AV/vendor binary copied to user-writable directory AI · profile SΣDD FireAnt Metakit.exe spawns unsigned setup.exe from update path (SPECTRALVIPER supply-chain delivery) Bespoke DtlCrashCatch.dll image-load by legitimate signed binary (OceanLotus DLL side-load) Bespoke OneDrive.Sync.Service.exe spawned/injected outside legitimate OneDrive chain (SPECTRALVIPER injection target) Bespoke SPECTRALVIPER C2 callout to OceanLotus FireAnt infrastructure Bespoke Public-facing MSSQL sqlservr.exe spawns suspicious child (OceanLotus transport-construction intrusion vector) Bespoke SPECTRALVIPER known-bad SHA1 observed on disk or in process Bespoke Registry Run-key persistence written by SPECTRALVIPER side-load chain Bespoke Beaconing — periodic outbound to small set of destinations Internal Network connections to article IPs / domains Internal Remote service execution — PsExec / SMB lateral movement Internal OAuth consent / suspicious app grant Internal Phishing-link click correlated to endpoint execution Internal Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match

Threat-intel articles (2)

crit OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack · 2026-06-11

crit OceanLotus: From external espionage to domestic targeting · 2026-06-11

Tracked indicators

Domains (6)

coachcybersecurity.com financemachinelearning.c gatewayrvcenter.com leadingfilipinoteams.com mxprodesign.com power-sync-services.com

IP addresses (8)

103.119.47.104 139.162.11.152 139.180.128.42 139.99.33.239 142.91.98.77 166.88.77.186 194.68.26.241 38.60.245.37