APT32

APT32, also known as OceanLotus, Ocean Lotus, APT-C-00, BISMUTH, Cobalt Kitty, Canvas Cyclone, Lotus Bane, Ocean Buffalo, Pond Loach, SeaLotus, SectorF01, and TIN Woodlawn, is a Vietnam-aligned cyberespionage threat actor whose operations are described as aligned with the interests of the Vietnamese government. Reporting in the provided content states the group has been active since at least 2012, with Amnesty International noting activity since at least 2014. The group has targeted Vietnamese human rights defenders and civil society, the private sector, domestic Vietnamese entities, stock investors, foreign governments including Laos and Cambodia, NGOs, news agencies, and businesses across sectors including information technology, hospitality, agriculture and commodities, hospitals, retail, automotive, and mobile services. The content describes APT32 using spearphishing attachments to lure users into executing a malicious dropper, hosting payloads on Dropbox, Amazon S3, and Google Drive, and using JavaScript over HTTP or HTTPS to attacker-controlled domains to download additional frameworks and encrypted payloads. It has used COM scriptlets to download Cobalt Strike beacons, heavily obfuscated PowerShell including the WindowStyle parameter to hide execution, Invoke-Obfuscation, and regsvr32.exe "Squiblydoo" to retrieve second-stage payloads. For persistence, APT32 modified Windows Services to ensure PowerShell scripts were loaded and created a Windows service; it also used Registry Run keys to execute PowerShell, VBS scripts, and its backdoor directly. The group has used WMI to deploy tools on remote machines and gather information about the Outlook process. Observed discovery behavior includes listing files and directories, collecting victim usernames, executing whoami, gathering IP configuration with ipconfig /all, and using shellcode to collect usernames. The content also notes a macOS backdoor that hides a clientID file via chflags, and Amnesty International reported OceanLotus malware for both Windows and macOS. In the Amnesty-reported campaign, Windows infections used Kerrdown, described there as used exclusively by OceanLotus, to download additional spyware including Cobalt Strike, while the macOS malware allowed access to system information and supported file download, upload, execution, and command execution. Recent reporting in the provided content attributes two SPECTRALVIPER campaigns to OceanLotus/APT32. One targeted a Vietnamese infrastructure and transport construction corporation from late 2024 to February 2026, likely involving remote code execution vulnerabilities in Microsoft SQL Server and DLL side-loading. The second was a supply-chain attack from October 2025 to March 2026 against FireAnt MetaKit, a platform used by stock investors in Vietnam, in which the group abused the legitimate update URL to selectively deliver SPECTRALVIPER. The malware is described as supporting host reconnaissance, HTTPS-based command and control, orchestration, lateral movement via named pipes, and process injection, including execution in OneDrive.Sync.Service.exe. The reporting characterizes these campaigns as reflecting an increasing emphasis on domestic espionage inside Vietnam.