Mallory
Malware · Used by 1 actor · Exploits 1 CVE

WINDSHIELD

WINDSHIELD is a malware family associated with the Vietnam-aligned threat actor APT32, also known as OceanLotus. The cited reporting describes it as one of APT32's signature malware payloads, alongside KOMPROGO, SOUNDBITE, and PHOREAL/Denis/Remy, and notes its use in APT32 operations targeting sectors including network security, banking, and consumer products, with examples of activity in Vietnam and against a U.S. consumer products target.

High-confidence behaviors stated directly in the cited content are: gathering Windows Registry values to collect system information, gathering the victim user name, communicating with command-and-control infrastructure over raw TCP sockets, and deleting files as part of broader file system interaction.

The broader APT32 context in the source material indicates the group has conducted cyber-espionage operations aligned with Vietnamese state interests and has targeted private-sector companies, foreign governments, dissidents, journalists, and organizations with business interests in Vietnam. Within that context, WINDSHIELD is presented as a recurring custom backdoor/tool used in those campaigns. No specific standalone infection vector or WINDSHIELD-specific indicators of compromise are provided in the content.


EXPLOITED CVES

Vulnerabilities exploited

One CVE that Mallory has correlated with this family across public research and vendor advisories.

CVE-2016-7255: Win32k Elevation of Privilege Vulnerability (exploited in the wild)

During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.

Source: web.archive.org
THREAT ACTORS

Groups observed using it

One distinct threat actor attributed by public researchers.

APT32

Some of the key tools in its arsenal include SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and, more recently, SPECTRALVIPER...

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 2)

“APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros… APT32 actors continue to deliver the malicious attachments via spear-phishing emails.”

Execution

4 techniques
T1053.005 Scheduled Task (evidence: 1)

“the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system.”

T1059.001 PowerShell (evidence: 1)

“delivered as a multi-stage PowerShell script… delivered as shellcode in a PowerShell script…”

T1059.005 Visual Basic (evidence: 1)

“The Base64 encoded ActiveMime data also contained an OLE file with malicious macros.”

T1204.002 Malicious File (evidence: 2)

“The Base64 encoded ActiveMime data also contained an OLE file with malicious macros… fake error messages… encourages the recipient to enable content…”

Persistence

1 technique
T1053.005 Scheduled Task (evidence: 1)

“the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system.”

Privilege Escalation

1 technique
T1053.005 Scheduled Task (evidence: 1)

“the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system.”

Stealth

3 techniques
T1036 Masquerading (evidence: 2)

“installed one backdoor as a persistent service with a legitimate service name… Another backdoor used an otherwise legitimate DLL filename…”

T1070.004 File Deletion (evidence: 7)

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

T1218.005 Mshta (evidence: 1)

“This second task ran ‘mshta.exe’ every 50 minutes…”

Discovery

3 techniques
T1012 Query Registry (evidence: 4)

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

T1033 System Owner/User Discovery (evidence: 3)

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.

T1082 System Information Discovery (evidence: 6)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

Command and Control

2 techniques
T1095 Non-Application Layer Protocol (evidence: 2)

“WINDSHIELD… C2 communications via TCP raw sockets”

T1105 Ingress Tool Transfer (evidence: 2)

“Upon execution, the initialized file downloads multiple malicious payloads from remote servers.”

INDICATORS OF COMPROMISE

IOCs tracked for this family

61 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 50 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 11 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
