PHOREAL
PHOREAL is a malware family associated with the Vietnam-aligned espionage threat actor APT32, also known as OceanLotus. The cited reporting identifies PHOREAL as one of APT32’s signature malware payloads, alongside WINDSHIELD, KOMPROGO, and SOUNDBITE, and places its use in APT32 intrusions targeting private-sector organizations, foreign governments, dissidents, journalists, and entities with business interests in Vietnam. Victim sectors named for APT32 activity include manufacturing, consumer products, hospitality, banking, media, network security, and technology infrastructure; one cited example is the 2016 targeting of U.S. consumer products organizations.
Capabilities directly attributed to PHOREAL in the cited reporting are command-and-control over ICMP, Windows Registry manipulation, and creation of a reverse shell. The reporting also notes that APT32 backdoors modified the Windows Registry to store backdoor configuration, which is consistent with PHOREAL’s listed Registry manipulation capability, but it gives no specific registry paths or configuration details for PHOREAL itself.
The broader APT32 intrusion tradecraft described in the source material includes spear-phishing emails delivering ActiveMime ".mht" lure documents disguised as ".doc" files that entice victims to enable macros, after which multiple payloads are downloaded from remote servers. The reporting does not, however, state that PHOREAL itself is the payload delivered by that vector in every case. No PHOREAL-specific hashes, filenames, domains, IPs, or other unique indicators of compromise are provided.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Some of the key tools in its arsenal include SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and, more recently, SPECTRALVIPER...
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (5 techniques)
  “the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system.”
  “delivered as a multi-stage PowerShell script… delivered as shellcode in a PowerShell script…”
  The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
  Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (2 techniques)
Defense Impairment (1 technique)
Command and Control (3 techniques)
  "Anchor has used ICMP in C2 communications."
  "COATHANGER uses ICMP for transmitting configuration information..."
  "PHOREAL communicates via ICMP for C2."
  "Regin ... can use ICMP to communicate between infected computers."
  "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."
IOCs tracked for this family
61 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A malware tool identified as part of OceanLotus's arsenal.
Backdoor using ICMP for C2, with reverse shell capability plus filesystem/registry manipulation, process creation, and file upload.
Malware capable of manipulating the Windows Registry.
Malware/tool capable of creating a reverse shell.