#Oceanlotus
github.com/blackorbird/AP…

#APT #OceanLotus
Hash：14164d213cc365be86ce2a1277932fee
Danh sach khach hang dien may khu vuc HCM.rar
CC：node.podzone.org

#Darkhotel #Oceanlotus #Patchwork
ref:
github.com/blackorbird/AP…

#APT 32 #OceanLotus #Torii #APT #IoT
C&C:
top.haletteompson[.]com threatbook.io/domain/top.hal…
eu-draytek[.]com threatbook.io/domain/eu-dray…
#CyberAttack #Trojans #malware #threatintelligence #threatintelligence

Today our researchers have found sample which maybe belongs to #Oceanlotus ( #APT32 ) Group
ITW:3510590280406fa30eda94b3ae39058d
filename:TT - PR Advertisement 2022.doc
ITW:BAACA607BCE6BC4AD1DC694984C8DCE5
filename:media.dll
file path:C:\ProgramData\Microsoft Windows Media\media.dll

APT Operation/Group Mid-2022 Summary Report
#Oceanlotus use tinyPortMapper forward traffic to Cobaltstrike sever , and New mips-architecture malware named 'Caja' discovered on controlled devices(IOT/Linux).
github.com/blackorbird/AP…

#OceanLotus botnet : Torii/Caja
eu-draytek[.]com
top[.]haletteompson[.]com
mp.weixin.qq.com/s/v2wiJe-YPG0n…
mp-weixin-qq-com.translate.goog/s/v2wiJe-YPG0n…

If you are so unlucky to missed our talk at #SASatHome on #PhantomLance relations with #OceanLotus , check out our public report:
securelist.com/apt-phantomlan…

#APT #OceanLotus #APT 32 #Threat #Malware

🐻Imitating #APT 29 #CozyBear

📍🇻🇳
💥🌏

⛓️ #Phishing > Fake BMW PDF.LNK > mshta runs .HTA > Persistence > SC is loaded > Cobalt Strike > #C2

🔗Chuangyu 404 Threat Intelligence: mp.weixin.qq.com/s/IB2w86cXcpmG…

#APT #cybercrime #ThreatIntelligence #ThreatHunting #APT 32
I share some #Oceanlotus IOC.
DeliveryInformation.doc, which has some zero detection tag.

Please enjoy it.

docs.google.com/spreadsheets/d…

It looks like an old sample of #OceanLotus #APT has been submitted to VT today:

5b87ef34d174361f35b65c5ee684f1c3
2018年9月工作报告修改意见.doc

9b4c57e61f4df3b546aedf58b2f299cf
Log_Error.jpg

ristineho[.]com

مجموعة القرصنة المعروفة باسم APT32 أو OceanLotus لديها الآن نسخة جديدة من البرامج الضارة لاختراق نظام تشغيل ماك لذلك ننصح الجميع بعدم الضغط فوق الروابط أو تنزيل المرفقات من رسائل البريد الإلكتروني الواردة من مصادر مشبوهة أو غير معروفة

New IOC of #OceanLotus #APT discovered by our analyst. Keep tracking^

198[.]244[.]207[.]133

Check it out: threatbook.io/ip/198.244.207…

#ThreatHunting #ThreatIntelligence #threats #infosec #cybersecurity #cybercrime #SOC #CTI

Malicious Payloads - Hiding beneath the WAV : threatvector.cylance.com/en_us/home/mal… cc Anuj Soni

How the OceanLotus Threat Group leveraged steganography to conceal malicious backdoor payloads within image files : s7d2.scene7.com/is/content/cyl… (pdf)

Get a glimpse inside the mind of the adversary and the techniques being used by OceanLotus (aka APT32) bddy.me/2Z2JgNK

Recent maldoc which targets Japan people, the picture used is from a sample picture for the passport, this remembers oceanlotus group at used it similar samples for their fakes CV.
C2: 103.140.187.183
Ref : app.any.run/tasks/90643f1b…
cc: moto_sato @Rmy

Cat Self (Cat) & Adam Pennington (@_whatshisface) of MITRE explore what’s unique about ATT&CK (@MITREattack) for macOS, and the work they're doing to improve it in '21 🙌🏽🍎

Talk (& title) & delivery: A+++
'Becoming a Yogi on Mac ATT&CK w/ OceanLotus Postures' #OBTS

We have concluded our APT32 (OceanLotus) sample and paper collection.

Check out the papers & samples here: vx-underground.org/apts.html

***Note: More will be added later - much more content to expand 😎

Extracting the #OceanLotus #APT32 VBA project from the Web Archive File using #CyberChef
Sample used: 3510590280406fa30eda94b3ae39058d
First we need to extract the ActiveMime (.mso) from the document. I've used Cerbero from Cerbero Labs and paste the Base64 string into CyberChef.