🇻🇳
APT32
APT Group
Information theft and espionage
8 zero-day CVEs
ETDA ✓
Also Known As 16 names
APT 32
APT-32
APT-C-00
ATK17
BISMUTH
Canvas Cyclone
Cobalt Kitty
G0050
Ocean Buffalo
Ocean Lotus
OceanLotus
OceanLotus Group
POND LOACH
Sea Lotus
SeaLotus
TIN WOODLAWN
Target Countries 20
Australia
Bangladesh
China
Germany
Denmark
Indonesia
India
Islamic Republic of Iran
Japan
Cambodia
Republic of Korea
Myanmar
Malaysia
Netherlands
Nepal
Philippines
Singapore
Thailand
United States
Vietnam
Sectors Targeted
Telecommunications
Retail
Government
High-Tech
Uyghurs, dissidents and journalists
Financial
Media
Manufacturing
Hospitality
Defense
Details
Origin
🇻🇳 VN
Last Updated
01 Jun 2022
Malware Families 10
metaljack
cactustorch
cuegoe
remy
zhmimikatz
phantomlance
ratsnif
strikesuit_gift
caja
salgorea
MITRE ATT&CK 180
T1001 - Data Obfuscation
T1003 - OS Credential Dumping
T1003.001 - LSASS Memory
T1005 - Data from Local System
T1007 - System Service Discovery
T1008 - Fallback Channels
T1011 - Exfiltration Over Other Network Medium
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021 - Remote Services
T1021.002 - SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.001 - Binary Padding
T1027.010 - Command Obfuscation
T1027.011 - Fileless Storage
T1027.013 - Encrypted/Encoded File
T1027.016 - Junk Code Insertion
T1029 - Scheduled Transfer
T1030 - Data Transfer Size Limits
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.003 - Rename Legitimate Utilities
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1041 - Exfiltration Over C2 Channel
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1055 - Process Injection
T1056 - Input Capture
T1056.001 - Keylogging
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.005 - Visual Basic
T1059.007 - JavaScript
T1060 - Registry Run Keys / Startup Folder
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1070.004 - File Deletion
T1070.006 - Timestomp
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.003 - Mail Protocols
T1072 - Software Deployment Tools
T1078 - Valid Accounts
T1078.003 - Local Accounts
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085 - Rundll32
T1087 - Account Discovery
T1087.001 - Local Account
T1090 - Proxy
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110 - Brute Force
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.001 - Local Email Collection
T1115 - Clipboard Data
T1119 - Automated Collection
T1120 - Peripheral Device Discovery
T1123 - Audio Capture
T1124 - System Time Discovery
T1127 - Trusted Developer Utilities Proxy Execution
T1129 - Shared Modules
T1130 - Install Root Certificate
T1132 - Data Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1135 - Network Share Discovery
T1136 - Create Account
T1137 - Office Application Startup
T1140 - Deobfuscate/Decode Files or Information
T1170 - Mshta
T1176 - Browser Extensions
T1185 - Man in the Browser
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1195 - Supply Chain Compromise
T1199 - Trusted Relationship
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1216 - System Script Proxy Execution
T1216.001 - PubPrn
T1217 - Browser Bookmark Discovery
T1218 - Signed Binary Proxy Execution
T1218.005 - Mshta
T1218.007 - Msiexec
T1218.010 - Regsvr32
T1218.011 - Rundll32
T1222 - File and Directory Permissions Modification
T1222.002 - Linux and Mac File and Directory Permissions Modification
T1485 - Data Destruction
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1497.003 - Time Based Evasion
T1498 - Network Denial of Service
T1503 - Credentials from Web Browsers
T1505 - Server Software Component
T1505.003 - Web Shell
T1518 - Software Discovery
T1525 - Implant Internal Image
T1529 - System Shutdown/Reboot
T1530 - Data from Cloud Storage Object
T1531 - Account Access Removal
T1539 - Steal Web Session Cookie
T1543 - Create or Modify System Process
T1543.003 - Windows Service
T1546 - Event Triggered Execution
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1548 - Abuse Elevation Control Mechanism
T1550 - Use Alternate Authentication Material
T1550.002 - Pass the Hash
T1550.003 - Pass the Ticket
T1552 - Unsecured Credentials
T1552.002 - Credentials in Registry
T1553 - Subvert Trust Controls
T1555 - Credentials from Password Stores
T1559 - Inter-Process Communication
T1560 - Archive Collected Data
T1561 - Disk Wipe
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1564 - Hide Artifacts
T1564.001 - Hidden Files and Directories
T1564.003 - Hidden Window
T1564.004 - NTFS File Attributes
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1568 - Dynamic Resolution
T1569 - System Services
T1569.002 - Service Execution
T1570 - Lateral Tool Transfer
T1571 - Non-Standard Port
T1573 - Encrypted Channel
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1574.002 - DLL Side-Loading
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.006 - Web Services
T1585 - Establish Accounts
T1585.001 - Social Media Accounts
T1587 - Develop Capabilities
T1588 - Obtain Capabilities
T1588.002 - Tool
T1588.006 - Vulnerabilities
T1589 - Gather Victim Identity Information
T1589.002 - Email Addresses
T1595 - Active Scanning
T1595.002 - Vulnerability Scanning
T1598 - Phishing for Information
T1598.003 - Spearphishing Link
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1608.004 - Drive-by Target
T1685
T1685.005