ESET uncovers latest malicious activity in Asia from infamous hacking group, OceanLotus

Analysing the activities of hacking group OceanLotus, known for campaigns targeting eastern Asia, security researchers at ESET have followed one of the group’s latest campaign.

ESET’s research into the group, also known as APT32 or APT C-00, has shown they are using the same tricks but now includes a new backdoor. ESET’s white paper highlights several methods being used to convince the user to execute the backdoor, slow down its analysis and avoid detection.

OceanLotus typically targets company and government networks in East-Asian countries, particularly Vietnam, the Philippines, Laos and Cambodia. Last year, in an incident dubbed Operation Cobalt Kitty, the group targeted the top-level management of a global corporation based in Asia with the goal of stealing proprietary business information.

This new research has shown the group utilising several methods in a bid to trick potential victims into running malicious droppers, including double extension and fake icon applications (e.g. Word, PDF, etc). These droppers are likely to be attached to an email message although ESET have also found fake installers and software updates used to deliver the same backdoor component.

In their latest research paper, ESET shows how Oceanlotus‘ latest backdoor is able to execute its malicious payload on a system. Its process of installation relies heavily on a decoy document sent to a potential person of interest. Multiple layers of in-memory operations and a side-loading technique are used to execute Oceanlotus latest full-featured backdoor.

"Ocean Lotus’ activities demonstrate its intention to remain hidden by picking its targets carefully, but ESET’s research has brought to light the true extent of its intended activites," states Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET.

The group works to limit the distribution of their malware and use several different servers to avoid attracting attention to a single domain or IP address. Through encrypting the payload and coupling this with the use of the side-loading technique, OceanLotus can stay under the radar with malicious activities appearing to have come from the legitimate application.

While the group have managed to some extent to remain concealed, ESET’s research has highlighted their ongoing activity and how they have altered it to remain effective. "ESET’s threat intelligence has provided conclusive data that shows this particular group has worked to continually update their toolkit and are very much still active in their malicious activities," adds Romain Dumont, ESET Malware Researcher.

To read more about ESET’s research into OceanLotus‘ activity visit

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit or follow us on LinkedInFacebook and Twitter.