G0050 · 79 ATT&CK techniques · 0 correlated reports

APT32

Aliases: SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private-sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries such as Vietnam, the Philippines, Laos, and Cambodia. The group has made extensive use of strategic web compromises (watering-hole sites, ATT&CK T1189 Drive-by Compromise) to gain initial access to victims.


ATT&CK techniques

T1550.002 · Pass the Hash
T1036 · Masquerading
T1059.007 · JavaScript
T1047 · Windows Management Instrumentation
T1072 · Software Deployment Tools
T1570 · Lateral Tool Transfer
T1564.004 · NTFS File Attributes
T1552.002 · Credentials in Registry
T1055 · Process Injection
T1216.001 · PubPrn
T1566.001 · Spearphishing Attachment
T1135 · Network Share Discovery
T1033 · System Owner/User Discovery
T1571 · Non-Standard Port
T1082 · System Information Discovery
T1583.001 · Domains
T1012 · Query Registry
T1027.010 · Command Obfuscation
T1059.003 · Windows Command Shell
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
T1574.002 · DLL Side-Loading
T1566.002 · Spearphishing Link
T1598.003 · Spearphishing Link (Phishing for Information)
T1087.001 · Local Account
T1059.001 · PowerShell
T1003.001 · LSASS Memory
T1046 · Network Service Discovery
T1608.004 · Drive-by Target
T1041 · Exfiltration Over C2 Channel
T1036.004 · Masquerade Task or Service
T1003 · OS Credential Dumping
T1078.003 · Local Accounts
T1589 · Gather Victim Identity Information
T1070.006 · Timestomp
T1189 · Drive-by Compromise
T1218.011 · Rundll32
T1059 · Command and Scripting Interpreter
T1112 · Modify Registry
T1071.003 · Mail Protocols
T1560 · Archive Collected Data
T1204.001 · Malicious Link
T1071.001 · Web Protocols
T1036.005 · Match Legitimate Name or Location
T1070.004 · File Deletion
T1070.001 · Clear Windows Event Logs
T1027.011 · Fileless Storage
T1105 · Ingress Tool Transfer
T1053.005 · Scheduled Task
T1036.003 · Rename System Utilities
T1543.003 · Windows Service
T1608.001 · Upload Malware
T1222.002 · Linux and Mac File and Directory Permissions Modification
T1569.002 · Service Execution
T1018 · Remote System Discovery
T1218.005 · Mshta
T1083 · File and Directory Discovery
T1059.005 · Visual Basic
T1588.002 · Tool
T1021.002 · SMB/Windows Admin Shares
T1550.003 · Pass the Ticket
T1583.006 · Web Services
T1505.003 · Web Shell
T1564.001 · Hidden Files and Directories
T1016 · System Network Configuration Discovery
T1027.001 · Binary Padding
T1049 · System Network Connections Discovery
T1564.003 · Hidden Window
T1027.013 · Encrypted/Encoded File
T1056.001 · Keylogging
T1589.002 · Email Addresses
T1218.010 · Regsvr32
T1068 · Exploitation for Privilege Escalation
T1585.001 · Social Media Accounts
T1137 · Office Application Startup
T1203 · Exploitation for Client Execution
T1204.002 · Malicious File
T1547.001 · Registry Run Keys / Startup Folder
T1102 · Web Service
T1087 · Account Discovery
