OceanLotus extends cyberespionage through fake websites

Introduction

OceanLotus (APT32) has continued to grow since Volexity discovered in 2017 that the group was behind a complex, large-scale digital surveillance campaign. In 2019, Volexity presented at the RSA Conference, giving historical and up-to-date information on the various operations of the Vietnamese threat actor OceanLotus. Notably, OceanLotus has set up and operated several activist, news and anti-corruption websites over the years. At first glance, these look like legitimate websites that have been compromised.

These fake sites appear convincingly legitimate and give the operators full control over tracking and attacking site visitors. The most popular of them even had an associated Facebook page with more than 20,000 followers. These sites were shut down or abandoned shortly after the presentation.

But old habits die hard, and successful techniques get reused. Volexity has discovered that OceanLotus has launched several new attacks through a number of fake websites and Facebook pages set up over the past year. In addition to targets in Vietnam, Volexity has also identified new targets in Vietnam's Southeast Asian neighbors.

IOCs

Domains (defanged):

thamcungbisu[.]org
baomoivietnam[.]com
baodachieu[.]com
nhansudaihoi13[.]org
tinmoivietnam[.]com
laostimenews[.]com
malaynews[.]org
kmernews[.]com
philiippinesnews[.]net
ledanvietnam[.]org
khmerleaks[.]com
khmer-livenews[.]com
hypepodscase[.]com
arbenha[.]com
gservice[.]reviews
summerevent.webhop[.]net
dance-til-dawn.podzone[.]net
andreagahuvrauvin[.]com
theme.blogwix[.]com
-client[.]com
gusercontent[.]com
serrvice[.]net
yhsetting[.]com
hmacount[.]com
fontloading[.]com
viewerservice[.]com

SHA-256:

cbca9a92a6aa067ff4cab8f1d34ec49ffc9a06c90881f48da369c973182ce06d
230ac0808fde525306d6e55d389849f67fc328968c433a5053d676d688032e6f
7fd58fa4c9f24114c08b3265d30be5aa8f6519ebd2310cc6956eda6c6e6f56f0

SHA-1:

b48e7a639d2e51e2ae2efdebb0723fe1f8dd84e6
a41b4d3e3b65ed66eb6ea41306031d9d37e06177
b0176c6e3e694be6f4073a1e845aff2c6ec9d6d6

MD5:

721254f41286717aa1cd9d7d652a9fa1
bd628b4f887070d9f014c3fb72859739
a7d7cde4a86089d58b254d23c026df8c
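The IOC list above is published in defanged form and mixes domains with hashes of three different lengths, so before it can be fed to a log search it has to be refanged, classified, and matched with some care: a listed domain should also catch its subdomains, but a listed dynamic-DNS hostname such as summerevent.webhop[.]net must not make every other tenant of that provider alert, and a truncated entry like -client[.]com must be rejected rather than turned into a bogus hostname. The following Python is an added example written for this page, not code from Volexity or from the report; it works on a subset of the IOCs above and on constructed DNS log lines and file hashes, and the three-column log format is an assumption.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Subset of the page's IOC list, copied verbatim in defanged form. The
# truncated "-client[.]com" entry is kept on purpose: a parser must reject
# it rather than refang it into a bogus hostname.
RAW_IOCS = """
thamcungbisu[.]org
baomoivietnam[.]com
kmernews[.]com
summerevent.webhop[.]net
-client[.]com
gusercontent[.]com
cbca9a92a6aa067ff4cab8f1d34ec49ffc9a06c90881f48da369c973182ce06d
b48e7a639d2e51e2ae2efdebb0723fe1f8dd84e6
721254f41286717aa1cd9d7d652a9fa1
"""

# Constructed DNS query log (not from the report), format "<ts> <client> <qname>".
SAMPLE_DNS_LOG = """
2020-11-06T08:12:01Z 10.0.4.21 www.example.com
2020-11-06T08:12:09Z 10.0.4.21 baomoivietnam.com
2020-11-06T08:13:44Z 10.0.4.37 static.gusercontent.com
2020-11-06T08:14:02Z 10.0.4.37 other.webhop.net
2020-11-06T08:15:30Z 10.0.4.50 summerevent.webhop.net.
"""

HASH_TYPES = {64: "sha256", 40: "sha1", 32: "md5"}
# RFC 1123 hostname: alphanumeric-bounded labels, alphabetic TLD.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(indicator: str) -> str:
    """Undo common defanging ("[.]", "(.)", "hxxp") and normalise case."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_iocs(raw: str) -> Tuple[Set[str], Dict[str, Set[str]], List[str]]:
    """Split a defanged IOC list into hostnames, hashes by type, and rejects."""
    hosts: Set[str] = set()
    hashes: Dict[str, Set[str]] = {t: set() for t in HASH_TYPES.values()}
    rejected: List[str] = []
    for line in raw.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        value = refang(line)
        if len(value) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", value):
            hashes[HASH_TYPES[len(value)]].add(value)
        elif HOST_RE.match(value):
            hosts.add(value)
        else:
            rejected.append(line.strip())  # e.g. the truncated "-client[.]com"
    return hosts, hashes, rejected


def host_matches(observed: str, hosts: Set[str]) -> Optional[str]:
    """Return the listed host covering `observed`: exact match or a listed parent.
    Subdomains of a listed domain hit; only listed names count, so listing the
    dynamic-DNS host summerevent.webhop.net does not alert on other webhop.net tenants."""
    labels = observed.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def scan_dns_log(log: str, hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matching IOC) for each hit in the log."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        ioc = host_matches(qname, hosts)
        if ioc:
            hits.append((client, qname.rstrip(".").lower(), ioc))
    return hits


def match_hashes(observed: Iterable[str], hashes: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Match file hashes of any supported length, case-insensitively."""
    out = []
    for h in observed:
        h = h.strip().lower()
        kind = HASH_TYPES.get(len(h))
        if kind and h in hashes[kind]:
            out.append((kind, h))
    return out


if __name__ == "__main__":
    hosts, hashes, rejected = parse_iocs(RAW_IOCS)
    print("rejected:", rejected)
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, hosts):
        print(f"DNS hit: {client} -> {qname} (IOC {ioc})")
    # Constructed observed hashes: a listed SHA-1 in upper case and an unrelated MD5.
    seen = ["B48E7A639D2E51E2AE2EFDEBB0723FE1F8DD84E6", "d41d8cd98f00b204e9800998ecf8427e"]
    print("hash hits:", match_hashes(seen, hashes))
```

Against the constructed log, the scan flags the direct query for baomoivietnam.com, the subdomain query static.gusercontent.com (covered by the listed parent gusercontent.com), and the trailing-dot FQDN summerevent.webhop.net., while other.webhop.net stays quiet because webhop.net itself is not an indicator. Hash type is inferred from hex length, which is why the list can be consumed without the report labelling each hash.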