Threat Actor Database
#84

APT32

APT
Also Known As: APT 32, APT-32, APT-C-00, ATK17, BISMUTH, Canvas Cyclone, Cobalt Kitty, G0050, Ocean Buffalo, Ocean Lotus, OceanLotus, OceanLotus Group, POND LOACH, Sea Lotus, SeaLotus, TIN WOODLAWN

APT32, also known by aliases such as OceanLotus and Canvas Cyclone, is a Vietnamese state-sponsored cyber espionage group that has been active since at least 2013, primarily conducting intelligence gathering, intellectual property theft, and surveillance operations. The group's activities are consistently aligned with Vietnamese national interests, targeting foreign corporations with investments in Vietnam, as well as foreign governments, political dissidents, and journalists, particularly within Southeast Asia. APT32 is characterized by its sophisticated and adaptable operational methodology, often combining a unique suite of custom-developed malware, like WINDSHIELD and KOMPROGO, with commercially available penetration testing tools such as Cobalt Strike and Mimikatz. This hybrid approach underscores a well-resourced development capability and a capacity to continuously evolve its tactics to evade detection, setting it apart through its persistent focus on strategically relevant targets and its adeptness at employing diverse attack vectors.

VN | Information theft and espionage | 0 victims | First seen: 2013-01-01 | Last seen: 2026-06-04

Target Countries

Australia; Bangladesh; China; Germany; Denmark; Indonesia; India; Iran, Islamic Republic of; Japan; Cambodia; Korea, Republic of; Myanmar; Malaysia; Netherlands; Nepal; Philippines; Singapore; Thailand; United States; Vietnam

Target Sectors

Manufacturing, Retail, Finance, HealthCare & Social Assistance, Public Administration, Electrical&Electronical Manufacturing, Telecommunications, National Security&International Affairs, Construction of Buildings, Other Information Services, Accommodation, Oil & Gas, Educational Services, Space & Defense, Insurance, Motor Vehicle Manufacturing, Computer Systems Design and Related Services, Advertising Agencies, Justice & Safety Activities, Accommodation&Food Services, Information Services, Computer Design & Services, Banking, Professional&Technical Services, Computer Systems Design Services

Associated Malware

win.ratsnif, WINDSHIELD, win.cuegoe, Mimikatz, win.metaljack, js.cactustorch, win.salgorea, OSX_OCEANLOTUS.D, elf.caja, win.strikesuit_gift, apk.phantomlance

Related CVEs

CVE-2023-52076, CVE-2023-38831, CVE-2023-36884, CVE-2022-47966, CVE-2022-42889, CVE-2022-42475, CVE-2022-41120, CVE-2022-26138, CVE-2022-24527, CVE-2021-44515, CVE-2021-4034, CVE-2021-35211, CVE-2021-34527, CVE-2021-33764, CVE-2021-2307, CVE-2021-22986, CVE-2021-22205, CVE-2021-21551, CVE-2021-1675, CVE-2020-14882

ATT&CK IDs

T1056, T1113 - Screen Capture, T1587 - Develop Capabilities, T1036, T1087, T1564.004, T1057 - Process Discovery, T1033, T1021 - Remote Services, T1560, T1573 - Encrypted Channel, T1170 - Mshta, T1547 - Boot or Logon Autostart Execution, T1046, T1574.001, T1036.005 - Match Legitimate Name or Location, T1218, T1008 - Fallback Channels, T1503 - Credentials from Web Browsers, T1195 - Supply Chain Compromise