
Analyzing OceanLotus (APT32): Indicators of State Association

May 20, 2025

Author:

Richie Doan

The OceanLotus group, also known as APT32, is a cyber espionage actor that has conducted intrusion and surveillance campaigns since at least 2013 (Carr 2017). One of its earliest documented operations was captured by the digital rights organization Electronic Frontier Foundation (EFF), after staff members received phishing emails carrying malware that was traced back to the group (Galperin and Marquis-Boire 2014). In January 2025, the threat intelligence company ThreatBook reported that Chinese cybersecurity researchers were targeted in an intrusion campaign whose attack patterns matched previous APT32 activity (ThreatBook CTI 2025). While APT32's tactics, techniques, and procedures (TTPs) have been extensively documented (Carr 2017, MITRE 2024), the group's motivations for its specific targeting have remained nebulous.

Analyzing APT32's attacks and targets strongly indicates that the group is a Vietnamese state-sponsored actor. First, its targeting of political dissidents since 2013 aligns with the Vietnamese government's proclivity to control the press and suppress political rivals. Second, the group's campaigns against foreign enterprises and agencies demonstrate a level of sophistication and scale that points to state backing. Finally, its targeting of foreign government officials aligns with the Vietnamese government's geopolitical priorities.

Targeting of Political Dissidents

The first link that suggests a strong association between APT32 and the Vietnamese government lies in the group's consistent targeting of political dissidents. APT32 was reported to have conducted surveillance on Vietnamese political activists between 2018 and 2020 (Amnesty International 2021). Malware analysis revealed that the group was behind the targeting of both individuals and organizations. The individuals included Bui Thanh Hieu, a Vietnamese pro-democracy blogger living in Germany, as well as another blogger who asked to remain anonymous. The organization Vietnamese Overseas Initiative for Conscience Empowerment (VOICE) was also targeted. Victims were sent a phishing email asking them to review an attached document (Amnesty International 2021). Once the attachment was opened, it downloaded additional tooling that gave APT32 remote access to monitor the victim's computer and read sensitive files (MITRE 2024). The breadth of this targeting demonstrates the group's ability to coordinate operations against multiple political adversaries at once.

These targeted attacks indicate a strong alignment with Vietnamese state interests, as the victim selection mirrors Vietnam's history of suppressing political dissidents. Bui is known for blog posts criticizing the Vietnamese government's conduct in the South China Sea dispute (Amnesty International 2021). In 2009, police arrested Bui and charged him with "conducting propaganda against the Socialist Republic of Vietnam" under Article 88 of Vietnam's 1999 Penal Code (Amnesty International 2009, Vietnam Penal Code 1999). He was released after 10 days of detention but was temporarily detained again in 2013 (Amnesty International 2021). The Vietnamese government's persistence in surveilling and suppressing dissidents is underscored by the fact that, as of 2023, 187 activists were known to be in prison (Project88 2023). The Vietnamese government thus has a demonstrated motivation to monitor and suppress free speech, and the overlap between its targets and APT32's suggests a strong political association between the two actors.

Targeting of Enterprises and Agencies

The second link that suggests the group is associated with the Vietnamese government is the complexity and scale of its campaigns. In 2017, the security company Cybereason published a report detailing a data exfiltration campaign carried out by APT32 against a global corporation headquartered in Asia (Dahan 2017a). Cybereason's analysts found that more than 40 computers were infected and that the company had been compromised for more than a year. They also found that APT32 used publicly available penetration-testing tools such as Mimikatz and customized them to evade antivirus detection (Dahan 2017a). Furthermore, the group employed previously undocumented techniques to establish backdoor access to victim machines (Dahan 2017b). The combination of modifying public tooling and developing bespoke implants suggests that APT32 has the technical capability expected of an organization backed by a state.

In a separate 2017 threat intelligence report, Volexity attributed to the group a mass digital surveillance campaign targeting agencies and organizations across Southeast Asia (Lassalle, Koessel, and Adair 2017). Like Cybereason, Volexity reported customized versions of commercial penetration-testing tools such as Cobalt Strike. At least 100 websites across Southeast Asia, spanning the government, military, and commercial sectors, were compromised as part of this campaign (Lassalle, Koessel, and Adair 2017). The websites were modified so that visitors could be profiled and tracked by the group, and selected individuals of interest were then subjected to follow-up phishing attempts. That the campaigns reported by Cybereason and Volexity ran concurrently demonstrates that APT32 is operationally mature. Together, these two campaigns suggest that APT32 is not only aligned in interests with the Vietnamese government but also has the technical capacity consistent with being supported by it.

Targeting of Government Officials

The last link that suggests the group is associated with the Vietnamese government is its targeting of foreign government officials. In May 2017, files containing a private conversation between Philippine President Rodrigo Duterte and U.S. President Donald Trump surfaced on a public malware-scanning platform (Bing 2017). Other classified documents were exposed as well, including a conversation between Duterte and Chinese President Xi Jinping and internal documents produced by the Philippine National Security Council (Bing 2017). The attack was attributed to APT32 after forensic analysis found that the lure documents bore hallmarks traceable to the group's earlier campaigns (Bing 2017).

The conversation between Duterte and Trump did not contain anything that immediately illuminated APT32's motivations; it primarily concerned Duterte's assessment of nuclear testing on the Korean Peninsula (Otto 2017b). Similarly, the document on the Duterte and Xi Jinping call only covered talking points for a prospective meeting (Otto 2017a). These leaks indicate that APT32 is interested not only in political dissidents and foreign enterprises but also in high-profile political figures. APT32's record of targeting government officials demonstrates that it is motivated to serve the national interests of the Vietnamese government. Bryce Boland of the cybersecurity firm FireEye noted that it is fully plausible that APT32 was "understanding how the organizations within the [Philippine] government operate in order to be better prepared in case of potentially military conflict" (Reuters Staff 2017).

The Challenge of Attribution

With no universally accepted legal framework for attributing cyber operations to states and holding them accountable, countries may never be formally held responsible for cyberattacks. Even in the case of the 2014 Sony Pictures attack, which the FBI formally attributed to the North Korean government (FBI 2014), North Korean officials denied the accusation and instead retorted that the U.S. was imposing its imperial agenda (KCNA 2014). It is therefore vital for threat intelligence analysts to synthesize evidence on threat actors so that defenders can form a common operating picture of the threat landscape.

The APT32/OceanLotus group's activities since at least 2013 have demonstrated consistent alignment with Vietnamese state interests. The growth in the scale and complexity of its operations suggests that APT32 should be classified as a nation-state actor in the modern threat landscape and distinguished from hacktivists and financially motivated cybercriminals. With that classification, threat intelligence analysts and incident responders can better ascertain the motivations behind APT32's operations, anticipate the group's next moves, and safeguard systems and processes against its future attacks.

Sources

Amnesty International. 2009. “Viet Nam Should Release Peaceful Critics.” Amnesty International. https://www.amnesty.org/en/wp-content/uploads/2021/07/asa410052009en.pdf.

———. 2021. “Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks.” Amnesty International. February 24, 2021. https://www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/.

Bing, Chris. 2017. “A Stolen Trump-Duterte Transcript Appears to Be Just One Part of a Larger Hacking Story.” CyberScoop. May 31, 2017. https://cyberscoop.com/apt-32-trump-duterte-hacking-xi-jinping-vietnam/.

Carr, Nick. 2017. “Cyber Espionage Is Alive and Well: APT32 and the Threat to Global Corporations.” Google Cloud Blog. Google Cloud. May 14, 2017. https://cloud.google.com/blog/topics/threat-intelligence/cyber-espionage-apt32/.

Dahan, Assaf. 2017a. “Operation Cobalt Kitty: A Large-Scale APT in Asia Carried out by the OceanLotus Group.” Cybereason.com. 2017. https://www.cybereason.com/blog/operation-cobalt-kitty-apt.

———. 2017b. “Operation Cobalt Kitty: Threat Actor Profile & Indicators of Compromise.” Cybereason.com. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part3.pdf.

Galperin, Eva, and Morgan Marquis-Boire. 2014. “Vietnamese Malware Gets Very Personal.” Electronic Frontier Foundation. January 19, 2014. https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal.

KCNA. 2014. "Spokesman of Policy Department of NDC Blasts S. Korean Authorities' False Rumor about DPRK." KCNA Watch. July 12, 2014. https://kcnawatch.org/newstream/1451896532-387188787/spokesman-of-policy-department-of-ndc-blasts-s-k/.

Lassalle, Dave, Sean Koessel, and Steven Adair. 2017. “OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society.” Volexity. November 6, 2017. https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/.

MITRE. 2024. “APT32.” Mitre.org. 2024. https://attack.mitre.org/groups/G0050/.

Otto, Greg. 2017a. "Telephone Call between the President and Chinese President Xi Jinping on 03 May 2017." Documentcloud.org. 2017. https://embed.documentcloud.org/documents/3761792-XiDuterte/?embed=1.

———. 2017b. “Phone Call of the President with the POTUS.” Documentcloud.org. May 31, 2017. https://www.documentcloud.org/documents/3761793-TrumpDuterte/.

Project88. 2023. “Database of Persecuted Activists in Vietnam.” Project88. June 19, 2023. https://the88project.org/database/.

Reuters Staff. 2017. “Vietnam-Linked Hackers Likely Targeting Philippines over South China Sea Dispute: FireEye.” Reuters. May 25, 2017. https://www.reuters.com/article/us-cyber-philippines-southchinasea-idUSKBN18L1MR/.

ThreatBook CTI. 2025. "APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises." ThreatBook. January 8, 2025. https://threatbook.io/blog/APT32-Poisoning-GitHub,-Targeting-Chinese-Cybersecurity-Professionals-and-Specific-Large-Enterprises.

Vietnam. 1999. Penal Code. No. 15/1999/QH10, enacted December 21, 1999. English translation. United Nations Office on Drugs and Crime. Accessed April 13, 2025. https://sherloc.unodc.org/cld/uploads/res/document/vnm/penal-code_html/Vietnam_Penal_Code_1999.pdf.