Ocean Lotus
| Primary URL | Location | Industry |
|---|---|---|
| Undetermined | Country: Viet Nam | Government - National |
Profile
Ocean Lotus, also known as APT32, is a Vietnam‑based threat group that specializes in digital surveillance and exploitation operations. The group focuses on infiltrating government entities, military organizations, human rights advocates, civil society groups, and media outlets across multiple Asian nations and the broader ASEAN region. Its activities involve the creation of malicious infrastructure that mimics legitimate services such as Google and Facebook to lure targets. Ocean Lotus employs whitelists for precise targeting, JavaScript‑based social engineering tactics, and custom Google Apps designed to hijack Gmail accounts. These methods enable the group to conduct large‑scale credential theft and maintain persistent access to compromised networks.
The group’s operational scale is evidenced by the compromise of over 100 websites used to host its malicious infrastructure. Ocean Lotus leverages a distributed hosting architecture, spoofed domains, and Let’s Encrypt certificates to obscure its activities and evade detection. It has been observed deploying exclusive backdoors, including Cobalt Strike, to exfiltrate sensitive communications and build detailed profiles of its victims. The group’s headquarters are located in Viet Nam, and its technical sophistication reflects a notable competency in combining web‑based deception with advanced persistence mechanisms. No explicit information about ownership, parent, or subsidiary relationships is provided in the source material.
