Also Known as: OceanLotus Group

First known appearance: 2014

Threat Actors: Vietnamese government (suspected)

Targets: Foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors.

Objective: To gain advantage over global companies doing business in Vietnam.

Overview: Recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business, manufacturing or preparing to invest in the country. While the specific motivation for this activity remains opaque, it could ultimately erode the competitive advantage of targeted organizations.

In addition to targeting of the private sector, this activity represents a threat to civil society and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora could all be targeted. Although targeting of the military and defense industrial base has not yet been identified, the extension of APT32 capabilities in that direction should be anticipated.


Typical attack vectors: APT32 actors leverage ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file typically downloads multiple malicious payloads from a remote server. APT32 actors delivers the malicious attachments via spearphishing emails. Evidence has shown that some may have been sent via Gmail.

APT32 actors design multilingual lure files that contain malicious macros and are tailored to specific victims. These files are created by exporting Word documents into single file web pages. Although the files have “.doc” extensions, they are ActiveMime “.mht” web page archives that contain text, images and macros.