APT32
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
Related entities
- 3 reports, 103 attack patterns (MITRE), 18 malware, 5 sectors, 1 country, 100 indicators, 3 vulnerabilities (CVE), 5 tools
Aliases
SeaLotus, APT-C-00, Canvas Cyclone, BISMUTH, OceanLotus
Description
Marking (TLP)
TLP:CLEAR. Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (3)
- 1 CVE, 16 MITRE attack patterns, 5 malware, 16 observables, 1 APT
- AlienVault (confidence 100), threat report: 16 MITRE attack patterns, 1 malware, 10 IOCs, 10 observables, 1 APT
- 17 MITRE attack patterns, 1 malware, 1 APT
Attack patterns (MITRE) (103)
- Command Obfuscation (uses)
Malware (18)
- ZiChatBot (uses) [family]
- OSX_OCEANLOTUS.D (uses)
- SOUNDBITE, S0157 (uses) [family]
- Tromas (uses) [family]
- PHOREAL, S0158 (uses); source: AlienVault, confidence 100
- KOMPROGO (uses)
- SPECTRALVIPER (uses) [family]
- WINDSHIELD, S0155 (uses) [family]
- Denis, S0354 (uses) [family]
- Cobalt Strike (uses) [family]
- Kerrdown (uses)
- RotaJakiro (uses)
Sectors (5)
- Government (targets)
- Construction (targets)
- Technology (targets)
- Transportation (targets)
- Finance (targets)
Countries (1)
- China (targets)
Indicators (100)
- tsworthoa.com (indicates)
- cdn-ampproject.com (indicates)
- tips-renew.webhop.info (indicates)
- 10cm.mypets.ws (indicates)
- s-adroll.com (indicates); STIX, confidence 100/100, valid until 06/11/2026, source: AlienVault
- daichungvienvinhthanh.com (indicates); STIX, confidence 100/100, valid until 06/11/2026, source: AlienVault
- (indicator value missing); STIX, confidence 100/100, valid until 12/08/2026, source: AlienVault
- (indicator value missing); STIX, confidence 100/100, valid until 10/07/2026, source: AlienVault
- keoucha.com (indicates)
- ad-appier.com (indicates)
- confusion-cerulean-samba.glitch.me (indicates)
- metacachecdn.com (indicates); STIX, confidence 100/100, valid until 06/11/2026, source: AlienVault
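The domain indicators above carry validity windows (the "valid until" dates) and should match on subdomains as well as on the exact name. The following is an added example, not code from the page, from MITRE or from AlienVault: it loads the domains shown on this page with their dd/mm/yyyy validity dates, scans constructed DNS query log lines, matches exact names and subdomains case-insensitively (undoing defanging such as `example[.]com`), and labels hits from an expired indicator as `expired` instead of either dropping or promoting them. The log format, the sample client addresses and the `today` value are assumptions for the demonstration.

```python
"""Match DNS query logs against the domain indicators listed on this page.

Added example, not part of the original page. Indicator domains and their
'valid until' dates are copied from the page; the DNS log lines below are
constructed for the demonstration and are not real traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime

# Indicators from the page. valid_until uses the page's dd/mm/yyyy format;
# None means the page shows no validity window for that entry.
INDICATORS: dict[str, str | None] = {
    "tsworthoa.com": None,
    "cdn-ampproject.com": None,
    "tips-renew.webhop.info": None,
    "10cm.mypets.ws": None,
    "s-adroll.com": "06/11/2026",
    "daichungvienvinhthanh.com": "06/11/2026",
    "keoucha.com": None,
    "ad-appier.com": None,
    "confusion-cerulean-samba.glitch.me": None,
    "metacachecdn.com": "06/11/2026",
}


def parse_valid_until(s: str | None) -> date | None:
    """Parse the page's dd/mm/yyyy date, or return None when no window is given."""
    return datetime.strptime(s, "%d/%m/%Y").date() if s else None


def normalize(domain: str) -> str:
    # Lower-case, drop a trailing dot (resolver logs often write FQDNs with one),
    # and undo '[.]' defanging so pasted indicators compare equal to live queries.
    return domain.strip().lower().rstrip(".").replace("[.]", ".")


def match_indicator(qname: str) -> str | None:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Walks from the full name toward the TLD, so the most specific indicator
    wins if several overlap; the bare TLD itself is never tested.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    indicator: str
    status: str  # 'active' or 'expired'


def scan_dns_log(lines: list[str], today: date) -> list[Hit]:
    """Scan 'timestamp client qname' lines and return every indicator hit."""
    hits: list[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the whole sweep
        _ts, client, qname = parts[0], parts[1], parts[2]
        ind = match_indicator(qname)
        if ind is None:
            continue
        until = parse_valid_until(INDICATORS[ind])
        status = "expired" if until is not None and today > until else "active"
        hits.append(Hit(client, normalize(qname), ind, status))
    return hits


# Constructed sample log (assumed format): timestamp, client IP, queried name.
SAMPLE_LOG = [
    "2026-01-10T08:00:01Z 10.0.0.5 www.example.com.",
    "2026-01-10T08:00:02Z 10.0.0.5 cdn.s-adroll.com.",      # subdomain of an indicator
    "2026-01-10T08:00:03Z 10.0.0.7 cdn.ampproject.org.",    # different domain, must not hit
    "2026-01-10T08:00:04Z 10.0.0.7 CDN-AMPPROJECT.COM",     # case-insensitive exact hit
    "2026-01-10T08:00:05Z 10.0.0.9 metacachecdn[.]com",     # defanged form from a ticket paste
    "garbage line",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG, today=date(2026, 1, 10)):
        print(f"{h.client} -> {h.qname} matches {h.indicator} ({h.status})")
```

Expired indicators are kept visible on purpose: the infrastructure may have been re-registered by an unrelated party, so a hit after the validity date is a lead to re-check the indicator, not an automatic alert.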
Vulnerabilities (CVE) (3)
- Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related …
  - Published: 03/11/2021
  - Modified: 20/12/2025
- F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with …
  - Published: 03/11/2021
  - Modified: 20/12/2025
- Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
  - Attack vector: Local
  - Complexity: Low
  - Published: 15/11/2017
  - Modified: 29/05/2026
Tool (5)
- Arp (uses); source: The MITRE Corporation, confidence 100
  [Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)
- ipconfig (uses); source: The MITRE Corporation, confidence 100
  [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)
- Net (uses); source: The MITRE Corporation, confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Mimikatz (uses); source: The MITRE Corporation, confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- netsh (uses); source: The MITRE Corporation, confidence 100
  [netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)
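Four of the five tools listed are built-in Windows utilities that administrators also run every day, so a useful hunt keys on the burst rather than on any single execution: several distinct discovery utilities spawned by one parent process on one host inside a short window. Mimikatz is the exception, since the binary is routinely renamed and is better caught on its `module::command` syntax. The following is an added example, not code from the page or from MITRE; the pipe-delimited event format, the five-minute window, the three-tool threshold, the inclusion of `net1.exe` (the helper that `net.exe` hands off to) and all sample events are assumptions constructed for the demonstration, and nothing here is presented as an APT32 command sequence.

```python
"""Hunt for a discovery-tool burst and Mimikatz command lines in process events.

Added example, not from the page or from MITRE. The page only states that the
intrusion set uses arp, ipconfig, net, netsh and Mimikatz; the thresholds,
event format and sample events below are assumptions for illustration. Input
records mimic Windows Security 4688 / Sysmon event 1 process-creation data.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Built-in utilities from the page's tool list. net1.exe is added because
# net.exe delegates most sub-commands to it (assumed relevant, not on the page).
DISCOVERY_TOOLS = {"arp.exe", "ipconfig.exe", "net.exe", "net1.exe", "netsh.exe"}

# Mimikatz module prefixes that survive renaming of the executable.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::")

WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_DISTINCT = 3                # assumed: >= 3 distinct discovery tools per parent


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    parent: str   # parent process image name, lower-cased
    image: str    # new process image path, lower-cased
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse the constructed 'ts|host|parent|image|cmdline' format."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, parent.lower(), image.lower(), cmdline)


def find_discovery_bursts(events: list[Event]) -> list[tuple[str, str, set[str]]]:
    """Return (host, parent, tools) where >= MIN_DISTINCT tools ran within WINDOW."""
    by_parent: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:
        # ntpath handles Windows backslash paths even when this runs on Linux.
        if ntpath.basename(e.image) in DISCOVERY_TOOLS:
            by_parent[(e.host, e.parent)].append(e)
    findings = []
    for (host, parent), evs in by_parent.items():
        evs.sort(key=lambda e: e.ts)
        # Sliding window anchored at each event; one finding per (host, parent).
        for i, start in enumerate(evs):
            tools = {ntpath.basename(e.image) for e in evs[i:] if e.ts - start.ts <= WINDOW}
            if len(tools) >= MIN_DISTINCT:
                findings.append((host, parent, tools))
                break
    return findings


def find_mimikatz_cmdlines(events: list[Event]) -> list[Event]:
    """Flag Mimikatz module syntax in the command line, whatever the image is named."""
    return [e for e in events if any(m in e.cmdline.lower() for m in MIMIKATZ_MARKERS)]


# Constructed sample events (not real telemetry): ts|host|parent|image|cmdline
SAMPLE_LOG = [
    "2026-01-12T09:00:00|WS01|cmd.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    "2026-01-12T09:00:20|WS01|cmd.exe|C:\\Windows\\System32\\arp.exe|arp -a",
    "2026-01-12T09:00:45|WS01|cmd.exe|C:\\Windows\\System32\\net.exe|net view /domain",
    "2026-01-12T09:01:10|WS01|cmd.exe|C:\\Windows\\System32\\netsh.exe|netsh advfirewall show allprofiles",
    "2026-01-12T09:30:00|WS01|cmd.exe|C:\\Users\\Public\\svc.exe|svc.exe privilege::debug sekurlsa::logonpasswords exit",
    "2026-01-12T14:00:00|WS02|explorer.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /flushdns",
    "2026-01-12T17:30:00|WS02|explorer.exe|C:\\Windows\\System32\\net.exe|net use",
]

if __name__ == "__main__":
    evs = [parse_event(l) for l in SAMPLE_LOG]
    for host, parent, tools in find_discovery_bursts(evs):
        print(f"[burst] {host} parent={parent} tools={sorted(tools)}")
    for e in find_mimikatz_cmdlines(evs):
        print(f"[mimikatz-syntax] {e.host} {e.image}: {e.cmdline}")
```

WS02 runs two of the utilities hours apart under explorer.exe and stays quiet; WS01 runs four under one cmd.exe in seventy seconds and is reported, as is the renamed binary on WS01 whose command line carries Mimikatz module syntax.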