A recent report from Qianxin details the sophisticated cyber-espionage tactics employed by the New OceanLotus group. Active intermittently since mid-2022, the group re-emerged in November 2024, targeting critical sectors such as military, energy, and aerospace industries across East Asia, Central Asia, and Africa.
The report highlights that the New OceanLotus group demonstrated a higher level of offensive capability than its predecessor, leveraging multiple zero-day vulnerabilities to infiltrate supply chains. The group’s attack vectors included targeting specific terminals within intranets via malicious updates, in-memory techniques such as process hollowing, and advanced encryption.
One striking detail involves their manipulation of Cobalt Strike, a widely abused penetration testing tool. According to the report, “After the Trojan runs, it will automatically save the current screenshot in PNG format and send it to the C2 server.” This tactic allowed attackers to capture sensitive information from victim machines.

The New OceanLotus deployed memory-resident plugins to execute their campaigns with precision. Key tools included:
- Filename Collection Plugin: This shellcode scans victim devices for sensitive files, encrypts the data using AES-128, and stores it in disguised XML files for later exfiltration.
- Pipeline Trojan: A memory-resident module designed for data transfer and lateral movement, leveraging weak SSH credentials to access intranet servers.
- Dual-Platform Trojan: This advanced malware targets both Windows and Linux environments, exemplifying the group’s ability to infiltrate diverse systems.
The report notes, “The new OceanLotus group uses this special trojan to execute the CMD command to add the root certificate ‘certutil -addstore "ROOT" client.cer’. After adding, it chooses to land the DLL on the disk. At this time, the DLL is digitally signed and used for EDR-free killing.”
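The sequence the report describes, a certificate added to the ROOT store followed by a signed DLL landing on disk, is observable in endpoint telemetry. The following detection logic is an added example, not code from the report or from Qianxin; it assumes Sysmon-like process-creation and file-create events already normalized into dicts, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Stores that shape certificate chain trust; additions here deserve scrutiny.
TRUST_STORES = {"root", "authroot", "ca", "trustedpublisher"}

# certutil [-f] -addstore [-f] [-user] [-enterprise] <store> <file>; quotes optional
ADDSTORE_RE = re.compile(
    r"certutil(?:\.exe)?\s+(?:-\w+\s+)*-addstore\s+(?:-\w+\s+)*"
    r"[\"'“”]?(?P<store>\w+)[\"'“”]?\s+(?P<file>\S+)", re.IGNORECASE)

def parse_addstore(cmd):
    """Return (STORE, cert_file) when cmd adds a certificate to a trust store, else None."""
    m = ADDSTORE_RE.search(cmd)
    if not m or m.group("store").lower() not in TRUST_STORES:
        return None
    return m.group("store").upper(), m.group("file")

def analyze(events, window=timedelta(minutes=15)):
    """Alert on trust-store additions; 'high' if a DLL lands on the same host within window."""
    alerts = []
    for i, ev in enumerate(events):
        hit = ev["kind"] == "process" and parse_addstore(ev["cmd"])
        if not hit:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        dlls = [e["path"] for e in events[i + 1:]
                if e["kind"] == "file" and e["host"] == ev["host"]
                and e["path"].lower().endswith(".dll")
                and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        alerts.append({"host": ev["host"], "store": hit[0], "cert": hit[1],
                       "dlls": dlls, "severity": "high" if dlls else "medium"})
    return alerts

# Constructed Sysmon-like telemetry; not taken from the report.
SAMPLE_EVENTS = [
    {"ts": "2024-11-12T09:00:01", "host": "WS01", "kind": "process",
     "cmd": 'certutil -addstore "ROOT" client.cer'},
    {"ts": "2024-11-12T09:00:07", "host": "WS01", "kind": "file",
     "path": r"C:\ProgramData\update\netsvc.dll"},
    {"ts": "2024-11-12T09:03:00", "host": "WS02", "kind": "process",
     "cmd": "certutil.exe -f -addstore -user CA corp-issuing.cer"},
    {"ts": "2024-11-12T09:05:00", "host": "WS03", "kind": "process",
     "cmd": "certutil -addstore My user.cer"},  # personal store, not a trust anchor
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In production the second stage would also check the dropped DLL's signer against the freshly added certificate, which the sample events do not carry.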
The New OceanLotus group’s operations were reportedly concentrated on collecting intelligence related to energy and military deployments in regions of geopolitical interest, including East Asia and Africa. The report states that the group “massively spied on China’s projects in the fields of energy and military industry in Central Asia, the Middle East, North Asia, and Africa during the period of 2023-2024 and deployment, the victim terminal even contains a list of personnel dispatched outside the country.”
Interestingly, the group’s reactivation in November 2024 coincided with a cybersecurity cooperation agreement between a Southeast Asian country and an external power, suggesting potential state sponsorship.