Vietnamese hacking group OceanLotus uses imitation news sites to spread malware

The latest findings come after Kaspersky uncovered an espionage effort involving the coronavirus pandemic.

Suspected Vietnamese government-linked hackers are behind a series of fake news websites and Facebook pages meant to target victims with malicious software, according to Volexity research published Friday.

The hackers, known as OceanLotus or APT32, historically have targeted companies that have business interests in Vietnam. In this case, the fake sites and Facebook pages, which were set up within the last year, were intended for targets in Vietnam and across Southeast Asia, according to Volexity researchers.

The attackers appear to have two aims. The first is to gather information about visitors to the fake media sites through a web profiling framework, which records details of each visitor's browser and system. The second, pursued only occasionally, is to deliver malware that logs the target's keystrokes.
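Visitor profiling of the kind described above is normally done from JavaScript served by the page, so a defender who has saved a copy of a suspect site can triage it by pulling out every script and looking for the browser APIs fingerprinting libraries depend on. The script below is an added illustration of that check; it is not Volexity's tooling and nothing in it is recovered from the OceanLotus sites. The sample HTML, the plugin path and the `/collect.php` endpoint are constructed for the example, and the indicator list is a starting point rather than a complete signature set.

```python
"""Flag browser-profiling scripts embedded in a saved copy of a suspect page.

Added example (not Volexity's code, not code from the fake sites). Uses
only the standard library so it runs offline on a page saved to disk.
The sample page and collector path below are constructed.
"""
import re
from html.parser import HTMLParser

# APIs an ordinary article page rarely needs but fingerprinters almost
# always touch. Keys are indicator names used in the report.
FINGERPRINT_INDICATORS = {
    "navigator_probe": re.compile(
        r"navigator\.(userAgent|plugins|mimeTypes|hardwareConcurrency|deviceMemory|languages?)"),
    "screen_probe": re.compile(r"screen\.(width|height|colorDepth|availWidth)"),
    "canvas_fp": re.compile(r"getContext\(\s*['\"](2d|webgl2?)['\"]\s*\)|toDataURL\("),
    "timezone_probe": re.compile(r"getTimezoneOffset\(|resolvedOptions\(\)\.timeZone"),
    # A profiler is only useful if it sends the result somewhere.
    "exfil": re.compile(r"(XMLHttpRequest|fetch\(|navigator\.sendBeacon\(|new Image\(\))"),
}


class ScriptExtractor(HTMLParser):
    """Collect inline <script> bodies and external script URLs."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def classify_script(js):
    """Return the set of indicator names that fire on one script body."""
    return {name for name, rx in FINGERPRINT_INDICATORS.items() if rx.search(js)}


def triage_page(html):
    """Report external script URLs and inline scripts that look like profilers.

    An inline script is flagged when it probes the environment in at least
    two distinct ways and also has a channel to send the result out.
    """
    parser = ScriptExtractor()
    parser.feed(html)
    flagged = []
    for idx, js in enumerate(parser.inline):
        hits = classify_script(js)
        probes = hits - {"exfil"}
        if len(probes) >= 2 and "exfil" in hits:
            flagged.append((idx, sorted(hits)))
    return {"external": parser.external, "inline_count": len(parser.inline), "flagged": flagged}


# Constructed sample: a cloned article with one benign inline script and one
# injected profiler that fingerprints the visitor and POSTs the result to a
# hypothetical collector path on the same site.
SAMPLE_PAGE = """<html><head><title>Tin tức trong ngày</title>
<script src="/wp-content/plugins/example-feed-importer/feed.js"></script>
<script>document.getElementById('date').textContent = new Date().toDateString();</script>
<script>
(function(){
  var c=document.createElement('canvas');var g=c.getContext('2d');
  g.fillText('fp',2,2);
  var d={ua:navigator.userAgent,pl:navigator.plugins.length,
          sw:screen.width,sh:screen.height,tz:new Date().getTimezoneOffset(),
          cv:c.toDataURL()};
  var x=new XMLHttpRequest();x.open('POST','/collect.php');x.send(JSON.stringify(d));
})();
</script></head><body><p>Cloned article text...</p></body></html>"""

if __name__ == "__main__":
    print(triage_page(SAMPLE_PAGE))
```

Run against the sample, the benign date script is left alone and the injected script is flagged with every probe indicator plus the exfil channel. External script URLs are listed rather than scored, since they have to be fetched and examined separately; in a real case those, and the collector endpoint, are what you would pivot on next.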

Earlier this year, Kaspersky researchers revealed that the group had been using the Google Play Store to distribute malware, suggesting it collects intelligence on both domestic and foreign targets. In April, as the coronavirus spread around the world, the same group sent malware-laden messages to the government of Wuhan, China, where the virus was first identified, in an apparent effort to track the Chinese government's coronavirus response, according to FireEye.


In this case, OceanLotus is suspected of sending victims links to its sites through spearphishing or social media messaging.

The fake sites themselves, which are still active, are not entirely malicious. Much of the content on the fake media pages is benign, covering news topics of interest in Vietnam and Southeast Asia, and does not include malicious redirects, Volexity researchers said in a blog post on the campaign.
Many of the fake pages, which Volexity recommends not visiting, are written in Vietnamese, but several are aimed at audiences that read English, Khmer, Lao, or Malay.

OceanLotus has used similar tactics before. Three years ago, the hackers set up realistic-looking activist and news sites that were used to target victims in human rights circles, the media, and people connected to the Association of Southeast Asian Nations, according to earlier Volexity research. Some of those sites also had corresponding Facebook pages.

The campaign adds to a growing body of research showing the suspected Vietnamese government-linked hackers steadily refining their targeting approach, researchers say.

“OceanLotus has continued to evolve the ways in which it seeks to target individuals outside of spear phishing and leveraging compromised websites,” Volexity researchers write in the blog. “This level of effort shows that OceanLotus will go to great lengths to extend its reach and find new ways to compromise individuals and organizations it has set its focus on.”


When targets land on the sites, they see content designed to make the site look trustworthy, such as custom logos and slogans presenting the fake outlet as a "reliable" news source. The articles themselves appear to be cribbed from legitimate news sites, apparently scraped automatically with WordPress plugins.

Cobalt Strike is a commercial penetration testing framework whose Beacon implant includes a keystroke logger among its post-exploitation features, which is one way an attacker with a foothold on a machine can capture what a user types.

Written by Shannon Vavra