Discover and read the best of Twitter Threads about #OceanLotus

Facebook’s @ngleicher was right about linking #APT32 to CyberOne, and here is why:
As per Group-IB #ThreatIntelligence & #Attribution, the domain cbo[.]group had the IP 45[.]61[.]136[.]214 in its A-record. On this IP address, we detected a unique SSH fingerprint, 4b390f0b7125c0d01fe938eb57d24051.
According to Group-IB Graph Network Analysis, this fingerprint was also seen on 30 other hosts, including 45[.]61[.]136[.]166 and 45[.]61[.]136[.]65. Both were used to deploy a uniquely configured #CobaltStrike framework, used exclusively by #APT32 aka #OceanLotus.
All the listed IPs belong to the autonomous network AS53667, within the range 45[.]61[.]128[.]0 to 45[.]61[.]191[.]255. We've also seen #APT32 hosting #CobaltStrike on 45[.]61[.]139[.]211, which was indicated in the A-record of feeder[.]blogdns[.]com.
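The thread pivots on an SSH host-key fingerprint: the 32-hex-character value is the MD5 digest of the host's public key blob, the same value `ssh-keygen -l -E md5` prints (with colons). Below is an added example, not code from the thread or from Group-IB, showing both halves of that workflow: deriving the MD5 fingerprint from a public key line in SSH wire format, then pivoting over a table of host-to-fingerprint observations and filtering the hits to a network range. The key material is constructed (a placeholder 32-byte ed25519 key, not any real host key), the observation table is constructed for illustration using the IPs and fingerprint quoted in the thread plus one hypothetical out-of-range host (203.0.113.5, from the documentation range), and the AS53667 range is represented as 45.61.128.0/18, which is the prefix covering 45.61.128.0 to 45.61.191.255.

```python
import base64
import hashlib
import ipaddress
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_ed25519_pubkey_line(raw32: bytes, comment: str = "host") -> str:
    """Serialize a 32-byte ed25519 public key the way it appears in a host key file:
    '<type> <base64(wire blob)> <comment>', where the blob is string(type) || string(key)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def _blob_from_line(pubkey_line: str) -> bytes:
    # Field 1 is the key type, field 2 the base64 wire blob; the comment is optional.
    return base64.b64decode(pubkey_line.split()[1])


def key_type_of_line(pubkey_line: str) -> str:
    """Read the key type from the wire blob itself (first RFC 4251 string), not the text label."""
    blob = _blob_from_line(pubkey_line)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def fingerprint_md5(pubkey_line: str) -> str:
    """MD5 over the raw wire blob, hex without separators: the form quoted in the thread."""
    return hashlib.md5(_blob_from_line(pubkey_line)).hexdigest()


def fingerprint_md5_colon(pubkey_line: str) -> str:
    """Same digest in the 'MD5:aa:bb:...' layout that ssh-keygen -l -E md5 prints."""
    h = fingerprint_md5(pubkey_line)
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))


# Constructed placeholder key (bytes 0..31), NOT a real host key; used only to exercise the code.
SAMPLE_KEY_LINE = build_ed25519_pubkey_line(bytes(range(32)), "constructed-example")

# Constructed observation table: IP -> MD5 host-key fingerprint as seen by a scanner.
# The 45.61.x.x hosts and the first fingerprint are the ones quoted in the thread;
# 203.0.113.5 is a hypothetical host sharing the key but outside the AS53667 range,
# and the second fingerprint is a made-up value for a host with a different key.
HOST_KEY_OBSERVATIONS = {
    "45.61.136.214": "4b390f0b7125c0d01fe938eb57d24051",
    "45.61.136.166": "4b390f0b7125c0d01fe938eb57d24051",
    "45.61.136.65":  "4b390f0b7125c0d01fe938eb57d24051",
    "203.0.113.5":   "4b390f0b7125c0d01fe938eb57d24051",
    "45.61.139.211": "00000000000000000000000000000000",  # placeholder, different key
}

# Assumption: the thread's range 45.61.128.0-45.61.191.255 expressed as a CIDR prefix.
AS53667_RANGE = "45.61.128.0/18"


def pivot_on_fingerprint(observations: dict, seed_ip: str) -> list:
    """Return every other host that presented the same host-key fingerprint as seed_ip,
    sorted numerically by address."""
    fp = observations[seed_ip]
    hits = [ip for ip, f in observations.items() if f == fp and ip != seed_ip]
    return sorted(hits, key=ipaddress.ip_address)


def filter_prefix(ips: list, prefix: str) -> list:
    """Keep only addresses inside the given network (e.g. an AS's announced range)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return [ip for ip in ips if ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    print(key_type_of_line(SAMPLE_KEY_LINE), fingerprint_md5_colon(SAMPLE_KEY_LINE))
    linked = pivot_on_fingerprint(HOST_KEY_OBSERVATIONS, "45.61.136.214")
    print("same key:", linked)
    print("same key, inside AS range:", filter_prefix(linked, AS53667_RANGE))
```

One caveat when reading a pivot like this: a host key shared across many servers is only a strong link if the key is not a default baked into a cloud or VPS image, since cloned images can leave identical keys on unrelated tenants. A sensible check is to compare the number of hosts carrying the fingerprint against how widespread it is across the provider as a whole, and to confirm that the matched hosts share something beyond the key, as the thread does with the Cobalt Strike configuration.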
