Nation-State Hackers caught hiding cyber espionage activities behind Crypto Miners

December 15, 2020
hackers cryptominers crypto miners currency OceanLotus APT32 cyber espionage reconnaissance

Bismuth adversaries that are often allegedly linked to OceanLotus or APT32 again resurfaced after the cybersecurity experts connected them to recent unravelled intrusion happened to different organization in France and Vietnam. The group has been known since 2012, is used primarily for cyber espionage of a well-known country for intel gathering.

With the usual approach, cybersecurity experts confirmed that the perpetrators are sending a phishing email to a targeted individual of the company. Using appealing subjects, they were able to persuade the victim to open the attachments that contain the malicious application. Evidence on the report shows established correspondence between adversary and targeted individual with more enticing content that baits the victim. The application will immediately execute a reconnaissance operation to develop a command and control gateway to the adversaries and then further perform a side loading delivery of the arsenal application to the victims’ network to ensure the resiliency of the whole process.

Further in their ingenious plan includes replacing legitimate application on system program with compromise copy that is susceptible to infection of their malware. In-depth analysis of the current attack believes it to be more lethal and silent as the attackers were able to camouflage the cyber espionage operation through cryptocurrency activity. Hence, the more it is difficult for security experts to be able to detect intrusion and activity within the network.

Hiding onto this application is indeed a great idea as this can fool even the latest security software since either they skip it from monitoring since such system program is believed either to be authorized or whitelisted by the administrator. Besides, crypto currency, though mostly connotes to be linked and exploited by many adversaries for its untraceable operation, innocent individuals are hooked onto it as they see it as an investment.


Unknowingly, they are being used for different malicious activity like cyber espionage as a carrier of these threat actors to propagate compromised applications onto the targeted company.


This report was published to provide additional awareness to the greater cyber community, especially to security and system administrators as this newly unravelled operation is a significant threat to many countries and organizations. The public is warned to always (1)scrutinize and be suspicious of emails that came from an unknown sender. (2)Thorough and rigid checks must be done before opening any attachments that these suspicious emails or better yet ignore and immediately delete them. (3)A random security check is also advisable as an adversary also includes checking for security run on the network to avoid detection and ensure all malicious arsenals are inactive during a scheduled task. (4)Limiting access to common users for installing or downloading software that is from the internet and also checking event logger for privilege users for any suspicious activity to be part of monitoring to check if the access has been compromised. (5) Lastly, ensure all applications are up to date and uses the latest security patches as these can secure known and unknown vulnerability of the software.

About the author

Leave a Reply