OceanLotus – Spreading malware via fake news websites

November 18, 2020
oceanlotus fake news websites malware APT32

According to a security research paper published recently, the suspected government-backed hacking group OceanLotus is the culprit of a malware campaign responsible for fake news websites and social media Facebook pages that target malicious software victims.

The hackers behind OceanLotus, aka APT32, have previously targeted foreign companies with business interests and transactions with Vietnam. In this case, the bogus websites and Facebook pages that were set up last year seem to have been targeting people in Vietnam and Southeast Asia, according to the research report.

On further analysis, the attackers seem to have two goals on their cyber-attack campaign. One is to gather data about the fake social media pages’ visitors via a web profiling framework. Another is to deploy malwares on the victim’s devices that are meant to log the user’s keystrokes.

Earlier, cybersecurity researchers revealed that the hackers have been using Google Play Store to distribute malware, impressing that both local domestic and foreign intelligence collection is one of the malware campaigns goals. Last April, right when the COVID19 pandemic is spreading globally, the same hacking group started to send malware to the government in Wuhan, China, where the epidemic originated, aiming to track the Chinese government’s response.

In this case, OceanLotus is sending victims links to its fake websites via spear-phishing or direct messaging on social media.

The fake websites that are still currently active are not entirely malicious. The majority of the still active fake media web pages are benign. The contents focus on news that interests people in Vietnam and Southeast Asia, and these websites don’t include malicious redirects.

Majority of the fake pages that the researchers recommend not to visit are in the Vietnamese language. Several web pages target audiences that speak Malay, English, Cambodian, and Laotian.


The OceanLotus group has continued to evolve their attacks in which it seeks to target users outside of spear phishing and leverages on compromised web pages.


This only shows that the level of effort OceanLotus will go to extend their reach and find new techniques to find new ways to compromise individuals and organizations that it has targetted.

When the victims land on the fake website, they will be presented with information that seemingly came from a dedicated news channel, such as logos and slogans, that urge them to believe it is a reliable and legitimate news report. The contents on the fake websites appear to be from an authentic news outlet, which is done using WordPress plugins.

About the author

Leave a Reply