Threat Intelligence Tarot
Vol. II · 80
Vietnam (Ministry of Public Security, suspected)
G0050
risk 3/5
The Lotus Watcher
APT32
OceanLotus · Canvas Cyclone · Bismuth
Private sector · Automotive · Government · Media · Foreign corporations in Vietnam
Active since ~2014 · Espionage, Intellectual property theft, Domestic surveillance
The Lotus blooms quietly beneath the surface of foreign enterprise, its roots threading through corporate networks before the flower is ever seen. Where trade delegations visit, the Watcher has already arrived.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1566.001 · Spearphishing Attachment · Initial Access
  • T1204.002 · Malicious File · Execution
  • T1059.003 · Windows Command Shell · Execution
  • T1053.005 · Scheduled Task · Persistence
  • T1547.001 · Registry Run Keys / Startup Folder · Persistence
  • T1083 · File and Directory Discovery · Discovery
  • T1105 · Ingress Tool Transfer · Command and Control
Notable Operations
  • BMW and Toyota network intrusions (2019)
  • Targeting of Vietnamese journalists and activists
  • COVID-19 research theft attempts
  • Southeast Asian government espionage campaigns
Defenses
Reversed: Their Weakness
Its reliance on spearphishing and consumer malware frameworks makes attribution straightforward. Strong endpoint detection and user awareness training collapse its primary access vectors rapidly.

Data sourced from MITRE ATT&CK. For educational purposes.