New Trend in MSI File Abuse: New OceanLotus Group First to Use MST Files to Deliver Tromas


During recent daily operations, the QiAnXin Threat Intelligence Center discovered that the new OceanLotus group, which we have been continuously tracking since mid-2022, has begun to re-activate and is using a new tactic of MSI file misuse.

Even though the MSI TRANSFORMS technique was theoretically disclosed in 2022, this is the first time that QiAnXin researchers have ever captured an APT campaign targeting a domestic governmental enterprise. The researchers currently divide the APT-Q-31 (OceanLotus) group into two attack sets, after they have observed for a long time that the old and new OceanLotus carry out espionage activities against the country alternately every year through rounds of warfare, and that the two attack sets have completely different TTPs, but share attack resources. The last time the new OceanLotus group was active was at the end of 2023, so far it has been exactly one year.

Read more…
Source: QiAnXin Threat Intelligence Center 


Sign up for our Newsletter


Related:

  • NSA Advocates Data Sharing Framework

    June 23, 2017

    The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys. “We need to conduct defenses in a way that ...