OceanLotus APT32 behind Torii IoT Botnet

Updated on 2022-12-07

Chinese security firm Antiy has confirmed the use of the Torii botnet by Vietnamese APT group OceanLotus. Last month, both Weibu and QiAnXin said that OceanLotus operators appear to be using the Torii IoT botnet to disguise the origin of their attacks.

Updated on 2022-11-15: OceanLotus attacks

Chinese security firm QiAnXin published a report on Monday about recent attacks of OceanLotus, a Vietnamese state-sponsored group, that have targeted Chinese organizations through 2021. The report details the group’s use of three zero-days, one in an unnamed antivirus product and two zero-days in an unnamed workstation management system. QiAnXin also confirmed a Weibu report from earlier this month that claimed that OceanLotus was using IoT devices as a springboard for their attacks. The Weibu report specifically linked OceanLotus to the Torii botnet. Read more:

• Operation(Đường chín đoạn) typhoon：觊觎南海九段线的赛博海莲
• 曝光！“海莲花”组织运营的物联网僵尸网络Torii

Overview: Torii and Ocean Lotus

In a report on Wednesday, Chinese IT company Weibu claimed that OceanLotus, a Vietnamese cyber-espionage group, is behind Torii, an IoT botnet that was first seen back in 2018. Weibu researchers say that OceanLotus, also known as APT32, has been using systems infected by Torii to hide their operations, such as attacks and command-and-control traffic. Read more:

• 曝光！“海莲花”组织运营的物联网僵尸网络Torii
• Torii botnet – Not another Mirai variant