Advanced Persistent Threat 32 – Chinese State-Sponsored
Executive Summary
APT32 (also known as OceanLotus, G0015) is a Chinese state-sponsored advanced persistent threat group primarily focused on espionage, with emphasis on critical infrastructure and the telecommunications sector. This report covers the group's operations as of 2026, including recent campaigns, tools, TTPs, and target sectors.


Basic Information
- Name: APT32 (OceanLotus)
- Aliases: OceanLotus
- MITRE ATT&CK Group ID: G0015
- Country of Origin: China
- Threat Level: HIGH
- Primary Motivation: State-sponsored espionage, critical infrastructure targeting, telecommunications

Recent Operations (2025-2026)
Telecom Sector (2025-2026):
- Global telecom operator targeting
- Network infrastructure compromise
- Equipment vendor operations
- Supply chain compromise
Government and Military (2025-2026):
- Government institution targeting
- Military organization operations
- Research institute compromise
- Scientific data theft
Energy Sector (2025-2026):
- Energy company operations
- Power grid targeting
- Utility company compromise
- Industrial control system targeting
Primary Tools and Techniques:
- Cobalt Strike (primary post-exploitation framework)
- Custom malware (OceanLotus framework)
- Spearphishing campaigns
- Zero-day exploitation
- Credential dumping and Active Directory enumeration (Mimikatz, BloodHound)

TTPs (MITRE ATT&CK Mapping)
Initial Access:
- Phishing (Spearphishing Link, Spearphishing Attachment)
- Exploit publicly available vulnerabilities
- Supply chain compromise
Execution:
- Command and Scripting Interpreter (PowerShell)
- Browser Execution
Persistence:
- Boot or Logon Autostart Execution
- Accessibility Features
Privilege Escalation:
- Exploitation for Privilege Escalation
- Abuse Elevation Control Mechanism
Defense Evasion:
- Indicator Removal
- File and Directory Permissions Modification
- Obfuscated Files or Information
Credential Access:
- OS Credential Dumping (LSASS Memory)
Discovery:
- Active Directory Enumeration
- Remote Service Discovery
- Network Service Discovery
Lateral Movement:
- Remote Services (RDP, SMB)
- Lateral Tool Transfer
Collection:
- Data from Local System
- Data from Network
Exfiltration:
- Exfiltration Over C2 Channel
- Exfiltration Over Alternative Protocol

Known Campaigns (2025-2026)
Operation 1 (2025):
- Target: Global telecom operators
- Impact: Network infrastructure compromise
- Tools: Cobalt Strike, custom malware
Operation 2 (2025):
- Target: Government and military
- Impact: Political influence, information warfare
- Tools: Cobalt Strike, Mimikatz
Operation 3 (2026):
- Target: Energy sector
- Impact: Industrial control system targeting
- Tools: Cobalt Strike, spearphishing

Threat Assessment
Threat Level: HIGH
Primary Targets:
- Telecom sector
- Government and military
- Energy sector
- Critical infrastructure
Capabilities:
- Advanced persistent threat
- Critical infrastructure targeting
- Multi-vector attacks
- Long-term persistence
- Supply chain attacks

Sources
- MITRE ATT&CK G0015
- CISA Advisories
- JSIS Washington.edu
- CISA AA25-239A
- CybelAngel
- CrowdStrike Threat Intelligence
- Mandiant Reports
- FortiGuard Labs

Report Generated: 2026-06-10
Intelligence Freshness: Current (as of June 2026)
Classification: Unclassified
