Vietnamese Hackers Target Human Rights Defenders: Amnesty

Between February 2018 and November 2020, Vietnam-linked hacking group Ocean Lotus targeted Vietnamese human rights activists in the country and abroad with spyware, a new report from Amnesty International reveals.

Also referred to as APT32, APT-C-00, SeaLotus, and Cobalt Kitty, Ocean Lotus is a highly sophisticated group that has been active since at least 2012, mainly focused on media, human rights, and civil society organizations, but also targeting Vietnamese political dissidents, foreign governments and companies.

The recently observed attacks were aimed at Vietnamese activists at home and abroad, clearly falling in line with previously observed targeting.

“The investigation conducted by Amnesty International’s Security Lab revealed that two HRDs and a non-profit human rights organization from Viet Nam have been targeted by a coordinated spyware campaign,” Amnesty reveals.

The first of the targets is blogger and pro-democracy activist Bui Thanh Hieu, also known as Nguoi Buon Gio (The Wind Trader), who covers topics such as social and economic justice, as well as human rights. A critic of the Vietnamese government’s policies, he has been living in Germany since 2013.

Between February 2018 and November 2020, Ocean Lotus also targeted Vietnamese Overseas Initiative for Conscience Empowerment (VOICE), a non-profit human rights organization that provides support to Vietnamese refugees.

The reprisals the organization and its staff faced over the years included harassment, travel bans, and confiscation of passports. Additionally, state-owned media in Vietnam has run a smear campaign against VOICE, calling the organization a terrorist group.

Ocean Lotus also targeted a blogger residing in Vietnam, who spoke out publicly about a January 2020 incident where thousands of security officers raided the Dong Tam village and killed several people.

“Activists and bloggers were at the forefront of the public debate online, prompting a nationwide crackdown on online expression by the government. VOICE and the two bloggers all received emails containing spyware between February 2018 and November 2020,” Amnesty says.

The emails claimed to be carrying an important document, but instead included spyware, either attached or as a link. After execution, the malware would open a decoy document to trick the victim into believing the file was benign. The spyware targeted either macOS or Windows systems.

On Windows machines, the attackers deployed a variant of Kerrdown, malware used exclusively by Ocean Lotus, to fetch additional spyware (in this case Cobalt Strike), giving them full access to the victim system.

On macOS systems, the attackers used a variant of spyware that Ocean Lotus uses exclusively to target Apple’s desktop platform. The malware offers access to system information, as well as the ability to download, upload, and execute files, or run commands.

“Our investigation was not able to attribute Ocean Lotus’ activities to any company or government entity. However, the extensive list of people and organizations targeted by Ocean Lotus over the years shows that it has a clear focus on targeting human rights and media groups from Viet Nam and neighboring countries. This raises questions about whether Ocean Lotus is linked to Vietnamese state actors,” Amnesty notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
