Threat Actor Profile
High APT
Description

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (54)
T1056 - Input Capture
Collection
T1560 - Archive Collected Data
Collection
T1071 - Application Layer Protocol
Command and Control
T1102 - Web Service
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1571 - Non-Standard Port
Command and Control
T1003 - OS Credential Dumping
Credential Access
T1552 - Unsecured Credentials
Credential Access
T1027 - Obfuscated Files or Information
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1070 - Indicator Removal
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1112 - Modify Registry
Defense Evasion
T1216 - System Script Proxy Execution
Defense Evasion
T1218 - System Binary Proxy Execution
Defense Evasion
T1222 - File and Directory Permissions Modifica…
Defense Evasion
T1550 - Use Alternate Authentication Material
Defense Evasion
T1564 - Hide Artifacts
Defense Evasion
T1012 - Query Registry
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1018 - Remote System Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1049 - System Network Connections Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1087 - Account Discovery
Discovery
T1135 - Network Share Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053 - Scheduled Task/Job
Execution
T1059 - Command and Scripting Interpreter
Execution
T1072 - Software Deployment Tools
Execution
T1203 - Exploitation for Client Execution
Execution
T1204 - User Execution
Execution
T1569 - System Services
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1048 - Exfiltration Over Alternative Protocol
Exfiltration
T1189 - Drive-by Compromise
Initial Access
T1566 - Phishing
Initial Access
T1021 - Remote Services
Lateral Movement
T1570 - Lateral Tool Transfer
Lateral Movement
T1137 - Office Application Startup
Persistence
T1505 - Server Software Component
Persistence
T1543 - Create or Modify System Process
Persistence
T1547 - Boot or Logon Autostart Execution
Persistence
T1574 - Hijack Execution Flow
Persistence
T1068 - Exploitation for Privilege Escalation
Privilege Escalation
T1589 - Gather Victim Identity Information
Reconnaissance
T1598 - Phishing for Information
Reconnaissance
T1583 - Acquire Infrastructure
Resource Development
T1585 - Establish Accounts
Resource Development
T1588 - Obtain Capabilities
Resource Development
T1608 - Stage Capabilities
Resource Development
Indicators of Compromise

STIX Data
{'aliases': [],
 'description': 'APT32is a suspected Vietnam-based threat group that has been '
                'active since at least 2014. The group has targeted multiple '
                'private sector industries as well as foreign governments, '
                'dissidents, and journalists with a strong focus on Southeast '
                'Asian countries like Vietnam, the Philippines, Laos, and '
                'Cambodia. They have extensively used strategic web '
                'compromises to compromise victims.[1][2][3]',
 'external_references': [{'external_id': 'G0050',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0050/'}],
 'id': 'threat-actor--G0050',
 'metadata': {'crawled_at': '2026-04-29T14:32:45.764369+00:00',
              'mitre_group_id': 'G0050',
              'page_title': 'APT32, SeaLotus, OceanLotus, APT-C-00, Canvas '
                            'Cyclone, BISMUTH, Group G0050 | MITRE ATT&CK®'},
 'name': 'APT32',
 'type': 'threat-actor'}