Skip to content


OSX_OCEANLOTUS.D is a MacOS backdoor with several variants that has been used by APT32.12

Item Value
ID S0352
Associated Names Backdoor.MacOS.OCEANLOTUS.F
Version 2.2
Created 30 January 2019
Last Modified 14 January 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.2
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell OSX_OCEANLOTUS.D uses PowerShell scripts.1
enterprise T1059.004 Unix Shell OSX_OCEANLOTUS.D uses a shell script as the main executable inside an app bundle and drops an embedded base64-encoded payload to the /tmp folder.24
enterprise T1059.005 Visual Basic OSX_OCEANLOTUS.D uses Word macros for execution.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.12
enterprise T1543.004 Launch Daemon If running with root permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchDaemons.14
enterprise T1005 Data from Local System OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.2
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via chmod.4
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.12
enterprise T1070.006 Timestomp OSX_OCEANLOTUS.D can use the touch -t command to change timestamps.23
enterprise T1105 Ingress Tool Transfer OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.12
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.2
enterprise T1027 Obfuscated Files or Information OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.1
enterprise T1027.002 Software Packing OSX_OCEANLOTUS.D has a variant that is packed with UPX.5
enterprise T1553 Subvert Trust Controls -
enterprise T1553.001 Gatekeeper Bypass OSX_OCEANLOTUS.D uses the command xattr -d to remove the quarantine file attribute used by Gatekeeper.23
enterprise T1082 System Information Discovery OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.123
enterprise T1016 System Network Configuration Discovery OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.12
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model.53

Groups That Use This Software

ID Name References
G0050 APT32 16