Suspected APT-C-00 Delivers Havoc Trojan

Sept. 22, 2025, 8:12 p.m.

Description

A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, resolves API functions dynamically by hash rather than importing them. It creates a mutex to enforce single-instance execution, validates its command-line parameters, adds itself to the registry for persistence, and registers a vectored exception handler (VEH). The loader employs module hollowing to overwrite code in certmgr.dll with shellcode that reflectively loads the Havoc RAT. The tactics and development environment align with Ocean Lotus' known techniques, including the use of MinGW-w64 and a similar initialization sequence.

Date

  • Created: Sept. 22, 2025, 8:11 a.m.
  • Published: Sept. 22, 2025, 8:11 a.m.
  • Modified: Sept. 22, 2025, 8:12 p.m.

Attack Patterns

  • Havoc RAT
  • APT-C-00 (Ocean Lotus)

Additional Information

  • Government