New macOS backdoor connected to OceanLotus threat group

“A new backdoor which affects the Apple Mac operating system has been discovered by researchers which claim there is a link to the OceanLotus threat group,” Charlie Osborne reports for ZDNet. “The backdoor, identified as OSX_OCEANLOTUS.D, targets MacOS systems which have the Perl programming language installed.”

“Trend Micro believes the backdoor is the work of OceanLotus, also known as SeaLotus and Cobalt Kitty,” Osborne reports. “OceanLotus has been linked to attacks against human rights organizations, media organizations, research institutes, maritime construction firms, and other corporate targets.”

“According to ESET, OceanLotus is likely operating out of Asia and has set its sights not only on high-profile Vietnamese targets, but corporate and government groups based in the Philippines, Laos, and Cambodia,” Osborne reports. “Volexity has worked with a number of human rights and civil society organizations in these areas which appear to have all been targeted by the threat actors since 2015.”

Read more in the full article here.

MacDailyNews Take: Trend Micros says:

The MacOS backdoor was found in a malicious Word document presumably distributed via email. The document bears the filename “2018-PHIẾU GHI DANH THAM DỰ TĨNH HỘI HMDC 2018.doc,” which translates to “2018-REGISTRATION FORM OF HMDC ASSEMBLY 2018.doc.” The document claims to be a registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new MacOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system.

End users can benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats. Enterprises can benefit from Trend Micro’s Smart Protection Suites with XGen™ security, which infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across any user activity and any endpoint.

More info and links here.


  1. If I’m sent a Word file, I always contact the sender and explain that they’ve sent me a file in a proprietary format which I am unable to open. i ask them to re-send it in either PDF form or plain text.

    As it happens, Pages can open Word files and does it pretty reliably and without the risk of running anything malicious within the file, but I think it’s better all round if people are discouraged from sending each other Word files unless there are special reasons for doing so, such as a pre-agreed arrangement as part of a collaborative project.

  2. Anyone jumping through those hoops deserves to get owned. Instead of spending your money on Trend Micro, spend it with the ObDev folks, and on a good hardware firewall.

  3. The actual version/strain designation for the thing is up for debate. This may well be OSX.OceanLotus.E of F. Such is the chaotic nature of the anti-malware business.

    In any case, either don’t use Office/Word, or keep the security settings ON until you’ve verified the source AND security of any Office doc. I prefer the former.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.