OceanLotus Hacker Group Targeting Xinchuang IT Ecosystems to Launch Supply Chain Attacks

The OceanLotus hacker group, widely tracked as APT32, has initiated a highly targeted surveillance campaign aimed at China’s “Xinchuang” IT ecosystem.

This strategic pivot focuses on compromising indigenized domestic hardware and software frameworks that were specifically designed to establish secure, self-reliant information technology environments.

By exploiting the unique architecture of these domestic systems, the threat actors aim to infiltrate sensitive government and industrial networks that were previously considered hardened against foreign cyber espionage.

The attackers employ a versatile multi-vector approach, utilizing sophisticated spear-phishing lures tailored to the Linux-based architecture of Xinchuang terminals.

#OceanLotus Group Targeting The indigenized Xinchuang system (a Chinese framework for building secure, self-reliant IT ecosystems using domestic hardware and software).
1. Spear-Phishing Lures
Desktop Lures
Desktop files on ICT innovation platforms, similar to LNK files on…
— blackorbird (@blackorbird), December 8, 2025

These vectors include malicious .desktop files that function similarly to Windows shortcuts, PDF lures that invoke remote documents via WPS Office, and JAR archives that execute directly within pre-installed Java environments.

Desktop Decoy (Source – X)

These initial access methods, often masquerading as official government notices, are meticulously designed to bypass standard security controls by blending in with legitimate administrative workflows and file formats common to the targeted sector.

Blackorbird security analysts identified the malware after observing a distinct pattern of supply chain compromises within the affected networks.

Leveraging suspected zero-day flaws

Their research highlights how the group initially attempts to brute-force internal security servers before leveraging suspected zero-day vulnerabilities to deploy malicious update scripts across the infrastructure.

Epub file vulnerability (Source – X)

This persistence mechanism allows them to maintain long-term, stealthy access to both Linux and Windows terminals, effectively turning trusted internal updates into a distribution channel for their surveillance payloads.

A particularly notable technique involves the exploitation of the N-day vulnerability CVE-2023-52076 in the Atril Document Viewer, a default component in many targeted distributions.

Attackers distribute a malicious EPUB file, such as “Safety Office Inspection Work – Final Version.epub,” which triggers a critical path traversal and arbitrary file write flaw upon opening.

This exploit allows the adversary to bypass file system restrictions and write a persistence mechanism, specifically a file named desktop-service-7803.desktop, directly into the user’s autostart directory without requiring elevated privileges.

Simultaneously, the exploit deposits an encrypted payload file, .icWpnBHQcOKa, into the hidden .config directory to evade visual detection.

When the system reboots or the user logs in, the malicious desktop entry automatically executes, decrypting the hidden payload and launching a Python-based downloader.
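The EPUB persistence described above relies on an archive member whose path escapes the extraction directory. As an added example (not from the article or the researchers cited), the stdlib-only check below inspects an EPUB's ZIP members for traversal paths; the fixture file names are constructed placeholders, not the real sample's.

```python
import io
import posixpath
import zipfile


def is_traversal(name: str) -> bool:
    """True if a ZIP member name would land outside the extraction directory."""
    name = name.replace("\\", "/")          # some extractors accept backslashes
    if name.startswith("/"):
        return True                          # absolute path
    norm = posixpath.normpath(name)          # collapses "a/../b" -> "b"
    return norm == ".." or norm.startswith("../")


def suspicious_members(data: bytes) -> list[str]:
    """Scan an EPUB (a ZIP container) and report members that attempt
    path traversal or target autostart/config locations an e-book never needs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_traversal(name):
                findings.append(f"traversal: {name}")
            elif "/.config/" in name or name.endswith(".desktop"):
                findings.append(f"unexpected target: {name}")
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Constructed fixture: a minimal EPUB-like ZIP with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", b"application/epub+zip")
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


BENIGN = build_sample({"OEBPS/content.opf": b"<package/>",
                       "OEBPS/ch1.xhtml": b"<html/>"})

# Constructed: member names shaped like the autostart write the article
# describes; "example.desktop" and ".hiddenpayload" are placeholders.
HOSTILE = build_sample({
    "OEBPS/content.opf": b"<package/>",
    "../../.config/autostart/example.desktop": b"[Desktop Entry]\nExec=/bin/true\n",
    "../../.config/.hiddenpayload": b"\x00",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, suspicious_members(blob))
```

Run the same check over any EPUB before it reaches an unpatched Atril, or over ~/.config/autostart entries that appeared without a matching package install.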

JAR Decoy (Source – X)

This multi-stage infection process ensures the malware remains undetected by static analysis tools while establishing a robust, resilient foothold in the targeted environment for continuous data exfiltration.

The post OceanLotus Hacker Group Targeting Xinchuang IT Ecosystems to Launch Supply Chain Attacks appeared first on Cyber Security News.

Source: cybersecuritynews.com