A high-tech cybersecurity scene featuring a mysterious group of hackers called 'Lotus Bane.' They are shown working in a dimly lit room with multiple screens displaying data on Vietnam's financial entities. The group's logo, 'Lotus Bane,' is prominently displayed on the wall. The atmosphere is tense, with an air of secrecy and urgency, and the hackers are focused on their mission to infiltrate the targeted financial organizations.

APT Group ‘Lotus Bane’ Is Responsible for Latest Attacks on Vietnam’s Financial Institutions

First discovered in March 2023, Lotus Bane was an as-yet-undocumented threat actor that targeted a financial business in Vietnam.

The hacker gang was categorized as an advanced persistent threat group by gang-IB, which has its headquarters in Singapore, and is thought to have been operating since at least 2022.

Although the precise details of the infection chain are yet unclear, they entail the usage of a number of harmful artifacts that operate as stepping stones to the subsequent level.

“The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement,” the business said.

The Hacker News was informed by Group-IB that Lotus Bane’s methods are similar to those of APT32, Canvas Cyclone (formerly known as Bismuth), and OceanLotus, a threat actor affiliated with Vietnam. This results from named pipes communicating with malware such as PIPEDANCE.

It’s important to remember that PIPEDANCE was initially identified in February 2023 by Elastic Security Labs in relation to a cyberattack that happened in late December 2022 and targeted an unidentified Vietnamese business.

Anastasia Tikhonova, director of Threat Intelligence for APAC at Group-IB, said, “This similarity suggests possible connections with or inspirations from OceanLotus, however, the different target industries make it likely that they are different.”

“Lotus Bane is actively carrying out assaults, with the primary target being the APAC financial industry. The intricacy of their methodology suggests the possibility of wider geographical activities inside APAC, even if the known incident occurred in Vietnam. Although the precise length of their existence before this finding is unknown at this time, further research might provide additional insight into their past.

This trend coincides with the fact that within the previous year, a number of sophisticated persistent threat groups, including Blind Eagle and the Lazarus Group, have targeted financial institutions in North America, Europe, Latin America, and Asia-Pacific (APAC).

UNC1945 is another noteworthy threat organization with a financial motive. It has been noted that UNC1945 targets ATM switch servers in an attempt to infect them with a malicious software known as CAKETAP.

“This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and checks it against a set of predefined conditions,” said Group-IB. “If these conditions are met, the data is altered before being sent out from the ATM server.”

In March 2022, Google-owned Mandiant revealed that UNC2891 and UNC1945 had installed the CAKETAP rootkit on Oracle Solaris computers, allowing them to intercept communications from an ATM switching network and make fraudulent card-based cash withdrawals at several banks without authorization.

“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and targets, underline the complexity of protecting against financial cyber threats in today’s digital landscape.”


Scroll to Top