The state-sponsored hacker group known as OceanLotus is using the web archive file format to evade detection while delivering backdoors.

The use of the web archive file format

A report from Netskope Threat Labs claims that OceanLotus's campaign is actively using web archive files (.MHT and .MHTML) for its attacks.
  • The attack begins with a RAR archive containing a 35–65 MB web archive file laden with a malicious Word document.
  • To bypass the protection of Microsoft Office, the attackers set the ZoneID property in the file's metadata to 2, making it appear as if it were downloaded from a legitimate source.
  • When the victim opens the web archive file with the infected Word document, they are asked to Enable Content, which eventually opens the way to running malicious VBA macro code.
  • After the payload is executed, the macro code carries out multiple tasks and deletes the original Word file, leading to the decoy document that triggers a fake error pop-up.
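
One way to hunt for the ZoneID trick described above, added here as an example (it is not code from the Netskope report or from this article): it parses the `Zone.Identifier` stream that Windows attaches to files and flags web archive files marked ZoneId 2, which is the Trusted sites zone, where a browser download normally carries 3 (Internet). The function names, severity labels and sample rows are assumptions made for illustration.

```python
import configparser
WEB_ARCHIVE_EXT = (".mht", ".mhtml")
MB = 1024 * 1024

def read_zone_stream(path):
    """Read the Zone.Identifier alternate data stream (Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream present, or not an NTFS volume

def parse_zone_id(stream_text):
    """Return the integer ZoneId from Zone.Identifier text, or None."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # malformed or truncated stream

def triage(records):
    """Flag web archives marked ZoneId=2; a size in the 35-65 MB range from
    the report raises severity. records: (path, size_bytes, stream_text)."""
    findings = []
    for path, size, stream_text in records:
        if not path.lower().endswith(WEB_ARCHIVE_EXT):
            continue
        if parse_zone_id(stream_text) != 2:
            continue
        severity = "high" if 35 * MB <= size <= 65 * MB else "medium"
        findings.append((path, severity))
    return findings

# Constructed inventory rows for illustration; not data from the report.
SAMPLE = [
    (r"C:\Users\a\Downloads\invoice.mht", 48 * MB, "[ZoneTransfer]\nZoneId=2\n"),
    (r"C:\Users\a\Downloads\page.mhtml", 2 * MB,
     "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.com/\n"),
    (r"C:\Users\a\Documents\notes.MHT", 1 * MB, "[ZoneTransfer]\nZoneId=2\n"),
    (r"C:\Users\a\Downloads\setup.exe", 50 * MB, "[ZoneTransfer]\nZoneId=2\n"),
    (r"C:\Users\a\Desktop\local.mht", 40 * MB, None),
]

if __name__ == "__main__":
    for path, severity in triage(SAMPLE):
        print(severity, path)
```

On a live Windows host, build the records by passing each file's path, size and `read_zone_stream(path)` result to `triage`.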

Diving deep into the operation

The dropped payload (64-bit DLL) executes every 10 minutes using a scheduled task imitating the WinRAR update check.
  • The backdoor is injected into the rundll32[.]exe process, which runs indefinitely inside system memory to avoid detection.
  • The malware collects information such as the network adapter, a list of system directories and files, the username, and the computer name, and checks the list of running processes.
  • Once the data is gathered, the backdoor adds everything to a single package and encrypts it before sending it to the C2 server.
  • The C2 server is hosted on Glitch, a cloud hosting and web development collaboration service.


The OceanLotus group is active again with new tactics and is successfully evading security solutions. It is even using legitimate cloud hosting services such as Glitch for C2 communications to stay undetected. Experts recommend organizations leverage the provided IoCs for detecting and preventing active attacks.

Cyware Publisher