OceanLotus is cross-platform malware that exists on both Windows and macOS. It mostly targets Chinese infrastructure. Beyond its wide range of available commands, the malware also uses anti-debug and anti-VM techniques in order to make its detection harder. When executed, the malware collects the following information from the system:

  • Product name and version
  • Machine name
  • Whether the user is root
  • User’s name
  • Username
  • IOPlatformUUID, which is used as the unique infection_id

Source: CheckPoint

The malware creates a LaunchAgent in order to persist on the system. Below are the commands the malware can receive from the C2, for the different OceanLotus variants:

Source: PaloAlto
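Because the macOS variant persists through a LaunchAgent, a defender can triage the LaunchAgents folders for auto-started programs that live in hidden or non-standard locations. The following is an added example written for this page, not code from the original article or from the referenced reports; the two plists and the path heuristics are constructed assumptions, not real OceanLotus indicators.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent plists (illustrative, not real malware artifacts).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.example</string>
<key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.update.helper</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/.hidden/helper</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

# Assumed "expected" prefixes for auto-started binaries; tune per environment.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/", "/Library/Apple/")

def parse_launch_agent(data: bytes) -> dict:
    """Return the persistence-relevant keys of a LaunchAgent plist."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    return {"label": plist.get("Label", ""), "program": program,
            "run_at_load": bool(plist.get("RunAtLoad", False)),
            "keep_alive": bool(plist.get("KeepAlive", False))}

def is_suspicious(agent: dict) -> bool:
    """Heuristic: runs at login and points to a hidden or unexpected path."""
    p = Path(agent["program"])
    if not p.is_absolute():
        return True  # relative program path is itself unusual for a LaunchAgent
    hidden = any(part.startswith(".") for part in p.parts[1:])
    return agent["run_at_load"] and (hidden or not str(p).startswith(TRUSTED_PREFIXES))

def scan_dir(directory: Path) -> list:
    """Parse every .plist in a LaunchAgents folder and return the flagged entries."""
    flagged = []
    for f in directory.glob("*.plist"):
        try:
            agent = parse_launch_agent(f.read_bytes())
        except Exception:
            continue  # unreadable or malformed plist: skip, but worth a manual look
        if is_suspicious(agent):
            flagged.append({"file": str(f), **agent})
    return flagged

if __name__ == "__main__":
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        if d.is_dir():
            for hit in scan_dir(d):
                print(hit)
```

Hits are triage leads, not verdicts: confirm by checking the binary's signature and hash before acting.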