JEShell: An OceanLotus (APT32) Backdoor

Recently, various industry and media sources have publicly reported that OceanLotus, a suspected Vietnamese state-sponsored adversary, has conducted multiple targeted intrusions against auto manufacturers. This post examines a second-stage tool, JEShell, used during one such intrusion. JEShell contains code-level overlaps with the OceanLotus KerrDown malware first publicly described in a Medium post and a Palo …