Operation Oceansalt Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group
2018-10-18 • McAfee
https://partners.trellix.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
McAfee analyzed Operation Oceansalt, a reconnaissance implant campaign that began with Korean-language spear phishing documents and later affected South Korea, the United States, and Canada. Oceansalt reused portions of Seasalt code associated with Comment Crew, but the report argues the evidence could reflect private code access, collaboration, or a false flag rather than a simple return of APT1. The malware sends system data to C2 and can execute commands, while the lure content and Office metadata indicate targeting of Korean-speaking users tied to South Korean public infrastructure and finance topics.