The campaign reuses a portion of code from the Seasalt implant (circa 2010), which is linked to the Chinese hacking group Comment Crew. Oceansalt appears to have been part of an operation targeting South Korea, the United States, and Canada in a well-focused attack.
The campaign takes advantage of flaws in Microsoft Word in an attempt to drop a PowerShell backdoor labeled "POWERSHOWER" onto the infected system. The malware is capable of stealing sensitive information from the compromised machine and uploading it to a command and control server under the attackers' control. The operation also removes traces of itself, including files and registry entries, to make post-infection analysis difficult.