OceanLotus Shifts Focus to Domestic Espionage and Targeted Supply-Chain Attacks
TL;DR
ESET Research reports a strategic realignment by the Vietnamese APT group OceanLotus, observable between 2024 and 2026, emphasizing domestic espionage alongside targeted cyber operations. The group executed two notable campaigns exploiting the SPECTRALVIPER backdoor: one involving a supply-chain attack on a stock investment platform and the other targeting a major infrastructure corporation in Vietnam.
Main Analysis
OceanLotus, also recognized as APT32, has demonstrated significant operational evolution in the last two years. Traditionally focused on broader regional targets, the group now concentrates on more selective domestic espionage, likely motivated by Vietnam’s anti-corruption initiatives. The first identified campaign compromised a Vietnamese infrastructure and transport construction company and continued through early 2026. Concurrently, OceanLotus leveraged a supply-chain attack on the FireAnt MetaKit, a widely used stock investment platform that began in late 2025. Through this tactic, the group aimed to inject its SPECTRALVIPER backdoor into the systems of stock investors during Vietnam’s financial reforms.
The details of these operations reveal a sophisticated approach characterized by tailored malware deployment. In the FireAnt attack, legitimate updates were replaced with malicious payloads containing SPECTRALVIPER, highlighting vulnerabilities such as the lack of integrity validation and SSL/TLS encryption in the update process. The architecture of SPECTRALVIPER, as analyzed, includes advanced capabilities for lateral movement and communication with command-and-control servers, allowing it to operate effectively within compromised networks.
OceanLotus’s activities appear not only as a continuation of its historical targeting patterns but also as a strategic pivot in light of the internal political landscape in Vietnam. The Vietnamese government’s campaign against corruption has sparked increased scrutiny and investigative efforts, likely prompting OceanLotus to align its operational focus on domestic surveillance and espionage.
Defensive Context
Organizations in Vietnam, particularly within the infrastructure and financial sectors, need to be aware of the potential risks posed by OceanLotus’s operational tactics. The group’s selective targeting strategy suggests a calculated approach to exploit vulnerabilities in widely used software and platforms, reflecting a shift toward domestic intelligence operations.
Equally, firms using outdated or poorly secured software—like the FireAnt MetaKit—should recognize the urgency of addressing potential supply-chain vulnerabilities. However, organizations outside Vietnam or those not directly linked to the financial market are less likely to be directly affected by these specific attacks.
Why This Matters
The shift in OceanLotus’s focus poses a significant risk to entities involved in Vietnam’s infrastructure and financial services. Businesses targeting stock market investments are particularly vulnerable due to the opportunistic nature of the FireAnt attack, which was designed to exploit the dynamic environment of ongoing market reforms and increasing regulatory scrutiny.
Defender Considerations
Organizations utilizing FireAnt MetaKit should consider reviewing their update protocols and ensuring proper integrity validation and secure communication channels are in place. The compromised infrastructure also surfaced various command-and-control domains, specifically designed to blend into benign traffic, highlighting the need for vigilant monitoring of network communications.
Indicators of Compromise (IOCs)
- C&C Domains:
- financemachinelearning.com
- gatewayrvcenter.com
- IPs:
- 139.99.33.239
- 142.91.98.77
- Malware Samples:
- SHA-1: 511B77459673EC42163F19E300FF1D233B6C39FB – SPECTRALVIPER downloader from FireAnt
This comprehensive overview emphasizes the evolving threat landscape posed by OceanLotus, underscoring the necessity for tailored defensive measures in response to their increasingly sophisticated and selective targeting strategies.
