BRATISLAVA, MONTREAL — June 11, 2026 — ESET Research’s tracking of OceanLotus activities from 2024–2026 has revealed a shift in operational focus as the Vietnam-aligned group adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage. ESET researchers identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock market investors in Vietnam, and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company.
Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling. OceanLotus is known for continuously innovating and expanding its arsenal of Windows and Linux backdoors, often implementing unique network protocols or tailoring the data collection capabilities to specific operational objectives.
Between 2017 and 2020, OceanLotus attracted significant public attention following multiple reports detailing its cyberespionage activities. These included large-scale watering-hole attacks targeting Southeast Asia in 2017–2018, intrusions into corporations such as BMW and Hyundai in 2019, and the targeting of a Vietnamese dissident in Germany that same year. The group was also linked to operations against human rights defenders between 2019 and 2020, as well as espionage targeting the Wuhan municipal government in 2020. However, the group’s operations faced a setback in 2020 when Facebook publicly identified the company believed to be used as a front for OceanLotus. Following this exposure, public reporting on the group diminished significantly, and its activities received comparatively little attention for several years.
The first campaign involved the newly discovered compromise of an infrastructure and transport construction corporation. This intrusion began in mid-2024 and persisted through January 2026. The second campaign was a supply-chain attack that began in late 2025 and continued until March 2026. In this operation, OceanLotus compromised the update server of FireAnt MetaKit, a Vietnamese stock investment platform, and replaced legitimate software updates with a malicious payload that ultimately deployed SPECTRALVIPER. This campaign appears to have targeted stock investors and may be linked to Vietnam’s recent efforts to promote securities market reforms, suggesting a possible connection to domestic monitoring or investigative objectives.
In both cases, OceanLotus deployed its signature backdoor, SPECTRALVIPER, on victim’s systems. Notably, an operational security lapse resulted in run-time type information names being left intact in a SPECTRALVIPER sample, enabling us to reconstruct aspects of the backdoor’s internal architecture. Despite the broad potential impact of such an attack, ESET observed only a few individuals who ultimately received SPECTRALVIPER, indicating selective targeting.
Overall, the available evidence points to a potential shift in OceanLotus’s operational patterns. Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets.
It is worth noting that OceanLotus’s latest activities seem to align with various recent developments taking place on Vietnam’s domestic scene. In recent years, Vietnamese authorities have embarked upon a major crusade against corruption — a program baptized Blazing Furnace. Similar to Xi Jinping’s big anti-corruption push in China, this effort, launched by the Communist Party of Vietnam, is intended to demonstrate to the population that the party is willing and able to clean up its ranks to maintain its legitimacy. In this context, it seems likely that Vietnam’s security apparatus is now deploying increasingly important resources to fight corruption (and financial crime more broadly). ESET believes that OceanLotus could be somehow associated with these efforts, and that this may be another reason behind the group’s apparent refocus on domestic intelligence and surveillance.
OceanLotus, also known as APT32, is a cyberespionage group reportedly aligned with the interests of the Vietnamese government. According to ESET telemetry, activity attributed to this group dates back to 2012, and possibly earlier. OceanLotus mainly targets China and Southeast Asia (with a focus on Vietnam); it has been associated with a variety of operations, ranging from a massive digital profiling campaign to highly targeted attacks against Vietnamese human-rights activists.
For more details about OceanLotus and its latest campaign, check out the ESET Research blogpost, “OceanLotus: From external espionage to domestic targeting,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
Execution chain of the FireAnt supply-chain attack
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。