Campaigns Target Domestic Entities and Stock Investors
The Vietnam-aligned threat actor OceanLotus has been linked to two separate campaigns that deployed the SPECTRALVIPER backdoor against domestic targets. According to cybersecurity firm ESET, the first operation was a prolonged cyber espionage campaign against a Vietnamese infrastructure and transport construction corporation, active between mid-2024 and February 2026. The second campaign was a supply chain attack targeting FireAnt Metakit, a widely used software platform for stock investors in Vietnam, which ran from October 2025 to March 2026. These attacks mark a notable shift in OceanLotus’s operational focus, placing greater emphasis on domestic espionage rather than external targets.
Tools and Historical Context
OceanLotus, active since 2012, has a history of targeting Chinese entities and employing watering hole attacks to profile visitors, particularly those connected to media, human rights, and civil society. The group has used various tools including SOUNDBITE, PHOREAL, and WINDSHIELD, with SPECTRALVIPER emerging as a newer addition documented by Elastic Security Labs in June 2023. ESET noted that this 15-year-old APT group continues to demonstrate aggressive tactics and crafty tooling. The group went largely dormant for nearly three years after Meta linked its activities to CyberOne Group in December 2020, but has since resurfaced with intensified domestic targeting.
Source: The Hacker News
