OceanLotus Targets Vietnamese Investors with SPECTRALVIPER Malware

The Vietnam-aligned cyber espionage group known as OceanLotus has been implicated in two distinct campaigns targeting domestic entities and stock investors through the deployment of a backdoor named SPECTRALVIPER.

One campaign involved a prolonged cyber espionage operation against a Vietnamese infrastructure and transport construction corporation, spanning from mid-2024 to February 2026. The second campaign was a supply chain attack leveraging FireAnt Metakit, a widely used software platform among Vietnamese stock investors, occurring between October 2025 and March 2026.

These activities indicate a strategic shift by OceanLotus towards domestic espionage, moving away from its previous focus on external targets. The group, active since 2012, has a history of targeting various entities, including those in China.

In December 2020, Meta linked OceanLotus’ activities to a Vietnamese IT company named CyberOne Group, also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited. Although the company denied these allegations, the exposure led to the group going dormant for nearly three years.

OceanLotus’ toolkit includes malware such as SOUNDBITE (also known as Denis), PHOREAL (Rizzo), WINDSHIELD (Remy), and more recently, SPECTRALVIPER. The latter was first documented by Elastic Security Labs in June 2023, when the group resurfaced in a campaign targeting Vietnamese public companies.

In the FireAnt Metakit supply chain attack, which likely began around October 2, 2025, and lasted until March 2026, the attackers abused the software’s legitimate update URL to distribute SPECTRALVIPER to a select group of stock investors. This delivery method indicates a more targeted approach than broad phishing. The update configuration file lacked an integrity validation mechanism, so the client executed the malicious payload as if it were a legitimate update.
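The weakness described above is an updater that fetches and runs whatever the update URL serves. The following is an added example, not code from FireAnt Metakit or from the researchers who reported the campaign, of the client-side checks such an updater should perform before executing a payload: pinning the update host and scheme, rejecting version rollback, and verifying the payload against a SHA-256 digest carried in the manifest. The host name, manifest layout and sample payload are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload and update host (hypothetical, not the real product's values).
UPDATE_PAYLOAD = b"MZ\x90\x00 constructed sample update binary"
TRUSTED_HOST = "updates.example-vendor.test"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split(".")) if v else (0,)


def make_manifest(version: str, payload: bytes) -> dict:
    """Vendor side: publish a manifest that pins the payload's SHA-256 digest."""
    return {
        "version": version,
        "url": f"https://{TRUSTED_HOST}/metakit/{version}/update.bin",
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def verify_update(manifest: dict, payload: bytes, installed_version: str) -> tuple[bool, str]:
    """Client side: every check here is one the compromised updater effectively skipped."""
    url = urlparse(manifest.get("url", ""))
    # Only accept payloads served over TLS from the pinned vendor host.
    if url.scheme != "https" or url.hostname != TRUSTED_HOST:
        return False, "untrusted update URL"
    # Refuse downgrades and replays of an already-installed version.
    if parse_version(manifest.get("version", "")) <= parse_version(installed_version):
        return False, "rollback or replay rejected"
    # Compare the downloaded bytes against the digest pinned in the manifest.
    expected = manifest.get("sha256", "")
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return False, "payload hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = make_manifest("1.5.0", UPDATE_PAYLOAD)
    print(verify_update(manifest, UPDATE_PAYLOAD, "1.4.2"))            # genuine update
    print(verify_update(manifest, UPDATE_PAYLOAD + b"\x00", "1.4.2"))  # swapped payload
    print(verify_update(make_manifest("1.4.2", UPDATE_PAYLOAD), UPDATE_PAYLOAD, "1.4.2"))
```

Hash pinning only helps if the manifest itself is trustworthy, so in production the manifest should additionally carry a signature from a vendor key that the client has built in, which this example omits.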

These developments underscore the evolving tactics of OceanLotus and highlight the critical need for robust cybersecurity measures, especially in sectors handling sensitive financial data. Organizations must implement stringent software update validation processes and remain vigilant against sophisticated supply chain attacks.