OceanLotus Targets Vietnamese Investors with SPECTRALVIPER Malware

The Vietnam-aligned cyber espionage group known as OceanLotus has been linked to two distinct campaigns targeting domestic entities and stock investors, deploying a backdoor named SPECTRALVIPER.

According to ESET, the first campaign involved a prolonged cyber espionage operation against a Vietnamese infrastructure and transport construction corporation from mid-2024 to February 2026. The second campaign, occurring between October 2025 and March 2026, was a supply chain attack leveraging FireAnt Metakit, a popular software platform among Vietnamese stock investors.

These activities indicate a shift in OceanLotus’s focus towards domestic espionage. ESET noted, “Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling.”

Historically, OceanLotus has targeted foreign entities, including Chinese organizations. Their tactics have included watering hole attacks to profile site visitors, focusing on media, human rights, and civil society organizations in 2017 and 2018. They have also targeted Vietnamese human rights defenders and dissidents.

In December 2020, Meta linked OceanLotus’s activities to a Vietnamese IT company named CyberOne Group, also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited. Although the company denied these allegations, the exposure led to the group going dormant for nearly three years.

OceanLotus’s toolkit includes SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and more recently, SPECTRALVIPER. Elastic Security Labs first documented SPECTRALVIPER in June 2023 during a campaign targeting Vietnamese public companies.

In May 2026, Kaspersky discovered three malicious packages on the Python Package Index (PyPI) repository designed to deliver a previously unknown malware family called ZiChatBot on Windows and Linux systems. The dropper used to deliver this malware shares a “64% similarity” with another dropper used by OceanLotus.

The FireAnt Metakit supply chain attack likely began around October 2, 2025, and lasted until March 2026. The attack exploited the software’s legitimate update URL to serve SPECTRALVIPER to a select group of stock investors, indicating a more targeted approach. The update configuration file lacked an integrity validation mechanism, allowing the malicious downloader to execute as a legitimate update. Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server.
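The missing control in the update flow described above is an integrity check that the client can perform on its own, independently of whatever the update URL serves. The following Go program is an added illustration of such a check, not code from FireAnt Metakit, ESET or The Hacker News: it assumes a hypothetical JSON manifest that pins the SHA-256 of the update payload, an Ed25519 signature over that manifest made with a publisher key whose public half is compiled into the client, and constructed sample bytes standing in for the update binary. The names (`Manifest`, `Verifier`, `ApplyUpdate`, `RunScenario`) are invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is a hypothetical update descriptor served from the update URL;
// it pins the SHA-256 of the payload the client is about to run.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("payload hash does not match manifest")
)

// Verifier holds the publisher's Ed25519 public key, embedded in the client
// at build time. Control of the update URL alone cannot forge a signature.
type Verifier struct{ PubKey ed25519.PublicKey }

// VerifyManifest checks the detached signature over the raw manifest bytes
// before the JSON is parsed, so unauthenticated input never reaches the parser.
func (v Verifier) VerifyManifest(raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(v.PubKey, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// VerifyPayload compares the download against the authenticated manifest;
// nothing is written to disk or executed until this passes.
func (v Verifier) VerifyPayload(m *Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// ApplyUpdate is the client-side gate: signed manifest first, then payload hash.
func ApplyUpdate(v Verifier, rawManifest, sig, payload []byte) (*Manifest, error) {
	m, err := v.VerifyManifest(rawManifest, sig)
	if err != nil {
		return nil, err
	}
	if err := v.VerifyPayload(m, payload); err != nil {
		return nil, err
	}
	return m, nil
}

// signPayload is the publisher side, present only so the example runs offline;
// in practice the private key stays on the release signing system.
func signPayload(priv ed25519.PrivateKey, payload []byte) (raw, sig []byte, err error) {
	sum := sha256.Sum256(payload)
	raw, err = json.Marshal(Manifest{Version: "1.2.3", SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// RunScenario exercises the gate with constructed data: a legitimate update, the
// same signed manifest with swapped bytes, and a manifest signed by an untrusted key.
func RunScenario() (legit, swappedPayload, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	v := Verifier{PubKey: pub}
	payload := []byte("constructed update binary bytes")
	raw, sig, err := signPayload(priv, payload)
	if err != nil {
		return err, err, err
	}
	_, legit = ApplyUpdate(v, raw, sig, payload)
	// Signature still valid, but the bytes differ: the hash check catches it.
	swapped := append([]byte(nil), payload...)
	swapped[0] ^= 0xff
	_, swappedPayload = ApplyUpdate(v, raw, sig, swapped)
	// Manifest consistent with the swapped bytes but signed by the wrong key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fraw, fsig, _ := signPayload(otherPriv, swapped)
	_, forgedManifest = ApplyUpdate(v, fraw, fsig, swapped)
	return legit, swappedPayload, forgedManifest
}
```

The ordering matters: the signature is checked on the raw bytes before any parsing, and the payload hash is checked against the signed manifest before the file is written or launched. With that gate in place, a server that can only change what the update URL returns can neither substitute a payload nor publish a manifest that the client will accept, which is exactly the gap the article attributes to the compromised update flow.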

These developments underscore the evolving tactics of OceanLotus and the increasing sophistication of their cyber espionage operations. Organizations, especially those in Vietnam, should remain vigilant and implement robust security measures to defend against such targeted attacks.

Source: The Hacker News