The cybersecurity landscape in Vietnam is facing significant challenges as the threat actor group known as OceanLotus launches targeted attacks on domestic entities. OceanLotus, active since 2012, has been linked to two separate campaigns aimed at Vietnamese companies and stock investors, utilizing a backdoor named SPECTRALVIPER.
OceanLotus’ Cyber Espionage Campaign
Between mid-2024 and February 2026, OceanLotus conducted a cyber espionage operation targeting a Vietnamese infrastructure and transport construction company. Concurrently, they executed a supply chain attack exploiting the FireAnt Metakit platform, a tool commonly used by stock investors in Vietnam. This activity persisted from October 2025 to March 2026, marking a strategic shift towards domestic targets, as noted by ESET, a Slovakian cybersecurity firm.
Historically, OceanLotus has focused on external targets, including China. However, recent attacks indicate a growing inclination towards internal espionage. The group’s tactics were revealed in a report shared with The Hacker News, highlighting their persistent and sophisticated approach.
FireAnt Metakit Supply Chain Attack
The supply chain attack on FireAnt Metakit began in October 2025 and lasted until March 2026. The attackers exploited the software’s update mechanism, which lacked proper integrity validation, to distribute SPECTRALVIPER among a select group of stock investors. According to ESET, this vulnerability allowed the execution of a malicious downloader under the guise of a legitimate update, which then collected host information and initiated further payloads.
The attack utilized a DLL side-loading technique to inject a rogue DLL into the OneDrive.Sync.Service.exe process, enabling the execution of SPECTRALVIPER. This malware communicated with a command-and-control server to exfiltrate encrypted host data.
Targeting Vietnamese Infrastructure Firms
OceanLotus also targeted an unnamed Vietnamese infrastructure and transport construction firm, maintaining covert access from November 2024 to February 2026. Although the precise method of initial access remains unclear, it’s suspected that the group exploited vulnerabilities in a Microsoft SQL server to deploy their backdoor.
SPECTRALVIPER facilitated lateral movement within the network, acting as a loader for additional malicious binaries or shellcode. The malware used DLL side-loading across multiple compromised hosts to communicate with its C2 server, relaying host-profiling data and receiving instructions from its operators.
In light of these attacks, the evidence suggests a potential shift in OceanLotus’s operational patterns. Since the exposure of its physical front company in 2020, the group has adopted a more selective approach, focusing on domestic targets while scaling back on foreign espionage activities.
This evolving threat landscape underscores the importance of robust cybersecurity measures and vigilance among Vietnamese companies and investors to safeguard against sophisticated cyber threats like those posed by OceanLotus.
