

Ethical Hacking News

OceanLotus's Latest Malicious Campaign: A Shift Towards Domestic Espionage




OceanLotus, a 15-year-old Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage tactics, has recently launched a malicious campaign targeting domestic entities and stock investors in Vietnam. The latest attacks, attributed to OceanLotus, have been linked to the SPECTRALVIPER backdoor and involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026. This article delves into the details of OceanLotus's latest malicious campaign, exploring its tactics, techniques, and procedures (TTPs), as well as providing insights into the potential risks and implications for organizations in Vietnam.

  • OceanLotus, a 15-year-old APT group, has launched a malicious campaign targeting domestic entities and stock investors in Vietnam.
  • The group's latest attacks utilize the SPECTRALVIPER backdoor and involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation.
  • OceanLotus is shifting its operational focus from external targets to domestic espionage, highlighting its long-standing presence in the region.
  • The group has been linked to several high-profile attacks since December 2020, including the discovery of SPECTRALVIPER in June 2023.
  • OceanLotus exploited FireAnt Metakit, a popular software platform used by stock investors in Vietnam, to serve SPECTRALVIPER to a small subset of users.
  • The attacks demonstrate OceanLotus's ability to conduct targeted supply chain attacks and its adoption of more selective approaches to foreign espionage.



    OceanLotus, a 15-year-old Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage tactics, has recently launched a malicious campaign targeting domestic entities and stock investors in Vietnam. The latest attacks, attributed to OceanLotus, have been linked to the SPECTRALVIPER backdoor and involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026.

    The two sets of attacks represent a significant shift in operational focus for OceanLotus, with the threat actor placing an increasing emphasis on domestic espionage rather than external targets. The group's history of targeting China has also come to light, highlighting its long-standing presence in the region. However, it is unclear whether this shift represents a temporary adjustment or a long-term strategic change.

    In December 2020, Meta linked OceanLotus's activities to a Vietnamese IT company named CyberOne Group, after which the group went off the grid for nearly three years. The company denied any involvement, but the public exposure raised concerns about the group's eventual resurgence. Since then, OceanLotus has been linked to several high-profile attacks, including the discovery of SPECTRALVIPER in June 2023.

    The latest attack campaign leverages FireAnt Metakit, a popular software platform used by stock investors in Vietnam. The threat actor abused FireAnt's legitimate update URL to serve SPECTRALVIPER to only a small subset of stock investors, a selective delivery made possible by distributing the malicious payload directly through the FireAnt update server.

    The update configuration file lacked any integrity validation mechanism, so Metakit.exe executed the malicious downloader as if it were a legitimate update. Once launched, the downloader performed basic host reconnaissance and sent the collected information in an HTTP POST request to a staging server to request the next-stage payload. That payload used a DLL side-loading chain: a legitimate binary launched a rogue DLL, which then injected itself into the OneDrive Sync.Service.exe process.
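    The missing integrity check described above is what a signed-manifest update client provides: the client verifies a vendor signature over the update manifest against a key pinned in the client itself, then checks that the downloaded file hashes to the digest the signed manifest names, and only then hands the file to the installer. The Go program below is an added example, not FireAnt's or ESET's code; the manifest fields and the Ed25519 key pinning are assumptions, since the page does not describe FireAnt's update format. It also refuses manifests that do not advance the installed version, a replay check the page does not mention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed update descriptor; field names are assumptions.
type Manifest struct {
	Version int    `json:"version"`
	File    string `json:"file"`
	SHA256  string `json:"sha256"`
}

// VerifyUpdate checks the manifest signature against the pinned vendor key,
// rejects manifests that do not advance the installed version, and confirms
// the payload hashes to the digest the signed manifest names.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest unparsable: %w", err)
	}
	if m.Version <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", m.Version, installed)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, fmt.Errorf("payload digest does not match signed manifest")
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub would be compiled into the client
	payload := []byte("constructed vendor update bytes")
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{Version: 2, File: "update.exe", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, mj)
	_, genuine := VerifyUpdate(pub, mj, sig, payload, 1)
	_, swapped := VerifyUpdate(pub, mj, sig, []byte("swapped downloader"), 1)
	fmt.Println("genuine accepted:", genuine == nil, "| swapped payload rejected:", swapped != nil)
}
```

A payload swapped on the update server fails the digest check even though the manifest is authentic, and an attacker who replaces the manifest as well cannot produce a valid signature without the vendor's private key.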

    The backdoor subsequently contacted a command-and-control (C2) server to send encrypted host information. ESET reported that it has not observed any further malicious updates being distributed through the compromised channel since March 9, 2026, raising the possibility that OceanLotus concluded its campaign.

    In addition to the FireAnt Metakit supply chain attack, OceanLotus has also been found targeting an unnamed Vietnamese infrastructure and transport construction firm starting as far back as November 2024. The exact initial access pathway used by the threat actor is unclear, but it is suspected to have involved the exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server.

    The attacks pave the way for the deployment of SPECTRALVIPER using DLL side-loading. Three different variants have been identified across multiple compromised hosts on the same network. The malware contacts the C2 server ("gatewayrvcenter[.]com") to transmit host-profiling data and receive instructions from the operator.

    SPECTRALVIPER also facilitates lateral movement and functions as a loader by injecting additional binaries or shellcode retrieved from the C2 server into target processes. ESET's report highlights that OceanLotus has adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets since its physical front company was exposed in 2020.

    The threat actor's shift towards domestic espionage raises concerns about the potential for future attacks targeting Vietnamese entities and stock investors. It is essential for organizations in Vietnam to be vigilant and take proactive measures to protect themselves against OceanLotus's advanced threats.

    In light of this latest malicious campaign, it is crucial to revisit the strategies employed by security professionals to combat APT groups like OceanLotus. The use of advanced threat intelligence tools, regular software updates, and robust security protocols can help organizations mitigate the risks associated with OceanLotus's attacks.

    Furthermore, the discovery of SPECTRALVIPER and its integration into FireAnt Metakit highlights the importance of supply chain security measures to prevent attacks on unsuspecting users. Organizations must prioritize the use of reputable software sources, implement regular vulnerability scanning, and maintain up-to-date systems to minimize the risk of exploitation.

    Ultimately, OceanLotus's latest malicious campaign serves as a reminder of the ongoing threat landscape in cybersecurity. As APT groups continue to evolve and adapt their tactics, it is essential for organizations and security professionals to stay vigilant and proactive in protecting against emerging threats like those posed by OceanLotus.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/OceanLotuss-Latest-Malicious-Campaign-A-Shift-Towards-Domestic-Espionage-ehn.shtml

  • https://thehackernews.com/2026/06/oceanlotus-hits-vietnam-investors-with.html


  • Published: Thu Jun 11 06:02:49 2026 by llama3.2 3B Q4_K_M












