OceanLotus Shifts Focus to Domestic Espionage with SPECTRALVIPER Attacks
Severity: High (Score: 76.2)
Sources: Welivesecurity, web.archive.org, securelist.com, www.volexity.com, cloud.google.com
Published: · Updated:
Keywords: oceanlotus, mass, digital, surveillance, asean, nations, external
Severity indicators: ot
Summary
From mid-2024 to early 2026, the Vietnam-aligned APT group OceanLotus has intensified its focus on domestic espionage, utilizing the SPECTRALVIPER backdoor in two major campaigns. The first campaign targeted a Vietnamese infrastructure and transport construction company, while the second involved a supply-chain attack on FireAnt MetaKit, a stock investment platform, affecting investors in Vietnam. The SPECTRALVIPER malware, a sophisticated 64-bit Windows backdoor, was deployed to compromise systems and gather intelligence. This shift in tactics reflects a broader trend of increased domestic monitoring amid Vietnam's anti-corruption efforts. OceanLotus, also known as APT32, has a history of targeting dissidents and foreign corporations, but its recent activities indicate a strategic pivot towards local targets. The group remains active and continues to innovate its malware arsenal, suggesting ongoing threats to Vietnamese entities. Key Points: • OceanLotus has shifted focus from external espionage to domestic targets in Vietnam. • The group deployed the SPECTRALVIPER backdoor in attacks against a construction company and stock investors. • Recent operations align with Vietnam's anti-corruption initiatives, indicating strategic state interests.
Detailed Analysis
**Impact** Two distinct campaigns targeted Vietnamese domestic sectors from mid-2024 to early 2026. A prolonged espionage operation compromised a Vietnamese infrastructure and transport construction company, while a supply-chain attack targeted stock market investors via the FireAnt MetaKit platform. The affected sectors include infrastructure, transport, and financial services within Vietnam. The scope appears selective, with only a few individuals ultimately infected, but the campaigns risk exposure of sensitive corporate and investor data, potentially impacting market integrity and infrastructure projects. **Technical Details** OceanLotus deployed the SPECTRALVIPER backdoor, a heavily obfuscated 64-bit Windows malware with dual communication modes (HTTP and named pipes) and AES-encrypted command exchange using Diffie-Hellman key exchange. Attack vectors included supply-chain compromise of FireAnt MetaKit’s update server and direct intrusions into corporate networks. Techniques observed include LOLBAS abuse (renamed ProcDump), DLL side-loading, and proxy bypass mechanisms. No specific CVEs were mentioned. Infrastructure included malicious update servers and compromised legitimate websites for delivery. Indicators include named pipes such as `\\.\pipe\raSeCIR4gg` and files like `dbg.config`. **Recommended Response** Prioritize monitoring for SPECTRALVIPER indicators, including suspicious named pipe activity and renamed LOLBAS utilities like ProcDump masquerading as windbg.exe. Block and investigate anomalous network communications to known malicious update servers and monitor FireAnt MetaKit update mechanisms for unauthorized changes. Deploy detections for DLL side-loading and proxy bypass techniques. Harden update server infrastructure and validate software update integrity. Maintain vigilance for spear-phishing campaigns delivering ActiveMime files with malicious macros.
Source articles (8)
- Vietnam — Sg.Finance.Yahoo · 2026-06-11
From mid-2024 to February 2026, Vietnam-aligned APT group OceanLotus compromised the network of a Vietnamese infrastructure and transport construction corporation with its signature implant, SPECTRALV… - OceanLotus: From external espionage to domestic targeting — Welivesecurity · 2026-06-11
Our tracking of OceanLotus activities from 2024–2026 reveals a shift in operational focus. During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations w… - Vietnam — Markets.Businessinsider · 2026-06-11
BRATISLAVA, Slovakia and MONTREAL, June 11, 2026 (GLOBE NEWSWIRE) -- ESET Research’s tracking of OceanLotus activities from 2024–2026 has revealed a shift in operational focus as the Vietnam-aligned g… - Vietnamese government — cloud.google.com · 2026-06-11
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign gover… - Oceanlotus Blossoms Mass Digital Surveillance And Exploitation Of Asean Nations The Media Human Rights And Civil Society — www.volexity.com · 2026-06-11
In May 2017, Volexity identified and started tracking a very sophisticated and extremely widespread mass digital surveillance and attack campaign targeting several Asian nations, the ASEAN organizatio… - 78203 — securelist.com · 2026-06-11
Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. Howeve… - SPECTRALVIPER — www.elastic.co · 2026-06-11
Elastic Security Labs has discovered the SPECTRALVIPER malware targeting a national Vietnamese agribusiness. Elastic Security Labs has been tracking an intrusion set targeting large Vietnamese public… - Fr Autoindustrie Im Visier Von Hackern Bmw Ausgespaeht,rjn Lk D4 — web.archive.org · 2026-06-11
Der Angriff der mutmaßlich vietnamesischen Hackergruppe begann im Frühjahr 2019. Am vergangenen Wochenende nahm der Automobilkonzern aus München die betroffenen Rechner schließlich vom Netz. Zuvor hat…
Timeline
- 2024-06-01 — OceanLotus begins targeting domestic infrastructure: The group compromised a Vietnamese infrastructure and transport construction company using SPECTRALVIPER.
- 2025-10-01 — Supply-chain attack on FireAnt MetaKit: OceanLotus executed a supply-chain attack, compromising software updates to deploy SPECTRALVIPER against investors.
- 2026-01-31 — SPECTRALVIPER malware identified: Elastic Security Labs reported on the SPECTRALVIPER backdoor, detailing its capabilities and methods of operation.
- 2026-06-11 — ESET Research publishes findings: ESET confirms OceanLotus's strategic shift and details the two recent campaigns involving SPECTRALVIPER.
Related entities
- Apt32 (Apt Group)
- OceanLotus (Apt Group)
- OceanLotus Group (Apt Group)
- Turla (Apt Group)
- Waterbug (Apt Group)
- Malware (Attack Type)
- Phishing (Attack Type)
- Ransomware (Attack Type)
- Supply Chain Attack (Attack Type)
- Trojan (Attack Type)
- Worm (Attack Type)
- Ref2754 (Campaign)
- Ref4322 (Campaign)
- BMW (Company)
- FireAnt (Company)
- Hyundai (Company)
- Wuhan Municipal Government (Company)
- China (Country)
- Germany (Country)
- Iran (Country)
- North Korea (Country)
- Philippines (Country)
- Russia (Country)
- Slovakia (Country)
- Vietnam (Country)
- CWE-862 - Missing Authorization (Cwe)
- appointmentmedia.com (Domain)
- cloudflare-api.com (Domain)
- coachcybersecurity.com (Domain)
- financemachinelearning.com (Domain)
- gatewayrvcenter.com (Domain)
- health-ray-id.com (Domain)
- images.chinabytes.info (Domain)
- learning.com (Domain)
- mxprodesign.com (Domain)
- oteams.com (Domain)
- power-sync-services.com (Domain)
- rity.com (Domain)
- welivesecurity.com (Domain)
- y3vyaw9zaxr5.example.com (Domain)
- Agribusiness (Industry)
- Consumer Products (Industry)
- Financial (Industry)
- Financial Services (Industry)
- Government (Industry)
- Hospitality (Industry)
- Manufacturing (Industry)
- 103.119.47.104 (Ipv4)
- 139.162.11.152 (Ipv4)
- 139.99.33.239 (Ipv4)
- 142.91.98.77 (Ipv4)
- 166.88.77.186 (Ipv4)
- 194.68.26.241 (Ipv4)
- 38.60.245.37 (Ipv4)
- 80.255.3.87 (Ipv4)
- Backdoor.Win32.Denis (Malware)
- Backdoor.Win32.Gulpix (Malware)
- China Chopper (Malware)
- Cobalt Strike (Malware)
- Denis (Malware)
- Komprogo (Malware)
- Mirai (Malware)
- Morris Worm (Malware)
- P8loader (Malware)
- Phoreal (Malware)
- PlugX (Malware)
- Powerseal (Malware)
- Soundbite (Malware)
- Spectralviper (Malware)
- Trojan-ArcBomb (Malware)
- Windshield (Malware)
- DonutLoader (Tool)
- FireAnt MetaKit (Tool)
- OneDrive (Tool)
- Cobalt Strike Beacon (Tool)
- DtlCrashCatch.dll (Tool)
- Dtlupdate.exe (Tool)
- ExtExport.exe (Tool)
- IntelAudioService.exe (Tool)
- Metakit.exe (Tool)
- Meterpreter (Tool)
- Mshta.exe (Tool)
- Nslookup.exe (Tool)
- OneDrive.Sync.Service.exe (Tool)
- PowerShell (Tool)
- ProcDump (Tool)
- Rundll-ng (Tool)
- Toolbox.exe (Tool)
- Windbg.exe (Tool)
- 018433e8e815d9d2065e57b759202edc (Md5)
- 1a4d58e281103fea2a4ccbfab93f74d2 (Md5)
- 5394b09cf2a0b3d1caaecc46c0e502e3 (Md5)
- 5421781c2c05e64ef20be54e2ee32e37 (Md5)
- 6baafffa7bf960dec821b627f9653e44 (Md5)
- facec411b6d6aa23ff80d1366633ea7a (Md5)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1053.005 - Scheduled Task (Mitre Attack)
- T1055 - Process Injection (Mitre Attack)
- T1056.001 - Keylogging (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.007 - JavaScript (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1070.001 - Clear Windows Event Logs (Mitre Attack)
- T1071.001 - Web Protocols (Mitre Attack)
- T1071.004 - DNS (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1189 - Drive-by Compromise (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1218.005 - Mshta (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- T1566.001 - Spearphishing Attachment (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- AmiBroker (Platform)
- Blogspot (Platform)
- Google Apps (Platform)
- Linux (Platform)
- MacOS (Platform)
- MetaStock (Platform)
- MetaTrader (Platform)
- Microsoft SQL Server (Platform)
- Microsoft Word (Platform)
- Windows (Platform)