OceanLotus Shifts Focus: Vietnamese APT Group Targets Domestic Entities and Stock Investors
The Vietnam-aligned threat actor, **OceanLotus**, also known as **APT32**, has been linked to two sophisticated campaigns targeting domestic Vietnamese entities. These operations, uncovered by **ESET**, involve a long-term cyber espionage effort against a major infrastructure firm and a supply chain attack leveraging the popular **FireAnt Metakit** software, both deploying the advanced **SPECTRALVIPER** backdoor.

The notorious Vietnam-aligned threat actor, **OceanLotus**, has reportedly shifted its operational focus, intensifying its targeting of domestic entities. According to research by **ESET**, the group is behind two distinct campaigns, both utilizing the sophisticated **SPECTRALVIPER** backdoor.
These campaigns include a prolonged cyber espionage operation against a Vietnamese infrastructure and transport construction corporation, spanning from mid-2024 to February 2026. Concurrently, **OceanLotus** executed a supply chain attack from October 2025 to March 2026, compromising **FireAnt Metakit**, a widely used software platform among Vietnamese stock investors.
### A Strategic Shift in Targeting
This marks a notable change in **OceanLotus**'s modus operandi, which has historically focused on external targets, including China, since its inception in 2012. **ESET** noted, "Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling."
Previous **OceanLotus** activities have involved watering hole attacks to profile individuals and organizations linked to media, human rights, and civil society in Southeast Asia. The group has also specifically targeted Vietnamese human rights defenders and dissidents.
In December 2020, **Meta** publicly linked **OceanLotus**'s activities to a Vietnamese IT company, **CyberOne Group**. Although **CyberOne Group** denied the allegations, this exposure led to a nearly three-year period of reduced activity from the threat group.
### **OceanLotus**'s Evolving Toolset
**OceanLotus**'s arsenal has evolved over time, including tools like **SOUNDBITE** (aka **Denis**), **PHOREAL** (aka **Rizzo**), and **WINDSHIELD** (aka **Remy**). More recently, the group adopted **SPECTRALVIPER**, first documented by **Elastic Security Labs** in June 2023, in campaigns targeting Vietnamese public companies.

Further evidence of the group's ongoing evolution came last month when **Kaspersky** identified three malicious packages on the **Python Package Index (PyPI)** repository. These packages delivered a new malware family, **ZiChatBot**, with a dropper sharing a "64% similarity" to a dropper previously used by **OceanLotus**.
### The **FireAnt Metakit** Supply Chain Attack
**ESET**'s investigation into the **FireAnt Metakit** supply chain attack indicates it ran from early October 2025 to March 2026. The attackers exploited the software's legitimate update URL to selectively distribute **SPECTRALVIPER** to a small subset of stock investors.
The weakness lay in the **FireAnt** update configuration file ("metakit.fireant[.]vn/Software/version.xml"), which carried no integrity or signature check for the update binary ("setup.exe"): the client executed whatever binary the manifest referenced, so the malicious downloader ran as a legitimate update.
"Due to the absence of signature validation, Metakit.exe executed the malicious downloader as a legitimate update," **ESET** explained. "Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload."
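The defect ESET describes is an update client that trusts a manifest and the binary it points to without any integrity or signature check. The following added example (not FireAnt's or ESET's code) shows the minimal client-side check that would have refused such an update: the manifest must carry a hash of the binary and an authenticated signature over the version, URL and hash, and the downloaded file must match that hash before anything is executed. The layout of the `version.xml` manifest is constructed for the example, since the article gives only its path, and HMAC-SHA256 with a publisher-held key stands in for the asymmetric code signature (Authenticode or a signed manifest) a real client would verify.

```python
"""
Added example: a minimal update-manifest checker that refuses to run an
update binary unless the manifest carries an integrity hash and an
authenticated signature that both verify.

Assumptions: the version.xml layout below is constructed for this example
(the article gives only the manifest path, not its contents), and
HMAC-SHA256 with a publisher-held key stands in for the asymmetric code
signature a real client would verify with a public key.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the publisher's signing key; a real client would
# hold only a public key and verify an asymmetric signature.
PUBLISHER_KEY = b"constructed-example-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest_fields(version: str, url: str, digest: str) -> str:
    """Publisher side: bind version, download URL and binary hash together."""
    msg = f"{version}|{url}|{digest}".encode()
    return hmac.new(PUBLISHER_KEY, msg, hashlib.sha256).hexdigest()


def verify_update(manifest_xml: str, binary: bytes) -> tuple[bool, str]:
    """Client side: return (ok, reason). Only ok=True may lead to execution."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as e:
        return False, f"malformed manifest: {e}"
    version = root.findtext("version")
    url = root.findtext("url")
    digest = root.findtext("sha256")
    signature = root.findtext("signature")
    # Weak manifest: no integrity data at all. Refuse rather than trust the URL.
    if not (version and url and digest and signature):
        return False, "manifest lacks sha256/signature; refusing unsigned update"
    expected = sign_manifest_fields(version, url, digest)
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    # A swapped binary on the download path fails here even if the manifest is intact.
    if not hmac.compare_digest(sha256_hex(binary), digest):
        return False, "downloaded binary does not match signed hash"
    return True, f"update {version} verified"


# --- constructed sample data -------------------------------------------------
GOOD_BINARY = b"MZ...constructed stand-in for setup.exe..."
TAMPERED_BINARY = b"MZ...constructed stand-in for a swapped setup.exe..."
UPDATE_URL = "https://updates.example.invalid/Software/setup.exe"

# Manifest in the weak form: version and URL only, nothing the client can verify.
WEAK_MANIFEST = """<update><version>1.2.3</version>
<url>https://updates.example.invalid/Software/setup.exe</url></update>"""


def build_signed_manifest(version: str, url: str, binary: bytes) -> str:
    """Publisher side: emit a manifest carrying the binary hash and a signature."""
    digest = sha256_hex(binary)
    sig = sign_manifest_fields(version, url, digest)
    return (f"<update><version>{version}</version><url>{url}</url>"
            f"<sha256>{digest}</sha256><signature>{sig}</signature></update>")


SIGNED_MANIFEST = build_signed_manifest("1.2.3", UPDATE_URL, GOOD_BINARY)

if __name__ == "__main__":
    print(verify_update(WEAK_MANIFEST, GOOD_BINARY))       # rejected: unsigned
    print(verify_update(SIGNED_MANIFEST, GOOD_BINARY))     # accepted
    print(verify_update(SIGNED_MANIFEST, TAMPERED_BINARY)) # rejected: hash mismatch
```

The point of binding the hash into the signed fields is that an attacker who controls the update URL cannot substitute `setup.exe` without also producing a valid signature, and an unsigned manifest is rejected outright instead of being accepted for backward compatibility.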

The subsequent payload initiated a DLL side-loading chain, using a legitimate binary to launch a rogue DLL (**DtlCrashCatch.dll**). This DLL then injected itself into the **OneDrive.Sync.Service.exe** process, triggering **SPECTRALVIPER**'s execution. The backdoor established contact with a command-and-control (C2) server ("financemachinelearning[.]com") to exfiltrate encrypted host information.
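The execution chain above (a rogue DLL loaded from an unexpected location, a thread created in `OneDrive.Sync.Service.exe` by an unrelated process, and a DNS lookup of the C2 domain) is the kind of sequence endpoint telemetry can surface. The following added example (not ESET's code) runs three simple rules over constructed Sysmon-style event records, using only the file name, process name and domains named in the article as indicators; the record layout, field names and paths are constructed for the example and real Sysmon events carry more fields.

```python
"""
Added example: a small rule set that scans Sysmon-style event records for
the behaviours the article describes: a rogue DLL (DtlCrashCatch.dll)
loaded from outside the usual system directories, a remote thread created
in OneDrive.Sync.Service.exe by an unrelated process, and DNS lookups of
the two C2 domains named in the report.

The event records, field names and paths below are constructed for the
example; real Sysmon events carry more fields and different casing.
"""
from dataclasses import dataclass

# Indicators taken from the article text (defanged brackets removed).
C2_DOMAINS = {"financemachinelearning.com", "gatewayrvcenter.com"}
SIDELOADED_DLLS = {"dtlcrashcatch.dll"}
INJECTION_TARGETS = {"onedrive.sync.service.exe"}
# Directories from which a legitimate Windows DLL load would normally originate.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    event_id: int            # Sysmon ID: 7=ImageLoad, 8=CreateRemoteThread, 22=DNSQuery
    image: str               # process performing the action
    image_loaded: str = ""   # for ImageLoad
    target_image: str = ""   # for CreateRemoteThread
    query_name: str = ""     # for DNSQuery


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[str]:
    """Return alert strings for one event (empty list = nothing suspicious)."""
    alerts = []
    if ev.event_id == 7:
        dll = basename(ev.image_loaded)
        from_trusted = ev.image_loaded.lower().startswith(TRUSTED_DIRS)
        if dll in SIDELOADED_DLLS and not from_trusted:
            alerts.append(f"sideload: {ev.image} loaded {dll} from {ev.image_loaded}")
    elif ev.event_id == 8:
        target = basename(ev.target_image)
        # A process creating a thread in itself is normal; a different image is not.
        if target in INJECTION_TARGETS and basename(ev.image) != target:
            alerts.append(f"injection: {ev.image} created thread in {target}")
    elif ev.event_id == 22:
        if ev.query_name.lower().rstrip(".") in C2_DOMAINS:
            alerts.append(f"c2-dns: {ev.image} resolved {ev.query_name}")
    return alerts


def scan(events: list[Event]) -> list[str]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry: benign lines of each type plus the suspicious ones.
SAMPLE_EVENTS = [
    Event(7, "C:\\Windows\\System32\\svchost.exe",
          image_loaded="C:\\Windows\\System32\\kernel32.dll"),
    Event(7, "C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
          image_loaded="C:\\Users\\u\\AppData\\Local\\Temp\\DtlCrashCatch.dll"),
    Event(8, "C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe",
          target_image="C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe"),
    Event(8, "C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
          target_image="C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe"),
    Event(22, "C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe",
          query_name="financemachinelearning.com"),
    Event(22, "C:\\Windows\\System32\\svchost.exe", query_name="update.microsoft.com"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The DNS rule is the most brittle of the three, since infrastructure changes between campaigns; the side-load and injection rules key on behaviour (a DLL name outside its expected directory, a foreign process writing into a sync-service process) and are the ones worth keeping once the listed domains are retired.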
No further malicious updates have been observed through the compromised channel since March 9, 2026, suggesting the conclusion of this specific campaign.
### Targeting a Vietnamese Transport Construction Corporation
Separately, **OceanLotus** has been implicated in a campaign targeting an unnamed Vietnamese infrastructure and transport construction firm. This operation commenced as early as November 2024, with the threat actor maintaining covert access until February 2026. While the initial access vector remains unconfirmed, the exploitation of remote code execution vulnerabilities in a public-facing **Microsoft SQL server** is suspected.
Similar to the **FireAnt** attack, this campaign also deployed the **SPECTRALVIPER** backdoor via DLL side-loading. **ESET** identified three distinct variants across multiple compromised hosts within the network. This malware communicated with a C2 server ("gatewayrvcenter[.]com") to transmit host-profiling data and receive further instructions.
**SPECTRALVIPER** also demonstrated capabilities for lateral movement and acted as a loader, injecting additional binaries or shellcode retrieved from the C2 server into target processes.
"Overall, the available evidence points to a potential shift in **OceanLotus**'s operational patterns," **ESET** concluded. "Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets."