Full Report
The Vietnam-aligned threat actor known as OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER. The campaigns involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026, as well as a supply chain attack
Analysis Summary
# Threat Actor: OceanLotus
## Attribution & Identity
* **Name:** OceanLotus
* **Aliases:** APT32, SeaLotus, Canvas Cyclone
* **Known Associations:** Linked by Meta in 2020 to a Vietnamese IT firm named **CyberOne Group** (also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited).
* **Country of Origin:** Vietnam (Vietnam-aligned).
## Activity Summary
OceanLotus has demonstrated a recent strategic shift toward domestic espionage within Vietnam. Two primary campaigns were identified between mid-2024 and early 2026:
1. **Infrastructure Espionage:** A prolonged operation (mid-2024 to February 2026) targeting a major Vietnamese infrastructure and transport construction corporation.
2. **FireAnt Supply Chain Attack:** A selective supply chain compromise (October 2025 to March 2026) leveraging the "FireAnt Metakit" platform to deliver malware to specific stock investors.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Hijacking legitimate software update mechanisms (FireAnt Metakit) to deliver malicious binaries.
* **DLL Side-Loading:** Utilizing legitimate applications to load malicious DLLs to bypass security detections.
* **Watering Hole Attacks:** Historically used to profile visitors of interest (media, human rights organizations).
* **Digital Profiling:** Profiling site visitors before delivering specific payloads.
* **Malicious Package Injection:** Uploading malicious packages (e.g., ZiChatBot) to public repositories like PyPI to compromise developer environments.
* **Lack of Integrity Validation:** Exploiting software that lacks signature/integrity validation for update files (`version.xml`).
* **Reconnaissance:** Automated host reconnaissance following initial infection to determine the value of the target.
## Targeting
* **Sectors:** Local infrastructure, transport construction, financial/stock trading, media, human rights, and civil society.
* **Geography:** Primarily Vietnam (Domestic) and Southeast Asia (ASEAN nations).
* **Victims:**
  * Vietnamese stock investors using FireAnt Metakit.
  * Vietnamese infrastructure and transport construction corporations.
  * Human rights defenders, dissidents, and NGOs.
  * Public companies in Vietnam.
## Tools & Infrastructure
* **Malware Families:**
  * **SPECTRALVIPER:** A sophisticated backdoor used in recent 2024-2026 campaigns.
  * **ZiChatBot:** Delivered via malicious PyPI packages.
  * **SOUNDBITE** (Denis), **PHOREAL** (Rizzo), **WINDSHIELD** (Remy).
* **Infrastructure:**
  * **Update Server:** `metakit.fireant[.]vn/Software/version.xml`
  * **Update Binary:** `setup.exe` (tampered)
  * **C2/Staging:** Use of HTTP POST requests to staging servers for next-stage payload delivery.
## Implications
OceanLotus remains a persistent and evolving threat despite public exposure in 2020. The recent focus on domestic Vietnamese entities—specifically financial investors and critical infrastructure—suggests a shift toward internal stability and economic intelligence. Their ability to execute supply chain attacks and compromise local software ecosystems indicates a high level of technical sophistication and deep access within the regional digital landscape.
## Mitigations
* **Code Signing & Integrity:** Developers must implement cryptographic signature validation for all software updates to prevent the execution of tampered binaries.
* **Endpoint Detection and Response (EDR):** Deploy EDR solutions to monitor for DLL side-loading activities and suspicious parent-child process relationships (e.g., a legitimate update tool launching unsigned downloaders).
* **Supply Chain Risk Management:** Organizations should audit third-party software update mechanisms and restrict automated updates from untrusted or unvalidated sources.
* **Network Monitoring:** Monitor for HTTP POST requests to unrecognized external domains that transmit system reconnaissance data.
* **Repository Scanning:** Use security tools to scan developer environments for malicious PyPI or NPM packages.
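The "Lack of Integrity Validation" TTP above and the "Code Signing & Integrity" mitigation describe the same weakness from two sides: an update client that parses whatever `version.xml` the server returns and runs the `setup.exe` it names. The following Go program is an added example written for this summary; it is not FireAnt's code, and the manifest element names (`update`, `version`, `url`, `sha256`), the key handling and the sample binaries are assumptions constructed for illustration. It contrasts the trusting parser with a hardened path that verifies an Ed25519 signature over the raw manifest bytes before parsing, then checks the downloaded binary against the digest the signed manifest names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest mirrors a minimal version.xml. The element names are an
// assumption for this example; the real manifest layout is not on the page.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// parseManifestTrusting is the weak pattern: whatever the update server
// returns is parsed and acted on, so whoever controls the server (or the
// path to it) chooses which binary the client fetches and runs.
func parseManifestTrusting(manifestXML []byte) (Manifest, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// NewSigningKey creates the vendor's Ed25519 key pair. In production the
// private key stays in the release pipeline; only the public key ships
// pinned inside the client.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest produces the detached signature published beside
// version.xml (for example as version.xml.sig, an assumed file name).
func SignManifest(priv ed25519.PrivateKey, manifestXML []byte) []byte {
	return ed25519.Sign(priv, manifestXML)
}

// BuildManifest renders a manifest whose digest is derived from the bytes
// the vendor actually built, so the manifest and binary are bound together.
func BuildManifest(version, url string, binary []byte) []byte {
	sum := sha256.Sum256(binary)
	return []byte(fmt.Sprintf(
		"<update><version>%s</version><url>%s</url><sha256>%s</sha256></update>",
		version, url, hex.EncodeToString(sum[:])))
}

// VerifyUpdate is the hardened client path: signature first, parse second,
// binary digest third. Any failure aborts before setup.exe is executed.
func VerifyUpdate(pub ed25519.PublicKey, manifestXML, sig, binary []byte) (Manifest, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	m, err := parseManifestTrusting(manifestXML)
	if err != nil {
		return Manifest{}, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return Manifest{}, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(binary)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return Manifest{}, errors.New("binary digest mismatch: refusing update")
	}
	return m, nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for setup.exe and its manifest.
	genuine := []byte("genuine setup.exe bytes (constructed sample)")
	manifest := BuildManifest("2.1.0", "https://updates.example.invalid/setup.exe", genuine)
	sig := SignManifest(priv, manifest)
	if _, err := VerifyUpdate(pub, manifest, sig, genuine); err != nil {
		panic(err)
	}
	fmt.Println("genuine update accepted")

	// A swapped binary fails the digest check even with an intact manifest.
	tampered := []byte("replaced setup.exe (constructed sample)")
	_, err = VerifyUpdate(pub, manifest, sig, tampered)
	fmt.Println("tampered binary:", err)

	// A rewritten manifest fails the signature check before it is parsed;
	// the trusting parser would simply follow its URL.
	forged := BuildManifest("2.1.0", "https://evil.example.invalid/setup.exe", tampered)
	_, err = VerifyUpdate(pub, forged, sig, tampered)
	fmt.Println("forged manifest:", err)
	m, _ := parseManifestTrusting(forged)
	fmt.Println("trusting client would fetch:", m.URL)
}
```

The ordering matters: the signature is checked over the exact bytes received, before any XML parsing, so a forged or modified manifest never reaches the parser, and the binary digest is compared in constant time against the value the signed manifest carries rather than against anything the server sends separately. Rotating the pinned public key is the remaining operational concern and belongs in the same signed channel.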