OceanLotus and the remarkable strategic shift in Vietnam's cyberspace

Campaign overview
For many years, OceanLotus (APT32) has been known as one of the most prominent cyber espionage groups in Southeast Asia, regularly appearing in reports about intelligence-gathering activity against foreign organizations and businesses. However, the latest findings from ESET show a notable change in the group's operating strategy. Instead of concentrating on international targets as before, OceanLotus is shifting its focus to domestic targets, especially in the finance and critical infrastructure sectors.
Through supply chain attack campaigns and the deployment of the SPECTRALVIPER backdoor, the group demonstrated the ability to accurately select targets, maintain long-term presence, and gather strategically valuable information. These developments not only reflect a change in the way OceanLotus operates but also pose new challenges to cybersecurity in Vietnam.
Who is OceanLotus (APT32)?
Who is OceanLotus?
OceanLotus, also known by the identifiers APT32, SeaLotus or Cobalt Kitty, is an Advanced Persistent Threat (APT) group that has been tracked by the international cybersecurity community since around 2012. During more than a decade of operation, this group has become one of the most prominent threat actors in Southeast Asia thanks to its ability to conduct sustained, sophisticated and highly targeted cyber espionage campaigns.
Activity history
The first traces of OceanLotus were recorded in the early 2010s, when many organizations in Southeast Asia became targets of spear-phishing campaigns and customized malware. From 2014 onwards, the group's activities have increasingly expanded in both scale and geographical scope, targeting government agencies, private businesses, research organizations, media and individuals with high intelligence value.
During the period 2016–2020, OceanLotus continuously appeared in reports of many major security firms such as ESET, FireEye, CrowdStrike, Kaspersky, Volexity and Cybereason. The recorded campaigns span many countries in Asia, North America and Europe, with the primary goal of gathering political, economic and strategic intelligence.
After 2020, the group's public activities decreased significantly. However, recent studies show that OceanLotus has not diminished in capacity but is shifting to a more discreet operating model, choosing targets more carefully and focusing on campaigns that bring high intelligence value.
Goals and motives
Unlike ordinary cybercrime groups, which usually aim for direct financial profit, OceanLotus is assessed to operate on a cyber espionage model. The main goal of its campaigns is to collect information from organizations or individuals of strategic value.
Areas that have been targeted by the group include:
Government and diplomatic agencies.
Technology enterprises.
Energy and telecommunications.
Critical infrastructure.
Finance and investment.
Research and academic institutions.
Media and journalism.
Techniques and methods of operation
One of OceanLotus's hallmarks is its ability to combine several attack techniques within the same campaign, both to raise the success rate and to prolong its presence on the victim's systems.
Techniques commonly used by the group include:
Spear-Phishing: OceanLotus often uses emails specifically designed for each target, attaching documents or links containing malicious code. Email content is often directly related to the victim's field of activity to increase interaction.
Watering Hole Attack: The group has repeatedly infiltrated websites that the target frequently visits, then inserted malicious code or redirected users to the attacker's control infrastructure.
Supply Chain Attack: This is a prominent technique in recent campaigns. Instead of directly attacking victims, OceanLotus infiltrates software providers or intermediary services to distribute malicious code through legitimate update channels. The FireAnt MetaKit campaign is a good example of this approach.
Living-off-the-Land: OceanLotus often abuses legitimate tools already present on the operating system to reduce the chance of detection. This lets the group's activity blend in with the system's normal behaviour.
Event timeline
| Date | Event | Significance |
|---|---|---|
| 2020 | Multiple public reports from cybersecurity vendors and social media platforms exposed infrastructure, tools, and activities associated with OceanLotus. | Marked a period of increased international scrutiny and attribution efforts against the group. |
| 2020–2023 | Publicly observed OceanLotus operations significantly decreased. | The group shifted toward more covert operations, reducing exposure of its infrastructure and toolsets. |
| Mid-2024 | ESET identified a long-term intrusion targeting a Vietnamese infrastructure and transportation construction company. | Indicated a strategic shift toward domestic targets and critical sectors. |
| Late 2024 | SPECTRALVIPER was deployed to maintain access and conduct intelligence collection. | Revealed the emergence of a new flagship backdoor used in OceanLotus operations. |
| Early 2025 | Surveillance and intelligence-gathering activities continued within compromised environments. | Demonstrated the group's focus on long-term persistence and espionage. |
| October 2025 | The update infrastructure of FireAnt MetaKit was compromised. | Marked the beginning of a supply chain attack targeting Vietnam's investor community. |
| October 2025 – March 2026 | Trojanized software updates were distributed to FireAnt MetaKit users. | OceanLotus leveraged trusted software update mechanisms to reach selected victims. |
| Late 2025 | A malicious loader was used to deploy SPECTRALVIPER on targeted systems. | Only carefully selected, high-value targets proceeded to the next stage of compromise. |
| Early 2026 | OceanLotus maintained communication with command-and-control (C2) servers and collected intelligence from compromised victims. | Represented the primary espionage and intelligence-gathering phase of the campaign. |
| March 2026 | The FireAnt MetaKit operation concluded or transitioned to new infrastructure. | Suggested operational changes, infrastructure rotation, or the start of a new campaign phase. |
| June 2026 | ESET published the report "OceanLotus: From External Espionage to Domestic Targeting". | Provided the first detailed public analysis of OceanLotus's increasing focus on domestic targets. |
FireAnt MetaKit and SPECTRALVIPER Campaign
Attack methods and malware ecosystem
Unlike mass malware distribution campaigns, OceanLotus applies a "selective targeting" strategy. Instead of infecting as many victims as possible, the group focuses on individuals or organizations identified in advance as having high intelligence value.
In the campaign documented by ESET, FireAnt MetaKit served as the initial entry point. This is a platform widely used by the stock investor community in Vietnam. By compromising the software's update server, OceanLotus was able to distribute malicious code through legitimate updates without arousing suspicion from users.
It is worth noting that the malware is not deployed immediately on every system that receives the update. Instead, intermediate components assess the target environment before the next stages are activated. This indicates that OceanLotus is deliberately minimizing the chance of detection and reserving its resources for targets it considers truly valuable.
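The supply chain step above works because the client trusts whatever the update server serves. The following added example (not code from ESET or from FireAnt; the manifest format, hostnames and package bytes are all constructed) shows the checks an update client can apply so that a manifest rewritten on a compromised server is not enough to get a trojanized package installed:

```python
"""Update-manifest integrity check (added example; the manifest format is hypothetical,
not FireAnt MetaKit's real version.xml)."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed manifest template in a made-up format; {scheme} and {sha} are filled below.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<update>
  <version>2.4.1</version>
  <url>{scheme}://updates.example.invalid/Software/MetaKit-2.4.1.exe</url>
  <sha256>{sha}</sha256>
</update>"""

# Constructed stand-ins for a genuine and a trojanized installer.
GENUINE_PACKAGE = b"constructed genuine installer bytes"
TROJANIZED_PACKAGE = b"constructed trojanized installer bytes"

# Assumption: the vendor publishes release hashes through a channel independent of
# the update server (for example a signed release page), which the client pins.
PINNED_SHA256 = {hashlib.sha256(GENUINE_PACKAGE).hexdigest()}
ALLOWED_HOSTS = {"updates.example.invalid"}

def build_manifest(package, scheme="http"):
    """Fill the constructed template with the hash of `package` (demo helper)."""
    return SAMPLE_MANIFEST.format(scheme=scheme, sha=hashlib.sha256(package).hexdigest())

def check_update(manifest_xml, package, pinned=PINNED_SHA256, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of problems; an empty list means the update may be applied."""
    problems = []
    root = ET.fromstring(manifest_xml)
    url = urlparse(root.findtext("url", default=""))
    if url.scheme != "https":
        problems.append("manifest points to a non-HTTPS download URL")
    if url.hostname not in allowed_hosts:
        problems.append(f"download host {url.hostname!r} is not an allowed update host")
    actual = hashlib.sha256(package).hexdigest()
    if actual != (root.findtext("sha256") or "").lower():
        problems.append("package hash does not match the manifest")
    # A compromised update server can rewrite the manifest hash as well, so the
    # package must also match a hash obtained outside the update channel.
    if actual not in pinned:
        problems.append("package hash is not in the out-of-band pinned list")
    return problems

if __name__ == "__main__":
    # Trojanized package served with a manifest the attacker rewrote to match it.
    for p in check_update(build_manifest(TROJANIZED_PACKAGE), TROJANIZED_PACKAGE):
        print("REJECT:", p)
```

The manifest-hash comparison alone passes for the rewritten manifest; only the out-of-band pin (or, in a real client, a signature over the package) catches the swap.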
Deploying SPECTRALVIPER
After the initial intrusion was successful, OceanLotus deployed SPECTRALVIPER – the backdoor identified as the central component of the campaign.
According to ESET, SPECTRALVIPER is not a single piece of malware but an espionage platform built on a modular architecture. This gives the operators the flexibility to extend functionality for specific targets without changing the entire toolkit.
Step 1 – Loader activation
After the malicious update obtained via http://metakit.fireant.vn/Software/version.xml is installed, the loader is executed on the victim system.
Main functions:
Check the execution environment.
Determine the operating system.
Collect initial information.
Evaluate target value.
Prepare to download the main malware.
Step 2 – Collect system information
Before fully activating the backdoor, the malware performs reconnaissance operations to understand the target environment.
The data collected includes:
Computer name.
User account.
Windows version.
Domain information.
IP address.
Active processes.
List of security software.
The purpose of this phase is to determine whether the system belongs to the desired target group.
Step 3 – Register with the control server
Once profiling is complete, SPECTRALVIPER establishes communication with the Command and Control (C2) infrastructure.
Connections are made through:
HTTP/HTTPS.
Encrypted transmission channel.
Periodic Beacons.
Purpose:
Receive commands from the operator.
Download new modules.
Submit collected data.
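The periodic beacons described in Step 3 are one of the few things a backdoor cannot hide from a proxy log, even over an encrypted channel. The following added example (not from ESET's report; the log lines, addresses and thresholds are constructed) groups outbound connections by source and destination and flags pairs whose inter-arrival timing is too regular to be human browsing:

```python
"""Periodic-beacon hunt over proxy log lines (added example, not from ESET's report)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <src> <dst> <method> <uri>".
# The first six show a ~300 s beacon; the rest look like ordinary browsing.
SAMPLE_LOG = """\
2026-01-10T08:00:00 10.0.5.21 203.0.113.10 POST /api/v1/ping
2026-01-10T08:05:01 10.0.5.21 203.0.113.10 POST /api/v1/ping
2026-01-10T08:10:00 10.0.5.21 203.0.113.10 POST /api/v1/ping
2026-01-10T08:14:59 10.0.5.21 203.0.113.10 POST /api/v1/ping
2026-01-10T08:20:02 10.0.5.21 203.0.113.10 POST /api/v1/ping
2026-01-10T08:25:00 10.0.5.21 203.0.113.10 POST /api/v1/ping
2026-01-10T08:00:13 10.0.5.21 93.184.216.34 GET /index.html
2026-01-10T08:00:14 10.0.5.21 93.184.216.34 GET /style.css
2026-01-10T08:47:30 10.0.5.21 93.184.216.34 GET /news
2026-01-10T09:31:07 10.0.5.21 93.184.216.34 GET /news/2
2026-01-10T11:02:44 10.0.5.21 93.184.216.34 GET /about
2026-01-10T11:02:45 10.0.5.21 93.184.216.34 GET /contact
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return flows

def inter_arrival(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def beacon_score(timestamps):
    """Coefficient of variation of the gaps; near 0 means clockwork timing."""
    gaps = inter_arrival(timestamps)
    if len(gaps) < 3 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def find_beacons(log_text, min_conns=5, max_cv=0.05):
    """Return [(src, dst, period_seconds)] for pairs whose timing looks like a beacon."""
    hits = []
    for (src, dst), ts in parse(log_text).items():
        cv = beacon_score(ts)
        if len(ts) >= min_conns and cv is not None and cv <= max_cv:
            hits.append((src, dst, round(statistics.mean(inter_arrival(ts)))))
    return hits
```

Real implants add jitter, so in production the threshold is tuned per environment and combined with destination reputation and newly-seen-domain checks rather than used alone.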
Escalating access and exploiting the target
Internal environment survey
After establishing a foothold in the system, OceanLotus moves into the information exploitation phase. This is the longest phase of the campaign and also the final goal of the entire attack chain.
The backdoor collects information about:
File system.
Internal servers.
Network shares.
Shared resources.
Domain users.
These activities help operators understand the infrastructure of the compromised organization.
Maintain long-term access
One outstanding characteristic of OceanLotus is its ability to maintain presence over long periods of time.
The group uses several persistence techniques, such as:
Registry Run Keys.
Scheduled Tasks.
Startup components.
Periodically reconnect to C2.
As a result, the malware survives system restarts.
Collecting and exfiltrating data
Once the survey is complete, OceanLotus begins collecting valuable data.
For investors:
Transaction information.
Financial data.
Customer profiles.
Investment portfolio.
For infrastructure businesses:
Project profiles.
Technical documents.
Investment plans.
Bidding information.
The data is then sent back to the control infrastructure via encrypted connections to reduce the possibility of detection.
Why did OceanLotus switch to a domestic target?
One of the biggest questions is the reason behind this change in strategy. Several hypotheses have been put forward:
Collect economic intelligence: Information about financial markets, investment activities and infrastructure projects has great strategic value.
High-value targets: Infrastructure businesses and investment platforms often store large amounts of sensitive data.
More selective campaigns: Instead of targeting large numbers of victims, the group concentrates on the targets most likely to yield important information.
Reduced exposure to international attention: Operating within a narrower scope reduces the risk of being tracked and made public by international organizations.
Impact on Vietnam's cybersecurity
The new findings show that domestic organizations are no longer secondary targets in APT campaigns. Businesses therefore need to pay particular attention to software supply chain risk, the risk of prolonged intrusion, the collection of strategic data, and the abuse of legitimate software as a channel for delivering malicious code.
For SOCs and Blue Teams, strengthening threat hunting, monitoring unusual traffic, and verifying software integrity are necessary measures.
Conclusion
ESET's new findings suggest that OceanLotus is entering a new phase of operations with a focus on domestic targets. The use of supply chain attacks with the SPECTRALVIPER backdoor reflects the group's high level of sophistication and ability to deploy sustained espionage campaigns.
While the ultimate goals of these campaigns have not yet been fully determined, the trend toward focusing on the financial and infrastructure sectors suggests that economic intelligence may be becoming a new priority. In the context of APT threats becoming increasingly sophisticated and difficult to detect, findings from ESET are an important warning to the cybersecurity community and organizations in Vietnam.
Recommendations
For individual users
Only download and update software from official sources.
Regularly update operating systems and security software.
Be cautious with emails, attachments or links of unknown origin.
Immediately report to the technical department when detecting unusual signs on the device.
For businesses and organizations
Strengthen security testing and assessment for software and IT service providers.
Implement multi-factor authentication (MFA) for critical systems.
Track and monitor unusual network connections, especially traffic out to the Internet.
Regularly update IOCs and threat intelligence from reputable sources.
Develop incident response procedures and periodic drills to be ready to handle targeted attacks.
As APT groups increasingly use sophisticated and hard-to-detect techniques, the combination of security awareness, continuous monitoring and supply chain risk management will be a key factor in reducing the risk of falling victim to campaigns like OceanLotus's.
MITRE ATT&CK Mapping
| ATT&CK Tactic | Technique | ATT&CK ID | Description |
|---|---|---|---|
| Initial Access | Supply Chain Compromise | T1195 | Compromising trusted software distribution channels, as observed in the FireAnt MetaKit supply chain attack. |
| Initial Access | Spearphishing Attachment | T1566.001 | Delivering malicious payloads through targeted email attachments. |
| Execution | User Execution | T1204 | Malware execution triggered by user interaction with a file or application. |
| Execution | Command and Scripting Interpreter | T1059 | Executing commands or scripts on compromised systems. |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 | Establishing persistence through autorun mechanisms. |
| Persistence | Scheduled Task/Job | T1053.005 | Creating scheduled tasks to maintain long-term access. |
| Privilege Escalation | Scheduled Task/Job | T1053.005 | Leveraging scheduled tasks to execute with elevated privileges. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Obfuscating malware components and configuration data to evade detection. |
| Defense Evasion | Masquerading | T1036 | Disguising malicious files or processes as legitimate software. |
| Defense Evasion | Indicator Removal on Host | T1070 | Modifying or removing artifacts to reduce forensic visibility. |
| Discovery | System Information Discovery | T1082 | Collecting information about the operating system and hardware environment. |
| Discovery | File and Directory Discovery | T1083 | Enumerating files and directories on the compromised host. |
| Discovery | Process Discovery | T1057 | Identifying running processes on the target system. |
| Discovery | Network Service Discovery | T1046 | Scanning and identifying available network services. |
| Collection | Data from Local System | T1005 | Collecting documents and other locally stored data. |
| Collection | Screen Capture | T1113 | Capturing screenshots for intelligence-gathering purposes. |
| Collection | Clipboard Data | T1115 | Collecting information stored in the clipboard. |
| Credential Access | OS Credential Dumping | T1003 | Obtaining credentials from operating system credential stores. |
| Command and Control | Application Layer Protocol | T1071 | Communicating with C2 infrastructure using common application-layer protocols. |
| Command and Control | Web Protocols | T1071.001 | Leveraging HTTP/HTTPS for command-and-control communications. |
| Command and Control | Encrypted Channel | T1573 | Encrypting C2 traffic to hinder detection and analysis. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Transferring collected data through established C2 channels. |
| Exfiltration | Exfiltration to Cloud Storage | T1567.002 | Using cloud-based services to exfiltrate collected information. |
| Impact | Data Manipulation | T1565 | Modifying software components or data within the supply chain compromise. |
IOC
File Hash (SHA-1)
IP addresses
Registry
HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
HKCU\SOFTWARE\Classes\CLSID{E3517E26-8E93-458D-A6DF-8030BC80528B}\
HKCU\SOFTWARE\Intel\Display\igfxcui\igfxtray\;[NUMBER];[DWORD]
Initial Dropper
Sideloaded libraries
82e579bd49d69845133c9aa8585f8bd26736437b
202fb56edb2fb542e05c845d62ffbdcfbebed9ec
References
OceanLotus: From external espionage to domestic targeting
malware-ioc/oceanlotus at master · eset/malware-ioc
Vietnam-aligned OceanLotus pivots to spy on domestic
OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack