OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack
https://thehackernews.com/2026/06/oceanlotus-hits-vietnam-investors-with.html
Publish Date: 2026-06-11 05:45:00
Source Domain: thehackernews.com
Two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER have been attributed to the Vietnam-aligned threat actor known as OceanLotus.
The campaigns involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026, as well as a supply chain attack leveraging FireAnt Metakit, a popular software platform used by stock investors in Vietnam. The second activity cluster took place from October 2025 to March 2026.
The two sets of attacks represent a shift in operational focus, per ESET, with the threat actor placing an increasing emphasis on domestic espionage rather than external targets. The group, active since 2012, also has a history of targeting China.
“Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling,” the Slovakian cybersecurity company said in a report shared with The Hacker News.
Prior attacks orchestrated by the adversarial collective have leveraged watering holes to digitally profile site visitors, with a specific focus on hundreds of individuals and organizations tied to media, human rights, and civil society causes in 2017 and 2018. Other campaigns have singled out Vietnamese human rights defenders and dissidents.
In December 2020, Meta linked OceanLotus’ activities to a Vietnamese IT company named CyberOne Group, which is also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited. Although the company denied the allegations, the public exposure led to the group going off the grid for nearly three years.
Some of the key tools in its arsenal include SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and, more recently, SPECTRALVIPER, which was first documented by Elastic Security Labs in…