From external espionage to domestic targeting
Essential information
- Published
- 11/06/2026 14:15
- Modified
- 11/06/2026 14:40
- Tags
- 2026-06-11 apt32 fireant metakit phoreal soundbite stock investors supply chain attack
- Related entities
- 1 vulnerabilities (cve), 16 observables, 1 intrusion sets (apt), 16 techniques (mitre), 5 malware, 166 others
Description
Analysis of OceanLotus activities from 2024-2026 reveals a strategic shift toward domestic espionage within Vietnam. The Vietnam-aligned APT group conducted two distinct campaigns using the SPECTRALVIPER backdoor: a supply-chain attack compromising FireAnt Metakit stock trading platform from October 2025 to March 2026, and a prolonged intrusion into a Vietnamese infrastructure and transport construction corporation from mid-2024 through January 2026. The FireAnt compromise exploited the platform's insecure update mechanism, targeting stock investors with selective deployment. This operational pivot coincides with Vietnam's Blazing Furnace anti-corruption campaign, suggesting possible alignment with domestic investigative efforts against financial crime. The group continues demonstrating sophisticated tactics despite public exposure of its front company in 2020, maintaining technical innovation in tooling and infrastructure.