{
  "name": "From external espionage to domestic targeting",
  "slug": "from-external-espionage-to-domestic-targeting",
  "description": "Analysis of OceanLotus activities from 2024-2026 reveals a strategic shift toward domestic espionage within Vietnam. The Vietnam-aligned APT group conducted two distinct campaigns using the SPECTRALVIPER backdoor: a supply-chain attack compromising FireAnt Metakit stock trading platform from October 2025 to March 2026, and a prolonged intrusion into a Vietnamese infrastructure and transport construction corporation from mid-2024 through January 2026. The FireAnt compromise exploited the platform's insecure update mechanism, targeting stock investors with selective deployment. This operational pivot coincides with Vietnam's Blazing Furnace anti-corruption campaign, suggesting possible alignment with domestic investigative efforts against financial crime. The group continues demonstrating sophisticated tactics despite public exposure of its front company in 2020, maintaining technical innovation in tooling and infrastructure.",
  "published": "2026-06-11T12:15:46+00:00",
  "created_at": "2026-06-11T12:15:46+00:00",
  "modified_at": "2026-06-11T12:40:19+00:00",
  "created_at_opencti": "2026-06-11T12:15:46+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-06-11",
    "apt32",
    "fireant metakit",
    "phoreal",
    "soundbite",
    "stock investors",
    "supply chain attack"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "79.143.87.233"
      },
      {
        "id": "",
        "name": "103.119.47.104"
      },
      {
        "id": "",
        "name": "38.60.245.37"
      },
      {
        "id": "",
        "name": "192.34.109.173"
      },
      {
        "id": "",
        "name": "74.121.190.150"
      },
      {
        "id": "",
        "name": "166.88.77.186"
      },
      {
        "id": "",
        "name": "79.143.87.230"
      },
      {
        "id": "",
        "name": "192.34.109.163"
      },
      {
        "id": "",
        "name": "74.121.190.130"
      },
      {
        "id": "",
        "name": "http://metakit.fireant.vn/Software/version.xml"
      },
      {
        "id": "",
        "name": "http://metakit.fireant.vn/Software/setup.exe"
      },
      {
        "id": "",
        "name": "https://financemachinelearning.com/apparatus/wind/twig/statement.html"
      },
      {
        "id": "",
        "name": "1eda0de280713470878c399d3fb6c331ba0fadd0bd9802ed98ae06218a17f3f7"
      },
      {
        "id": "",
        "name": "8b824be52de7a8723124bad5a45664c574d6e905f300c35719f1e6988887bd62"
      },
      {
        "id": "",
        "name": "2bfaf9773b7fac658ab439b9b763a92e144e5388301ca03021ef56501be3036a"
      },
      {
        "id": "",
        "name": "eb52d1791fc861e459ee14f15ef8d4819a4afde3ac7ce5e8cebdcd5f7840925f"
      }
    ],
    "malware": [
      {
        "id": "00bb43e7-c698-4fbc-9c02-f020bb4fd1ad",
        "name": "PHOREAL - S0158",
        "slug": "phoreal-s0158"
      },
      {
        "id": "4d10f72c-09b0-4ca5-a573-451e7047b66c",
        "name": "SPECTRALVIPER",
        "slug": "spectralviper"
      },
      {
        "id": "e76f5123-82fb-4d0c-8d86-0faa18fcaab3",
        "name": "SOUNDBITE - S0157",
        "slug": "soundbite-s0157"
      },
      {
        "id": "legacy:malware:6aa19ba7646969bc",
        "name": "WINDSHIELD - S0155",
        "slug": "windshield-s0155"
      },
      {
        "id": "legacy:malware:f1033653a4af2779",
        "name": "Denis - S0354",
        "slug": "denis-s0354"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9a821557-32bc-408b-b248-eaa7b91d60d3",
        "name": "APT32",
        "slug": "apt32"
      }
    ],
    "attack_patterns": [
      {
        "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56",
        "name": "T1570"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2017-11882"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Construction"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "au.charlineopkesston.com"
      },
      {
        "id": "",
        "name": "cdn-tynt.com"
      },
      {
        "id": "",
        "name": "office.ourkekwiciver.com"
      },
      {
        "id": "",
        "name": "labs-apnic.net"
      },
      {
        "id": "",
        "name": "cyhire.cechire.com"
      },
      {
        "id": "",
        "name": "ursulapapst.xyz"
      },
      {
        "id": "",
        "name": "christienoll.xyz"
      },
      {
        "id": "",
        "name": "trc.webhop.net"
      },
      {
        "id": "",
        "name": "hristophe.com"
      },
      {
        "id": "",
        "name": "10cm.mypets.ws"
      },
      {
        "id": "",
        "name": "karelbecker.com"
      },
      {
        "id": "",
        "name": "pixel1.dnsalias.net"
      },
      {
        "id": "",
        "name": "daichungvienvinhthanh.com"
      },
      {
        "id": "",
        "name": "figbc.knowsitall.info"
      },
      {
        "id": "",
        "name": "aliexpresscn.net"
      },
      {
        "id": "",
        "name": "iecopeland.com"
      },
      {
        "id": "",
        "name": "coachcybersecurity.com"
      },
      {
        "id": "",
        "name": "dwarduong.com"
      },
      {
        "id": "",
        "name": "metakit.fireant.vn"
      },
      {
        "id": "",
        "name": "trieudaiviet.com"
      },
      {
        "id": "",
        "name": "lb-web-stat.com"
      },
      {
        "id": "",
        "name": "jeanessbinder.com"
      },
      {
        "id": "",
        "name": "gardencityclub.com"
      },
      {
        "id": "",
        "name": "aol.straliaenollma.xyz"
      },
      {
        "id": "",
        "name": "cdnazure.com"
      },
      {
        "id": "",
        "name": "lbertussbau.com"
      },
      {
        "id": "",
        "name": "stopherau.com"
      },
      {
        "id": "",
        "name": "jamedalue.com"
      },
      {
        "id": "",
        "name": "tefanie.com"
      },
      {
        "id": "",
        "name": "sophiahoule.com"
      },
      {
        "id": "",
        "name": "player-cnevids.com"
      },
      {
        "id": "",
        "name": "meroque.com"
      },
      {
        "id": "",
        "name": "danchimviet.info"
      },
      {
        "id": "",
        "name": "omasicase.com"
      },
      {
        "id": "",
        "name": "sarc.onteagleroad.com"
      },
      {
        "id": "",
        "name": "keoucha.com"
      },
      {
        "id": "",
        "name": "ntjeilliams.com"
      },
      {
        "id": "",
        "name": "triviet.news"
      },
      {
        "id": "",
        "name": "chinaport.org"
      },
      {
        "id": "",
        "name": "sanauer.com"
      },
      {
        "id": "",
        "name": "stienollmache.xyz"
      },
      {
        "id": "",
        "name": "andreagahuvrauvin.com"
      },
      {
        "id": "",
        "name": "andreagbridge.com"
      },
      {
        "id": "",
        "name": "loridanase.com"
      },
      {
        "id": "",
        "name": "becreybour.com"
      },
      {
        "id": "",
        "name": "beaudrysang.xyz"
      },
      {
        "id": "",
        "name": "erstin.com"
      },
      {
        "id": "",
        "name": "danviethouston.com"
      },
      {
        "id": "",
        "name": "ntop.dieordaunt.com"
      },
      {
        "id": "",
        "name": "optnmstri.com"
      },
      {
        "id": "",
        "name": "karolinblair.com"
      },
      {
        "id": "",
        "name": "orrislark.com"
      },
      {
        "id": "",
        "name": "static.tagscdn.com"
      },
      {
        "id": "",
        "name": "aximilian.com"
      },
      {
        "id": "",
        "name": "tefanortin.com"
      },
      {
        "id": "",
        "name": "mtgvinh.net"
      },
      {
        "id": "",
        "name": "ucairtz.com"
      },
      {
        "id": "",
        "name": "jeffreyue.com"
      },
      {
        "id": "",
        "name": "adineohler.com"
      },
      {
        "id": "",
        "name": "s0-2mdn.net"
      },
      {
        "id": "",
        "name": "moureuxacv.com"
      },
      {
        "id": "",
        "name": "cdn1.shacknet.us"
      },
      {
        "id": "",
        "name": "jamyer.com"
      },
      {
        "id": "",
        "name": "dieordaunt.com"
      },
      {
        "id": "",
        "name": "oteams.com"
      },
      {
        "id": "",
        "name": "rity.com"
      },
      {
        "id": "",
        "name": "wfpscripts.homeunix.com"
      },
      {
        "id": "",
        "name": "financemachinelearning.com"
      },
      {
        "id": "",
        "name": "static-addtoany.com"
      },
      {
        "id": "",
        "name": "straliaenollma.xyz"
      },
      {
        "id": "",
        "name": "straits-times.is-an-actor.com"
      },
      {
        "id": "",
        "name": "ucaargo.com"
      },
      {
        "id": "",
        "name": "irkaimboeuf.com"
      },
      {
        "id": "",
        "name": "ds-aksb-a.likescandy.com"
      },
      {
        "id": "",
        "name": "ichardt.com"
      },
      {
        "id": "",
        "name": "your-ip.getmyip.com"
      },
      {
        "id": "",
        "name": "arinaurna.com"
      },
      {
        "id": "",
        "name": "rackerasr.com"
      },
      {
        "id": "",
        "name": "errellawle.com"
      },
      {
        "id": "",
        "name": "anessallie.com"
      },
      {
        "id": "",
        "name": "raovatcalitoday.com"
      },
      {
        "id": "",
        "name": "lauradesnoyers.com"
      },
      {
        "id": "",
        "name": "tiqqcdn.com"
      },
      {
        "id": "",
        "name": "byronorenstein.com"
      },
      {
        "id": "",
        "name": "imgincapsula.com"
      },
      {
        "id": "",
        "name": "nav.neat-url.com"
      },
      {
        "id": "",
        "name": "orinneamoure.com"
      },
      {
        "id": "",
        "name": "avidsontre.com"
      },
      {
        "id": "",
        "name": "tcog.thruhere.net"
      },
      {
        "id": "",
        "name": "dreyoddu.com"
      },
      {
        "id": "",
        "name": "frahreiner.com"
      },
      {
        "id": "",
        "name": "braydenhateaub.com"
      },
      {
        "id": "",
        "name": "secure-imrworldwide.com"
      },
      {
        "id": "",
        "name": "tiwimg.com"
      },
      {
        "id": "",
        "name": "lcontacts.servebbs.net"
      },
      {
        "id": "",
        "name": "cnrp7.org"
      },
      {
        "id": "",
        "name": "nguoitieudung.com.vn"
      },
      {
        "id": "",
        "name": "chascloud.com"
      },
      {
        "id": "",
        "name": "io.blogsite.org"
      },
      {
        "id": "",
        "name": "widgets-wp.com"
      },
      {
        "id": "",
        "name": "venionne.com"
      },
      {
        "id": "",
        "name": "ichefbcci.is-a-chef.com"
      },
      {
        "id": "",
        "name": "p-typekit.com"
      },
      {
        "id": "",
        "name": "eckenbaue.com"
      },
      {
        "id": "",
        "name": "orresto.com"
      },
      {
        "id": "",
        "name": "onnaha.com"
      },
      {
        "id": "",
        "name": "aulolloy.com"
      },
      {
        "id": "",
        "name": "leadingfilipinoteams.com"
      },
      {
        "id": "",
        "name": "dns.chinanews.network"
      },
      {
        "id": "",
        "name": "eighrimeau.com"
      },
      {
        "id": "",
        "name": "s-adroll.com"
      },
      {
        "id": "",
        "name": "alicervois.com"
      },
      {
        "id": "",
        "name": "urnage.com"
      },
      {
        "id": "",
        "name": "myolton.com"
      },
      {
        "id": "",
        "name": "carosseda.com"
      },
      {
        "id": "",
        "name": "baotgm.net"
      },
      {
        "id": "",
        "name": "benchtag2.com"
      },
      {
        "id": "",
        "name": "metacachecdn.com"
      },
      {
        "id": "",
        "name": "avidilleneu.com"
      },
      {
        "id": "",
        "name": "tsworthoa.com"
      },
      {
        "id": "",
        "name": "effecto-azureedge.net"
      },
      {
        "id": "",
        "name": "icmannaws.com"
      },
      {
        "id": "",
        "name": "marrmann.com"
      },
      {
        "id": "",
        "name": "power-sync-services.com"
      },
      {
        "id": "",
        "name": "pagefairjs.com"
      },
      {
        "id": "",
        "name": "daff.faybilodeau.com"
      },
      {
        "id": "",
        "name": "virginiaar.com"
      },
      {
        "id": "",
        "name": "lienketqnhn.org"
      },
      {
        "id": "",
        "name": "traveroyce.com"
      },
      {
        "id": "",
        "name": "laudiaouc.com"
      },
      {
        "id": "",
        "name": "christienollmache.xyz"
      },
      {
        "id": "",
        "name": "hieryells.com"
      },
      {
        "id": "",
        "name": "cart.gotdns.com"
      },
      {
        "id": "",
        "name": "rcuselynac.com"
      },
      {
        "id": "",
        "name": "biasatts.com"
      },
      {
        "id": "",
        "name": "sskimresources.com"
      },
      {
        "id": "",
        "name": "mxprodesign.com"
      },
      {
        "id": "",
        "name": "onteagle.com"
      },
      {
        "id": "",
        "name": "arkoimmerma.com"
      },
      {
        "id": "",
        "name": "assets-cdn.blogdns.net"
      },
      {
        "id": "",
        "name": "cloud.360cn.info"
      },
      {
        "id": "",
        "name": "antenham.com"
      },
      {
        "id": "",
        "name": "fvpoc.org"
      },
      {
        "id": "",
        "name": "tips-renew.webhop.info"
      },
      {
        "id": "",
        "name": "exploit.agent.lt"
      },
      {
        "id": "",
        "name": "html5.endofinternet.net"
      },
      {
        "id": "",
        "name": "scdn-cxense.com"
      },
      {
        "id": "",
        "name": "thongtinchongphandong.com"
      },
      {
        "id": "",
        "name": "cdnscr.thruhere.net"
      },
      {
        "id": "",
        "name": "ourkekwiciver.com"
      },
      {
        "id": "",
        "name": "illagedrivestralia.xyz"
      },
      {
        "id": "",
        "name": "aisicoin.com"
      },
      {
        "id": "",
        "name": "bootstraplink.com"
      },
      {
        "id": "",
        "name": "weblink.selfip.info"
      },
      {
        "id": "",
        "name": "cdn-ampproject.com"
      },
      {
        "id": "",
        "name": "gui.dnsdojo.net"
      },
      {
        "id": "",
        "name": "tephens.com"
      },
      {
        "id": "",
        "name": "ad-appier.com"
      },
      {
        "id": "",
        "name": "utagscript.com"
      },
      {
        "id": "",
        "name": "tinkhongle.com"
      },
      {
        "id": "",
        "name": "nasahlaes.com"
      },
      {
        "id": "",
        "name": "arabica.podzone.net"
      },
      {
        "id": "",
        "name": "gatewayrvcenter.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a2ac312c98386d398eab284",
    "https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/"
  ]
}