OceanLotus pivots to domestic espionage, ESET Research finds
Vietnam-aligned cyberespionage group OceanLotus has pivoted toward domestic surveillance targets while scaling back its foreign operations, according to new research published by ESET on 11 June 2026. The findings cover two distinct campaigns between mid-2024 and March 2026, both involving the group's signature SPECTRALVIPER backdoor, and represent what ESET describes as a meaningful shift in the 15-year-old threat actor's operational patterns.
ESET researchers identified the first campaign as a prolonged intrusion into a Vietnamese infrastructure and transport construction corporation, running from mid-2024 through January 2026. The second was a supply-chain attack, active from October 2025 to March 2026, in which OceanLotus compromised the update server of FireAnt MetaKit, a software platform widely used by stock market investors in Vietnam. Legitimate software updates were replaced with a malicious payload that ultimately deployed SPECTRALVIPER on victim machines. Despite the broad potential exposure of such a supply-chain attack, ESET observed only a small number of individuals who actually received the implant, pointing to deliberate, selective targeting rather than opportunistic mass compromise.
Operational shift and domestic context
ESET draws a direct line between OceanLotus's apparent domestic refocus and Vietnam's ongoing anti-corruption campaign, known as Blazing Furnace. Launched by the Communist Party of Vietnam, the programme mirrors in intent the large-scale anti-corruption drive associated with China's leadership, aiming to demonstrate party discipline and maintain popular legitimacy. ESET says it believes OceanLotus may be associated with these efforts, and that monitoring of financial-sector participants, such as stock investors using FireAnt MetaKit, could reflect intelligence-gathering in support of financial crime investigations.
An operational security lapse during one of the campaigns gave ESET researchers an unusual window into SPECTRALVIPER's internals: run-time type information names were left intact in a sample, allowing the team to reconstruct aspects of the backdoor's internal architecture. The group is noted for continuous innovation in its tooling, including custom network protocols and platform-specific data collection capabilities across both Windows and Linux.
OceanLotus, also tracked as APT32, first came to wide public attention between 2017 and 2020, when researchers documented large-scale watering-hole attacks across Southeast Asia, intrusions into BMW and Hyundai, and targeting of a Vietnamese dissident in Germany. Its profile dropped sharply after Facebook, in 2020, publicly identified a company believed to have served as the group's physical front. ESET's latest findings suggest the group never went quiet; it simply became more circumspect.
Wider threat landscape
The OceanLotus findings arrive as the threat intelligence community is paying close attention to state-aligned actors that blend foreign espionage with domestic surveillance mandates. Several Southeast Asian governments have been documented deploying commercially available or custom spyware against civil society groups and journalists, a pattern that has drawn scrutiny from the EU, the United Nations, and non-governmental organisations including Access Now and Citizen Lab.
Supply-chain attacks of the type used in the FireAnt MetaKit campaign are a growing vector globally: by compromising a trusted update mechanism, threat actors sidestep perimeter defences and endpoint detection at the point of initial delivery. For enterprise security teams in the region, the campaign is a reminder that software update integrity, including cryptographic signing and out-of-band verification, is a fundamental control regardless of whether an organisation considers itself a geopolitical target.
ESET has published a full technical write-up on WeLiveSecurity.com. Whether OceanLotus's domestic emphasis represents a permanent strategic realignment or a temporary operational adjustment tied to Vietnam's current political cycle, ESET says, remains an open question.