From external espionage to domestic targeting

June 11, 2026, 2:40 p.m.

Description

Analysis of OceanLotus activities from 2024-2026 reveals a strategic shift toward domestic espionage within Vietnam. The Vietnam-aligned APT group conducted two distinct campaigns using the SPECTRALVIPER backdoor: a supply-chain attack that compromised the FireAnt Metakit stock trading platform from October 2025 to March 2026, and a prolonged intrusion into a Vietnamese infrastructure and transport construction corporation from mid-2024 through January 2026. The FireAnt compromise exploited the platform's insecure update mechanism and targeted stock investors with selective deployment. This operational pivot coincides with Vietnam's Blazing Furnace anti-corruption campaign, suggesting possible alignment with domestic investigative efforts against financial crime. The group continues to demonstrate sophisticated tactics despite the public exposure of its front company in 2020, and it maintains technical innovation in tooling and infrastructure.

Date

  • Created: June 11, 2026, 2:15 p.m.
  • Published: June 11, 2026, 2:15 p.m.
  • Modified: June 11, 2026, 2:40 p.m.

Indicators


Attack Patterns

  • PHOREAL - S0158
  • SPECTRALVIPER
  • SOUNDBITE - S0157
  • WINDSHIELD - S0155
  • Denis - S0354
  • APT32

Additional Information

  • Finance
  • Construction
  • Transportation

Linked vulnerabilities