Vietnam-aligned cyber espionage group OceanLotus has emerged as a significant threat to national economic security with two sophisticated campaigns targeting domestic entities and investors. The threat actor, also known as APT32, has demonstrated remarkable persistence and advanced capabilities in its operations, leveraging a custom backdoor named SPECTRALVIPER to infiltrate systems and exfiltrate sensitive data.
The first campaign represents a prolonged cyber espionage operation lasting approximately 18 months, from mid-2024 through February 2026. During this timeframe, OceanLotus systematically targeted a major Vietnamese infrastructure and transport construction corporation. This attack was likely aimed at gathering intelligence related to national development projects, potentially for competitive advantage or strategic positioning. The threat group's selection of this specific sector underscores their focus on critical infrastructure that holds economic and strategic importance to Vietnam's national interests.
In a parallel operation, OceanLotus orchestrated a supply chain attack, though specific details about the compromised vendor remain limited. This secondary campaign demonstrates the threat actor's evolving tactics and its understanding that compromising a trusted third party provides an effective vector for reaching multiple high-value targets simultaneously. Both operations specifically targeted Vietnamese stock investors, suggesting motives that may include market manipulation, acquisition of insider information, or financial gain.
For security teams, these campaigns highlight several critical implications. First, the extended duration of the infrastructure attack points to sophisticated evasion techniques and suggests that traditional security controls failed to detect