When people think of hackers…
They imagine criminals chasing money.
Ransomware.
Bank accounts.
Crypto wallets.
But some of the world’s most sophisticated hacking groups have a very different objective:
Information.
And one of Asia’s most infamous cyber-espionage groups is back in the spotlight.
─────────
Its name is OceanLotus, also known as APT32.
For more than a decade, cybersecurity researchers have linked the group to sophisticated espionage campaigns targeting governments, multinational companies and political activists across Asia and beyond. It has previously been associated with intrusions at organizations such as BMW and Hyundai, and even with distributing malware through the Google Play Store.
But according to a new investigation by ESET Research, something appears to have changed.
─────────
Instead of focusing mainly on foreign targets, OceanLotus is now increasingly targeting organizations and individuals inside Vietnam itself.
Researchers uncovered two major campaigns between 2024 and 2026:
One kept a foothold inside a Vietnamese infrastructure and transport company for more than a year.
The other compromised FireAnt MetaKit, a software platform widely used by stock market investors, turning a legitimate software update into a delivery channel for cyber-espionage.
─────────
The malware used in these attacks is a backdoor called SPECTRALVIPER.
Once installed, it can quietly collect information, inject malicious code into legitimate processes and maintain long-term access to infected systems while remaining very difficult to detect. Security researchers describe it as one of OceanLotus' signature cyber-weapons.
─────────
So why would a group historically linked to international espionage suddenly focus on domestic targets?
Researchers believe the timing may not be accidental.
Vietnam is currently undergoing a massive anti-corruption campaign, accompanied by high-profile investigations and politically sensitive trials.
While no direct link has been established, ESET notes that the choice of targets, including investors and strategic infrastructure, would be consistent with intelligence-gathering tied to these domestic developments.
─────────
Perhaps the most fascinating part of the story is that the attackers made a mistake.
An operational security slip left internal code details inside one malware sample, allowing researchers to reconstruct parts of SPECTRALVIPER's architecture and better understand how the operation worked.
Even elite hackers aren’t immune to human error.
─────────
One thing is becoming increasingly clear:
Modern espionage no longer relies only on spies in trench coats.
Sometimes, it hides inside a software update.
And in a world where cyber warfare is becoming as important as conventional warfare…
The next battlefield may be your computer screen.
