The Vietnam-linked advanced persistent threat group OceanLotus has been tied to two separate but overlapping campaigns — one aimed at a domestic infrastructure and transport construction firm, the other targeting stock market investors. Both deployed a backdoor called SPECTRALVIPER, and together they paint a picture of an operation that ran quietly for the better part of two years.
The espionage campaign against the construction corporation ran from mid-2024 through February 2026, which points to patient, methodical collection rather than smash-and-grab data theft. The second campaign took a different route: a supply chain compromise designed to reach individual investors trading on Vietnamese exchanges. That is a notable shift. Retail investors are not a typical APT target, and the choice suggests either an economic-intelligence motive or a broader effort to undermine confidence in the market.
SPECTRALVIPER itself is a modular backdoor with the usual capabilities (credential harvesting, lateral movement, command-and-control communication), but what stands out is how long the operators stayed undetected. Around twenty months inside a critical infrastructure target should give any security team pause: a dwell time that long means the initial intrusion was missed, and so was every beacon and lateral move that followed it. If your threat model does not account for an adversary willing to wait this long, and your detection depends on catching the first foothold rather than the low-and-slow activity that comes after, it is time to update both.
Source: The Hacker News
