OceanLotus Pivot to Vietnam Finance Exposes State Cyber Focus on Emerging Markets

OceanLotus's deployment of SPECTRALVIPER through the FireAnt Metakit supply chain marks a calculated escalation in Vietnam-aligned cyber operations, moving from external human rights targets to domestic financial infrastructure. ESET documented the campaign running October 2025 to March 2026, exploiting an unsigned update mechanism at metakit.fireant.vn to deliver the backdoor selectively to stock investors. This selective approach, absent integrity checks, allowed seamless DLL side-loading into OneDrive processes before beaconing to financemachinelearning.com. The shift aligns with Vietnam's rapid financial sector growth and its strategic position between Chinese and Western economic spheres, where economic intelligence yields higher returns than traditional dissident monitoring. Prior coverage overlooked how OceanLotus's 2023 resurfacing with SPECTRALVIPER, first detailed by Elastic Security Labs, directly preceded this domestic pivot, indicating a strategic recalibration after the 2020 CyberOne exposure. Kaspersky's recent PyPI findings of ZiChatBot droppers showing 64% code overlap further suggest the group maintains parallel tooling for stealthy financial reconnaissance. Unlike broader APT trends that prioritize critical infrastructure, OceanLotus demonstrates craft in abusing legitimate investor platforms, a pattern repeated by other state actors in ASEAN markets where regulatory oversight lags. This evolution reveals sustained Vietnamese state interest in monitoring capital flows and corporate decision-making amid regional power realignments.