VYPR
Research · Published Jun 11, 2026 · 1 source

ESET Links OceanLotus to Supply-Chain Attack on Vietnam's FireAnt Platform, Domestic Espionage Shift

ESET has tied the state-aligned threat actor OceanLotus (APT32) to a supply-chain attack on Vietnam's FireAnt financial platform and a prolonged intrusion into a transport infrastructure company, indicating a pivot toward domestic espionage.

ESET researchers have uncovered a significant shift in the operations of the state-aligned threat actor known as OceanLotus, or APT32, linking the group to a supply-chain attack on Vietnam's FireAnt financial platform and a prolonged intrusion into a transport infrastructure company. The findings, published on June 11, 2026, suggest that OceanLotus is increasingly redirecting its espionage efforts from foreign targets to domestic Vietnamese entities, gathering intelligence from within the country.

The supply-chain attack on FireAnt, a widely used financial platform in Vietnam, involved sophisticated intrusion techniques that allowed the threat actor to compromise the software supply chain and potentially gain access to downstream customers. ESET's analysis indicates that the attackers leveraged advanced methods to infiltrate the platform's development environment, embedding malicious code that could be distributed through legitimate updates. This approach mirrors tactics seen in other state-sponsored campaigns, such as the SolarWinds attack, but with a focus on domestic financial infrastructure.

In a separate but related incident, ESET documented a prolonged intrusion into a Vietnamese transport infrastructure company, where OceanLotus maintained persistent access over an extended period. The attackers employed custom malware and stealthy lateral movement techniques to exfiltrate sensitive data related to logistics, operations, and potentially national security. The dual targeting of financial and transport sectors underscores the group's interest in critical infrastructure that could provide strategic advantages.

OceanLotus, widely believed to operate on behalf of the Vietnamese government, has historically focused on espionage against foreign governments, dissidents, and human rights organizations. However, this new activity marks a notable pivot toward domestic targets, raising questions about the regime's internal security priorities. The shift may reflect a growing concern over internal dissent or economic competition, as Vietnam's rapid digitalization creates new vulnerabilities.

The attacks also highlight the evolving capabilities of OceanLotus, which has a long history of using custom malware, phishing campaigns, and supply-chain compromises. ESET's report details the technical indicators of compromise, including specific file hashes and command-and-control infrastructure, enabling defenders to detect and mitigate similar threats. The group's ability to target domestic platforms suggests a deep understanding of Vietnam's technology ecosystem.

Vietnamese authorities have not publicly commented on the findings, but the incidents underscore the need for enhanced cybersecurity measures across critical sectors. Organizations using FireAnt or similar platforms are advised to conduct thorough audits and monitor for signs of compromise. The affected transport company has reportedly initiated remediation efforts, though details remain scarce.

This development comes amid broader trends of state-sponsored threat actors increasingly targeting domestic infrastructure, as seen with other groups like Salt Typhoon and Volt Typhoon. The OceanLotus case serves as a reminder that even within a country, state-aligned hackers may turn their tools inward, blurring the lines between foreign espionage and internal surveillance. As Vietnam continues to digitize its economy, the risk of such attacks will likely grow, demanding vigilance from both public and private sectors.

Synthesized by Vypr AI