OceanLotus appears to have modified its tactics and is now using compromised websites against its targets in its ongoing espionage campaign:

The group has begun using compromised websites to profile and target entities of interest to the Vietnamese government, Volexity says.

OceanLotus, an APT actor that over the past few years has been conducting a sophisticated digital surveillance campaign aligned with Vietnamese state interests, has built out a massive attack infrastructure of compromised websites.

OceanLotus, aka APT32, has compromised over 100 websites, the vast majority of which belong to organizations and individuals critical of the government in Vietnam.

The use of compromised websites to lure victims is a new development for OceanLotus and shows how sophisticated threat actors manage to stay a step ahead of defenders by constantly switching tactics.

Once a website has been compromised, OceanLotus has used different methods to identify site visitors and drop different payloads on their systems.

In addition to building out a big network of compromised websites to stage and deliver malware to selected victims, OceanLotus has also managed to build a massive backend infrastructure to facilitate its core data collection activities.

Maturing malicious actors are a huge risk to organizations in their crosshairs.