CyberSecurity SEE

OceanLotus Aims at Stock Investors in FireAnt MetaKit Supply Chain Breach


OceanLotus APT Executes Targeted Supply-Chain Attack

The OceanLotus advanced persistent threat group, also tracked as APT32, has carried out a supply-chain operation that implanted its SPECTRALVIPER backdoor into FireAnt MetaKit, a widely used Vietnamese market-data component. The incident is a reminder that an espionage group with a mature toolkit does not need to breach each victim individually: compromising one trusted software component that a narrow population (here, stock investors) installs and updates is enough.

Telemetry collected from mid-2024 through early 2026 shows two distinct OceanLotus campaigns: a protracted espionage intrusion at a Vietnamese infrastructure and transport construction company, and the supply-chain compromise of FireAnt MetaKit, a component that stock investors depend on. Both campaigns delivered SPECTRALVIPER, and both show the planning and tooling discipline associated with the group.

The FireAnt operation began in October 2025, when malicious payloads started being served from FireAnt MetaKit's legitimate update URL. The earliest samples look like test iterations; later payloads were heavily obfuscated. The downloads used new infrastructure and a campaign-specific command-and-control (C2) domain, financemachinelearning.com, chosen to blend in with the web traffic an investor's machine would normally generate.

The update mechanism itself made the substitution possible: it fetched both the version metadata and the update binaries over plain HTTP and performed no integrity check, so the client had no signature or pinned hash against which to compare what it downloaded. Whether the attackers controlled the update server or the path to it, the client could not distinguish a publisher build from a replaced one, and it executed whatever the update URL returned. Moving the channel to HTTPS alone would not have closed the gap against a compromised server; the missing signature verification is what let the swap go unnoticed.
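The following is an added example of what the missing check looks like when it is present; it is not FireAnt's code and the manifest format, the Ed25519 publisher key, the URL and the binary bytes are all assumptions constructed for the example. The client trusts nothing in the manifest until the publisher's signature over it verifies, then refuses plaintext update URLs, refuses replayed older versions, and refuses a binary whose SHA-256 differs from the one the signed manifest commits to. The last check is the one that would have caught a payload swapped at the legitimate update URL.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is this example's assumed update metadata, not FireAnt's real format.
type Manifest struct {
	Version int    `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrPlaintextURL = errors.New("update URL is not https")
	ErrDowngrade    = errors.New("manifest version is not newer than the installed one")
	ErrHashMismatch = errors.New("binary hash does not match the signed manifest")
)

// HashHex returns the hex SHA-256 of a blob, as written into the manifest by the publisher.
func HashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher (build pipeline) side, included so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyManifest is the client side: verify the signature over the raw bytes before
// parsing anything, then reject plaintext URLs and replayed old versions.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte, installed int) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return nil, ErrPlaintextURL
	}
	if m.Version <= installed {
		return nil, ErrDowngrade
	}
	return &m, nil
}

// VerifyBinary ties the downloaded bytes to the signed manifest; a binary replaced
// on the server or on the wire fails here even if the download itself succeeded.
func VerifyBinary(m *Manifest, body []byte) error {
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(body)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Publisher key generated here for the demo; in practice only the public key
	// ships, pinned inside the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	binary := []byte("constructed stand-in for the MetaKit update binary")
	raw, sig, _ := SignManifest(priv, Manifest{
		Version: 2, URL: "https://updates.example.invalid/metakit.exe", SHA256: HashHex(binary)})
	m, err := VerifyManifest(pub, raw, sig, 1)
	if err != nil {
		panic(err)
	}
	tampered := append(append([]byte{}, binary...), 0)
	fmt.Println("genuine binary:", VerifyBinary(m, binary))
	fmt.Println("swapped binary:", VerifyBinary(m, tampered))
}
```

The signature covers the manifest, and the manifest covers the binary, so the only thing the client has to trust up front is the pinned public key; the transport is treated as untrusted regardless of whether it is HTTP or HTTPS.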

The substituted update was a downloader. It performed basic host reconnaissance, sent the profiling data to a staging server, requested a next-stage payload, and then set up a DLL side-loading chain: a legitimate, signed dtlupdate.exe, renamed IntelAudioService.exe so that it looked like an unrelated vendor service, was dropped beside DtlCrashCatch.dll, the attacker's DLL that the signed executable loads by name from its own directory. DtlCrashCatch.dll acted as the SPECTRALVIPER loader, so the malicious code ran under the cover of a valid Authenticode signature.

DtlCrashCatch.dll was ultimately injected into OneDrive.Sync.Service.exe, and SPECTRALVIPER beaconed from there. Its check-ins carry encrypted host information inside an HTTP Cookie header, prefixed zd_cs_pm= in this campaign, so that on the wire they resemble an ordinary session cookie rather than a beacon. Over the course of the operation the staging host moved from 139.162.11.152 to 142.91.98.77. No malicious updates have been observed since March 9, 2026, which suggests the operation was either disrupted or deliberately wound down.
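The three host-side patterns in the two paragraphs above (a signed executable running under a name that is not its own, a DLL loaded from the executable's own user-writable directory, and an HTTP request whose Cookie header starts with the campaign prefix or goes to a named C2/staging host) can be hunted for mechanically. The block below is an added example, not tooling from the page or from ESET; it runs three such rules over constructed JSON-lines telemetry whose field names, paths and PIDs are this example's own invention rather than any vendor's schema. The renamed-binary rule is the general form of the IntelAudioService.exe / dtlupdate.exe case: a valid signature on a file whose name differs from the OriginalFileName compiled into its version resource.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the constructed telemetry record this example consumes. It stands in
// for EDR/Sysmon process-create, image-load and network events; the field names
// are assumptions of this example, not a real product's schema.
type Event struct {
	Kind     string `json:"kind"`     // "process", "load" or "http"
	PID      int    `json:"pid"`
	Image    string `json:"image"`    // full path of the process
	Original string `json:"original"` // OriginalFileName from the PE version resource
	Signed   bool   `json:"signed"`   // Authenticode signature valid
	Module   string `json:"module"`   // DLL path for "load" events
	Host     string `json:"host"`     // destination for "http" events
	Cookie   string `json:"cookie"`   // Cookie header for "http" events
}

type Finding struct {
	PID    int
	Rule   string
	Detail string
}

// Indicators named in the report.
const beaconPrefix = "zd_cs_pm="

var iocHosts = map[string]bool{
	"financemachinelearning.com": true,
	"gatewayrvcenter.com":        true,
	"coachcybersecurity.com":     true,
	"139.162.11.152":             true,
	"142.91.98.77":               true,
}

// winBase and winDir split a Windows path without relying on the host OS separator.
func winBase(p string) string { return p[strings.LastIndexAny(p, `\/`)+1:] }
func winDir(p string) string {
	i := strings.LastIndexAny(p, `\/`)
	if i < 0 {
		return ""
	}
	return strings.ToLower(p[:i])
}

// trustedDir is this example's assumption of where legitimately installed DLLs live.
func trustedDir(dir string) bool {
	return strings.HasPrefix(dir, `c:\windows\`) || strings.HasPrefix(dir, `c:\program files`)
}

func checkEvent(ev Event) []Finding {
	var out []Finding
	switch ev.Kind {
	case "process":
		// Valid signature, but the on-disk name is not the compiled-in OriginalFileName.
		if ev.Signed && ev.Original != "" && !strings.EqualFold(winBase(ev.Image), ev.Original) {
			out = append(out, Finding{ev.PID, "renamed-signed-exe",
				fmt.Sprintf("%s is signed as %s", winBase(ev.Image), ev.Original)})
		}
	case "load":
		// The named loader DLL, or any DLL pulled from the EXE's own untrusted directory.
		mod := strings.ToLower(winBase(ev.Module))
		sameDir := winDir(ev.Module) == winDir(ev.Image)
		if mod == "dtlcrashcatch.dll" || (sameDir && !trustedDir(winDir(ev.Module))) {
			out = append(out, Finding{ev.PID, "dll-sideload",
				fmt.Sprintf("%s loaded %s from %s", winBase(ev.Image), winBase(ev.Module), winDir(ev.Module))})
		}
	case "http":
		var why []string
		if strings.HasPrefix(ev.Cookie, beaconPrefix) {
			why = append(why, "cookie prefix "+beaconPrefix)
		}
		if iocHosts[strings.ToLower(ev.Host)] {
			why = append(why, "known C2/staging host "+ev.Host)
		}
		if len(why) > 0 {
			out = append(out, Finding{ev.PID, "spectralviper-beacon",
				winBase(ev.Image) + ": " + strings.Join(why, "; ")})
		}
	}
	return out
}

// Hunt runs the rules over JSON-lines telemetry; malformed lines are skipped.
func Hunt(telemetry string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(telemetry))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue
		}
		findings = append(findings, checkEvent(ev)...)
	}
	return findings
}

// SampleTelemetry is constructed for this example; the paths, PIDs and cookie value are invented.
const SampleTelemetry = `
{"kind":"process","pid":4120,"image":"C:\\Users\\trader\\AppData\\Local\\Temp\\IntelAudioService.exe","original":"dtlupdate.exe","signed":true}
{"kind":"process","pid":4300,"image":"C:\\Program Files\\Notepad++\\notepad++.exe","original":"notepad++.exe","signed":true}
{"kind":"load","pid":4120,"image":"C:\\Users\\trader\\AppData\\Local\\Temp\\IntelAudioService.exe","module":"C:\\Users\\trader\\AppData\\Local\\Temp\\DtlCrashCatch.dll"}
{"kind":"load","pid":4300,"image":"C:\\Program Files\\Notepad++\\notepad++.exe","module":"C:\\Windows\\System32\\kernel32.dll"}
{"kind":"http","pid":5012,"image":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe","host":"financemachinelearning.com","cookie":"zd_cs_pm=MIIBsgYJKoZI"}
{"kind":"http","pid":5012,"image":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe","host":"onedrive.live.com","cookie":"MSPAuth=deadbeef"}
`

func main() {
	for _, f := range Hunt(SampleTelemetry) {
		fmt.Printf("pid %d  %-22s %s\n", f.PID, f.Rule, f.Detail)
	}
}
```

On the sample, the IntelAudioService.exe process trips both the renamed-binary and side-load rules, the OneDrive process trips the beacon rule on its C2 request and not on its legitimate one, and Notepad++ loading kernel32.dll from System32 is left alone. The cookie-prefix rule is campaign-specific and cheap; the renamed-signed-binary rule is the durable one, because it does not depend on which vendor's executable the next campaign borrows.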

According to ESET researchers, OceanLotus also maintained a prolonged intrusion at a large infrastructure and transport construction firm from mid-2024 until February 2026. The implants were orchestrated differently on different hosts, suggesting the attackers tailored each deployment to the role of the compromised machine. This campaign used multiple SPECTRALVIPER variants, each side-loaded by a legitimate signed executable.

Initial access likely came through remote code execution against internet-exposed SQL servers. An operational security slip left RTTI symbols in two SPECTRALVIPER samples, which let researchers partially reconstruct the malware's internal class hierarchy. SPECTRALVIPER itself is an HTTPS backdoor that initiates its own connections to the C2 server and serves as the platform for the rest of the intrusion.

In the orchestration model, designated orchestrator instances relayed commands to other compromised hosts over named pipes, so that only the orchestrator needs to talk to the internet. Recovered symbols such as XGU::Pivot::StartLink and XGU::Pivot::Internal::WaitNew_RemotePipe correspond to that pivoting logic. SPECTRALVIPER also doubles as a loader, injecting additional binaries or shellcode through its ProcessReflector and ProcessManager components.

The C2 domains observed across the incidents, such as gatewayrvcenter.com and coachcybersecurity.com, follow the same campaign-specific naming pattern, chosen so that the traffic looks plausible for the victim rather than standing out. These operations coincide with Vietnam's intensified anti-corruption initiatives and financial investigations, in particular the "Blazing Furnace" campaigns addressing bond misreporting in late 2025.

The timing of the FireAnt compromise and its choice of target point to activity aligned with domestic financial crime investigations rather than broad commercial espionage or indiscriminate theft. After its exposure in 2020 and its reemergence with SPECTRALVIPER in 2023, OceanLotus appears to have shifted toward more selective, domestically oriented operations while keeping the toolkit and tradecraft needed for quiet supply-chain intrusions.

For defenders, the practical steps follow directly from the chain described above. Audit software update channels for both transport encryption and integrity: metadata and binaries should be fetched over HTTPS and, more importantly, verified against a publisher signature or pinned hash before execution, since TLS alone does not protect against a compromised update server. Alert on signed executables that run under a file name different from their version-resource OriginalFileName, and on DLLs loaded from the executable's own user-writable directory, which together make up the side-loading pattern used here. Hunt for SPECTRALVIPER indicators: HTTP requests whose Cookie header begins with zd_cs_pm=, traffic to financemachinelearning.com, gatewayrvcenter.com, coachcybersecurity.com, 139.162.11.152 and 142.91.98.77, and unexpected named-pipe creation and connection by processes that do not normally use pipes (Sysmon event IDs 17 and 18 on Windows).

The OceanLotus case is a reminder that a signed, legitimate update channel is only as trustworthy as the checks the client performs on it, and that a compromise of one widely installed component can reach exactly the population an espionage actor wants.
