OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack

Summary

The Vietnam-aligned threat actor OceanLotus has been linked to two campaigns targeting domestic entities and stock investors with the SPECTRALVIPER backdoor. One campaign involved cyber espionage against a construction corporation, while the other was a supply chain attack leveraging the FireAnt Metakit platform. This indicates a shift towards domestic targets for the group.

Full text

OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack Ravie LakshmananJun 11, 2026Supply Chain Attack / Cyber Espionage The Vietnam-aligned threat actor known as OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER. The campaigns involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026, as well as a supply chain attack leveraging FireAnt Metakit, a popular software platform used by stock investors in Vietnam. The second activity cluster took place from October 2025 to March 2026. The two sets of attacks represent a shift in operational focus, per ESET, with the threat actor placing an increasing emphasis on domestic espionage rather than external targets. The group, active since 2012, also has a history of targeting China. "Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling," the Slovakian cybersecurity company said in a report shared with The Hacker News. Prior attacks orchestrated by the adversarial collective have leveraged watering holes to digitally profile site visitors, with a specific focus on hundreds of individuals and organizations tied to media, human rights, and civil society causes in 2017 and 2018. Other campaigns have singled out Vietnamese human rights defenders and dissidents. In December 2020, Meta linked OceanLotus' activities with a Vietnamese IT company named CyberOne Group, which is also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited. Although the company denied the allegations, the public exposure led to the group going off the grid for nearly three years. Some of the key tools in its arsenal include SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and, more recently, SPECTRALVIPER, which was first documented by Elastic Security Labs in June 2023 when the threat actor resurfaced in connection with a campaign targeting Vietnamese public companies. As recently as last month, Kaspersky said it discovered three malicious packages on the Python Package Index (PyPI) repository designed to deliver a previously unknown malware family called ZiChatBot on Windows and Linux systems. The Russian cybersecurity company noted that the dropper used to deliver the malware shares a "64% similarity" to another dropper used by OceanLotus. The FireAnt Metakit Supply Chain Attack The latest findings from ESET show that the FireAnt Metakit supply chain attack likely began around October 2, 2025, and lasted until March 2026. The attack is said to have leveraged the software's legitimate update URL to serve SPECTRALVIPER to a small subset of stock investors, indicating a more selective approach. The use of the FireAnt update server to directly distribute malicious payloads notwithstanding, the update configuration file located at "metakit.fireant[.]vn/Software/version.xml" lacks an integrity validation mechanism to ensure that the update binary ("setup.exe") has not been tampered with. "Due to the absence of signature validation, Metakit.exe executed the malicious downloader as a legitimate update," ESET said. "Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload." The payload is a DLL side-loading chain that employs a legitimate binary to launch a rogue DLL ("DtlCrashCatch.dll"), which then injects itself into the OneDrive.Sync.Service.exe process to trigger the execution of SPECTRALVIPER. The backdoor subsequently contacts a command-and-control (C2) server ("financemachinelearning[.]com") to send encrypted host information. ESET said it has not observed any further malicious updates being distributed through the compromised channel since March 9, 2026, raising the possibility that the threat actors concluded their campaign. Vietnamese Transport Construction Corporation Targeted OceanLotus has also been found targeting an unnamed Vietnamese infrastructure and transport construction firm starting as far back as November 2024, covertly retaining access to the entity until February 2026. Although the exact initial access pathway used by the threat actor is unclear, it's suspected to have involved the exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server. The attacks, as before, paves the way for the deployment of the SPECTRALVIPER backdoor using DLL side-loading. Three different variants have been identified across multiple compromised hosts on the same network. The malware contacts the C2 server ("gatewayrvcenter[.]com") to transmit host-profiling data and receive instructions from the operator. SPECTRALVIPER also facilitates lateral movement and functions as a loader by injecting additional binaries or shellcode retrieved from the C2 server into target processes. "Overall, the available evidence points to a potential shift in OceanLotus's operational patterns," ESET said. "Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Backdoor, cyber espionage, cybersecurity, DLL side-loading, ESET, Supply Chain Attack, Vietnam ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy and Cloudflare ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors + 20 New Stories ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale Catch 88% of Malware Threats in Under 60 Seconds with Live Sandbox Analysis [Guide] Transform Network Operations with Intelligent Workflows See How Agentic AI Cuts Your SOC Triage Time in Half [Get a Demo]

Indicators of Compromise

• domain — financemachinelearning[.]com
• domain — metakit.fireant[.]vn
• malware — SPECTRALVIPER
• malware — ZiChatBot

Entities