Key Takeaways
- OceanLotus (APT‑32), a Vietnam‑aligned threat actor active since 2012, has recently shifted focus from foreign espionage to domestic targets in Vietnam.
- Two distinct campaigns were observed between mid‑2024 and March 2026: a prolonged intrusion of a Vietnamese infrastructure and transport construction corporation and a supply‑chain attack on the FireAnt Metakit stock‑trading platform.
- Both campaigns deployed the SPECTRALVIPER backdoor, first documented in June 2023, which uses DLL side‑loading to establish persistence, gather host information, enable lateral movement, and download additional payloads from attacker‑controlled C2 servers.
- The FireAnt Metakit abuse exploited the lack of signature validation in the update mechanism, allowing the threat actor to push a malicious update to a select group of investors via the legitimate update URL.
- Despite the group’s temporary disappearance after its alleged link to CyberOne Group was exposed in 2020, OceanLotus continues to demonstrate sophisticated tradecraft, aggressive tactics, and an evolving toolset.
- Ongoing monitoring is essential, as the group’s recent activity suggests a possible long‑term strategic emphasis on high‑value domestic entities rather than indiscriminate foreign targeting.
Overview of OceanLotus Activity and Strategic Shift
OceanLotus, also known as APT‑32, has been conducting cyber‑espionage operations since 2012, historically targeting entities across Southeast Asia, China, and various international organizations. Recent analysis by ESET highlights a noticeable change in the group’s focus: while earlier campaigns emphasized foreign governments, media outlets, and human‑rights activists, the actor now prioritizes domestic Vietnamese organizations. This shift does not necessarily indicate abandonment of overseas interests, but rather a more selective approach that concentrates resources on high‑value local targets such as critical infrastructure firms and financial‑software users. The report notes that whether this adjustment is temporary or represents a long‑term strategic reorientation remains uncertain, yet the group’s continued use of advanced tools and aggressive tactics underscores its enduring threat posture.
Targeting the Vietnamese Transport Construction Corporation
From November 2024 through February 2026, OceanLotus maintained covert access to an unnamed Vietnamese infrastructure and transport construction corporation. Although the precise initial infection vector is not publicly disclosed, investigators suspect exploitation of remote code execution vulnerabilities in a publicly facing Microsoft SQL server. Once inside the network, the threat actor moved laterally, deploying three distinct variants of the SPECTRALVIPER backdoor on multiple compromised hosts. Each variant communicates with a command‑and‑control (C2) server at “gatewayrvcenter[.]com,” transmitting host‑profiling data and receiving further instructions. Beyond simple data exfiltration, SPECTRALVIPER functions as a loader, injecting additional binaries or shellcode retrieved from the C2 into legitimate processes, thereby enabling persistent presence and the potential deployment of secondary payloads.
Capabilities of the SPECTRALVIPER Backdoor
First identified by Elastic Security Labs in June 2023, SPECTRALVIPER has become a hallmark of OceanLotus’s recent toolkit. The malware employs a DLL side‑loading technique: a legitimate executable is manipulated to load a malicious DLL (e.g., “DtlCrashCatch.dll”), which then injects itself into trusted processes such as OneDrive.Sync.Service.exe. This method helps evade detection by blending malicious activity with normal system operations. Once active, SPECTRALVIPER conducts basic host reconnaissance, gathers system information, and transmits it via HTTP POST to an attacker‑controlled staging server. The backdoor then contacts its primary C2 infrastructure to retrieve further instructions or additional payloads, facilitating everything from credential harvesting to the deployment of ransomware or spyware modules. Its modular design allows OceanLotus to tailor the post‑exploitation phase to the specific value of each compromised target.
The FireAnt Metakit Supply Chain Attack
ESET’s investigation revealed that between October 2, 2025 and March 9, 2026, OceanLotus abused the update mechanism of FireAnt Metakit, a widely used stock‑trading platform in Vietnam. The attackers served a malicious payload from the legitimate update URL, causing the application to download a trojanized “setup.exe” during its routine update check. Because the update configuration file (“metakit.fireant[.]vn/Software/version.xml”) lacked any integrity validation or signature verification, the Metakit client accepted the malicious binary as a genuine update without question. The campaign was highly selective, targeting only a subset of investors whose systems communicated with the compromised update server, suggesting that the threat actor conducted prior reconnaissance to identify high‑value victims within the user base.
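The gap this paragraph describes, an updater that trusts whatever version.xml and setup.exe come back from the update URL, and the check that closes it, as an added Go example that is not FireAnt's code and not from ESET's report. The manifest schema and field names, the key handling, the version numbers and every byte string are constructed for illustration; the real version.xml layout is not on the page. The weak client parses the manifest and accepts any installer with a newer version. The hardened client pins the publisher's Ed25519 public key, verifies a signature over the exact manifest bytes, refuses anything not strictly newer than the installed version, and compares the installer's SHA-256 to the signed digest before the caller may execute it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is a constructed stand-in for an update descriptor such as
// version.xml; only the fields an integrity check needs are modelled.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"` // hex digest of the installer served at URL
}

// WeakAccept mirrors the behaviour the page describes: parse the manifest,
// check that the version is newer, and accept whatever bytes the URL returned.
func WeakAccept(manifestXML, installer []byte, installed string) (bool, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return false, err
	}
	return newerThan(m.Version, installed), nil // installer is never inspected
}

// HardenedAccept verifies an Ed25519 signature over the manifest bytes with a
// key pinned in the client, refuses downgrades and replays, and checks the
// installer's SHA-256 against the signed digest before it may be executed.
func HardenedAccept(pub ed25519.PublicKey, manifestXML, sig, installer []byte, installed string) error {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return fmt.Errorf("manifest signature invalid for pinned publisher key")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return err
	}
	if !newerThan(m.Version, installed) {
		return fmt.Errorf("refusing downgrade or replay: manifest %s, installed %s", m.Version, installed)
	}
	sum := sha256.Sum256(installer)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return fmt.Errorf("installer digest does not match signed manifest")
	}
	return nil
}

// newerThan compares dotted numeric versions; unparsable components count as 0.
func newerThan(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// Scenario holds a publisher-signed manifest for a genuine installer and a
// swapped installer of the kind a party controlling the update URL could
// serve. Keys are generated and all byte strings constructed here.
type Scenario struct {
	Pub              ed25519.PublicKey
	ManifestXML, Sig []byte
	Genuine, Swapped []byte
}

func NewScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	genuine := []byte("constructed genuine installer bytes")
	sum := sha256.Sum256(genuine)
	mb := []byte(fmt.Sprintf("<update><version>2.1.0</version><url>https://updates.example.invalid/setup.exe</url><sha256>%s</sha256></update>", hex.EncodeToString(sum[:])))
	return Scenario{Pub: pub, ManifestXML: mb, Sig: ed25519.Sign(priv, mb),
		Genuine: genuine, Swapped: []byte("constructed swapped setup.exe bytes")}, nil
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	weak, _ := WeakAccept(s.ManifestXML, s.Swapped, "2.0.0")
	fmt.Println("weak client accepts swapped installer:", weak)
	fmt.Println("hardened, genuine installer:", HardenedAccept(s.Pub, s.ManifestXML, s.Sig, s.Genuine, "2.0.0"))
	fmt.Println("hardened, swapped installer:", HardenedAccept(s.Pub, s.ManifestXML, s.Sig, s.Swapped, "2.0.0"))
}
```

With these checks a party who can answer the update URL can still substitute setup.exe, but the client rejects it on the digest mismatch, and rewriting the manifest to carry the new digest fails the signature check unless the publisher's signing key is also compromised. That is why the signing key should live in an offline signing step or an HSM rather than on the update server, and why the client must verify the raw manifest bytes it received rather than a re-serialized copy.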
Technical Mechanics of the FireAnt Exploitation
Upon execution, the malicious downloader performed basic host profiling—collecting information such as operating system version, installed software, and network configuration—and sent this data via an HTTP POST request to a staging server. In response, the staging server delivered the next‑stage payload: a DLL side‑loading chain designed to launch a rogue DLL (“DtlCrashCatch.dll”) from a legitimate binary. This DLL then injected itself into the OneDrive.Sync.Service.exe process, establishing a foothold that allowed the SPECTRALVIPER backdoor to beacon to its C2 server at “financemachinelearning[.]com.” Through this channel, the attackers exfiltrated encrypted host information and could issue commands to download additional tools, move laterally within the victim’s network, or persist across reboots. ESET noted that no further malicious updates were observed after March 9, 2026, indicating that the threat actors likely concluded the operation once their objectives were met.
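The chain described here and under “Capabilities of the SPECTRALVIPER Backdoor” leaves endpoint telemetry at three points: a DLL being loaded from a user-writable directory, a thread being created in OneDrive.Sync.Service.exe from another process, and a DNS lookup for one of the two C2 domains the page names. As an added example that is neither ESET's detection logic nor anything from the report, the following Go program runs four rules over constructed, Sysmon-style records. The “key=value|key=value” line format, the install paths and every file name other than DtlCrashCatch.dll and OneDrive.Sync.Service.exe are constructed; the field meanings are loosely modelled on Sysmon Event IDs 7, 8 and 22 but this is not a real Sysmon export. The generic rule on unsigned modules from user-writable paths is a heuristic that goes beyond the specific DLL name on the page and will need tuning per estate.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one flattened record of a constructed "key=value|key=value" format,
// loosely modelled on Sysmon Event ID 7 (image loaded), 8 (remote thread
// created) and 22 (DNS query). It is not a real Sysmon export.
type Event struct {
	ID     int
	Image  string // process that loaded the module, created the thread or sent the query
	Loaded string // module path (ID 7)
	Signed bool   // module carried a valid code signature (ID 7)
	Target string // process that received the remote thread (ID 8)
	Query  string // DNS name queried (ID 22)
}

// ParseEvent parses one line of the constructed format; unknown keys are ignored.
func ParseEvent(line string) Event {
	f := map[string]string{}
	for _, kv := range strings.Split(line, "|") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			f[k] = v
		}
	}
	id, _ := strconv.Atoi(f["id"])
	return Event{ID: id, Image: f["image"], Loaded: f["loaded"], Signed: f["signed"] == "true",
		Target: f["target"], Query: f["query"]}
}

// C2 domains named on the page, kept defanged; refang restores the dots for matching.
var c2Domains = []string{"gatewayrvcenter[.]com", "financemachinelearning[.]com"}

func refang(d string) string { return strings.ReplaceAll(d, "[.]", ".") }

// Path fragments a standard user can write to. A module loaded from one of
// these into any process deserves a look; an unsigned one more so.
var userWritable = []string{`\appdata\`, `\temp\`, `\downloads\`, `\programdata\`, `\users\public\`}

func fromUserWritable(p string) bool {
	lp := strings.ToLower(p)
	for _, frag := range userWritable {
		if strings.Contains(lp, frag) {
			return true
		}
	}
	return false
}

// baseName lower-cases the last path element and accepts Windows separators on
// any host OS, which filepath.Base does not.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// Detect returns the names of the rules that fire for one event.
func Detect(e Event) []string {
	var hits []string
	switch e.ID {
	case 7:
		if baseName(e.Loaded) == "dtlcrashcatch.dll" {
			hits = append(hits, "known_sideloaded_dll")
		}
		if !e.Signed && fromUserWritable(e.Loaded) {
			hits = append(hits, "unsigned_dll_from_user_writable_dir")
		}
	case 8:
		if baseName(e.Target) == "onedrive.sync.service.exe" && !strings.EqualFold(e.Image, e.Target) {
			hits = append(hits, "remote_thread_into_onedrive_sync_service")
		}
	case 22:
		q := strings.TrimSuffix(e.Query, ".")
		for _, d := range c2Domains {
			if strings.EqualFold(q, refang(d)) {
				hits = append(hits, "dns_query_to_known_c2")
			}
		}
	}
	return hits
}

// SampleLines are constructed records, not captured telemetry; paths are placeholders.
var SampleLines = []string{
	`id=7|image=C:\Users\dev\AppData\Local\Temp\upd\helper.exe|loaded=C:\Users\dev\AppData\Local\Temp\upd\DtlCrashCatch.dll|signed=false`,
	`id=7|image=C:\Windows\System32\svchost.exe|loaded=C:\Windows\System32\kernel32.dll|signed=true`,
	`id=8|image=C:\Users\dev\AppData\Local\Temp\upd\helper.exe|target=C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe`,
	`id=22|image=C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe|query=financemachinelearning.com`,
}

func main() {
	for _, line := range SampleLines {
		e := ParseEvent(line)
		fmt.Printf("id=%-2d %-28s -> %v\n", e.ID, baseName(e.Image), Detect(e))
	}
}
```

The first record fires both the indicator rule and the generic heuristic; the second, a signed system DLL loaded by svchost.exe, fires nothing. In production the domain list would come from a threat feed rather than a literal, and the remote-thread rule should be scoped to the process names observed in the environment, since legitimate tooling also opens threads in other processes.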
Implications and Outlook
The dual campaigns underscore OceanLotus’s adaptability and its willingness to exploit both traditional intrusion vectors (e.g., vulnerable SQL servers) and supply‑chain weaknesses in widely used software. The lack of signature validation in FireAnt’s update process represents a common but critical oversight that attackers can leverage to achieve trusted‑code execution at scale. For organizations in Vietnam—particularly those operating critical infrastructure, financial services, or any sector handling sensitive data—the findings reinforce the need for robust patch management, enforcement of code‑signing verification, network segmentation, and continuous monitoring for anomalous outbound traffic. Moreover, the observed shift toward domestic targeting suggests that threat intelligence feeds should prioritize monitoring of local entities and sectors that align with the group’s evolving interests. While OceanLotus’s activities have waxed and waned over its fifteen‑year history, its recent resurgence demonstrates that the group remains a potent and agile adversary capable of sustained, multi‑vector campaigns. Continued vigilance, threat‑hunting, and sharing of indicators of compromise will be essential to mitigate the risk posed by this persistent APT.

