OceanLotus Returns: SPECTRALVIPER Backdoor Slips Into Vietnamese Stock Software Update Channel
#Cybersecurity

Security Reporter

The 15-year-old Vietnam-aligned APT group OceanLotus poisoned a trusted software update server to push its SPECTRALVIPER backdoor to a handpicked set of stock investors, while running a parallel two-year intrusion against a transport construction firm. ESET's findings point to a clear pivot: the group is spending less energy on foreign targets and more on watching its own backyard.

OceanLotus, the long-running threat actor with ties to Vietnamese state interests, has resurfaced in two campaigns that researchers say mark a meaningful change in how the group picks its victims. According to a new ESET report shared with The Hacker News, the group used the SPECTRALVIPER backdoor against a domestic infrastructure company and, separately, against stock investors who trusted a popular trading platform's update mechanism. The investor-facing operation is the one that should make every software vendor uncomfortable, because it abused a feature users are told to keep enabled: automatic updates.

What Actually Happened

The supply chain piece centered on FireAnt Metakit, a trading and analytics tool widely used by retail and professional stock investors in Vietnam. Starting around October 2, 2025, and continuing through March 2026, OceanLotus served SPECTRALVIPER directly through FireAnt's legitimate update URL. Rather than spraying the malware at everyone running the software, the attackers pushed it to a small, selected subset of users. That restraint is itself a signal. Indiscriminate distribution gets caught quickly; targeted distribution to a handful of high-value accounts can run for months before anyone notices.

The technical failure that made this possible is mundane and, unfortunately, common. The update configuration file hosted at metakit.fireant[.]vn/Software/version.xml had no integrity validation. There was nothing checking whether the setup.exe it pointed to was the real, vendor-signed binary or something an attacker had swapped in. "Due to the absence of signature validation, Metakit.exe executed the malicious downloader as a legitimate update," ESET wrote. Once it ran, the downloader did quick reconnaissance of the host and sent the results to a staging server over an HTTP POST request, which then handed back the next payload.

From there the attack used a DLL side-loading chain. A legitimate, trusted binary loaded a malicious DLL named DtlCrashCatch.dll, which injected itself into OneDrive.Sync.Service.exe to launch SPECTRALVIPER. The backdoor then phoned home to a command-and-control server at financemachinelearning[.]com, sending encrypted details about the infected machine. ESET hasn't seen any new malicious updates flow through that channel since March 9, 2026, which suggests the operators may have wrapped up this round.

The Second Campaign: Two Years Inside a Construction Firm

The quieter operation targeted an unnamed Vietnamese infrastructure and transport construction corporation. OceanLotus is believed to have gotten in as early as November 2024 and kept access until February 2026, roughly 15 months of presence on the network. The initial entry point isn't confirmed, but ESET suspects remote code execution flaws in a public-facing Microsoft SQL server.

The deployment pattern matched the investor campaign: DLL side-loading to launch SPECTRALVIPER, with three different variants of the backdoor found across multiple hosts on the same network. The C2 server here was gatewayrvcenter[.]com. Beyond espionage, SPECTRALVIPER pulls double duty as a loader, injecting additional binaries or shellcode fetched from the C2 into target processes, which is how the group handled lateral movement once inside.

Why the Target Shift Matters

OceanLotus has been active since 2012, and its history reads like a survey of regional espionage. The group ran watering hole campaigns in 2017 and 2018 to profile hundreds of people and organizations connected to media, human rights, and civil society. It repeatedly went after Vietnamese dissidents and human rights defenders. It has also targeted China over the years. In December 2020, Meta tied the group's activity to a Vietnamese IT company called CyberOne Group, an exposure that pushed OceanLotus offline for nearly three years.

What ESET is flagging now is a center-of-gravity change. "Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets," the company said. Whether that's a permanent strategy or a temporary recalibration, the researchers can't yet say, but they were blunt about the group's capability: this "15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling."

SPECTRALVIPER itself isn't new. Elastic Security Labs first documented it in June 2023, when OceanLotus reappeared targeting Vietnamese public companies. The group's broader toolkit includes older implants like SOUNDBITE (also called Denis), PHOREAL (Rizzo), and WINDSHIELD (Remy). And the tooling keeps evolving across ecosystems. Last month, Kaspersky reported three malicious packages on the Python Package Index that delivered a new malware family dubbed ZiChatBot to Windows and Linux. The dropper behind it shared a 64% similarity with one previously linked to OceanLotus, a reminder that attribution often hangs on code reuse rather than a single smoking gun.

Practical Takeaways for Defenders and Vendors

The FireAnt case is a textbook argument for code signing and signature verification on every update channel, not just the initial download. If Metakit.exe had verified the cryptographic signature of setup.exe before executing it, this attack path would have been closed. Vendors shipping desktop software should treat update integrity as a baseline requirement: sign your binaries, verify signatures client-side, and serve update manifests over channels that an attacker can't silently rewrite. Pinning the expected publisher certificate is a reasonable next step.
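The two checks this paragraph and the earlier description of the unvalidated version.xml call for, as an added Go example that is not FireAnt's code or ESET's: the vendor signs the update manifest with a key whose public half is pinned in the client, and the client refuses to run an installer unless the manifest signature verifies and the installer hashes to the digest the manifest pins. The Manifest layout, the publisher key pair, the update URL and the installer bytes are all constructed for this example; the article does not describe FireAnt's real manifest fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest plays the role of an update descriptor like the version.xml the
// article describes; the fields are constructed for this example. The point
// is that it pins the SHA-256 of the installer it points to.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// SignManifest is the vendor-side release step: serialise the manifest and
// sign the exact bytes that will be served with the publisher's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = xml.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the client-side gate the article says was missing:
//  1. the manifest bytes must verify against the pinned publisher key, so an
//     attacker who controls the update URL cannot rewrite them;
//  2. the downloaded installer must hash to the digest the manifest pins, so a
//     swapped setup.exe is rejected before anything is executed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifestBytes, sig, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, manifestBytes, sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestBytes, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, errors.New("installer digest mismatch: refusing update")
	}
	return m, nil
}

// Demo runs three constructed scenarios: a genuine release, an installer
// swapped on the server, and a manifest rewritten by the attacker to bless
// that swap. Only the first should be accepted.
func Demo() (genuineOK, swappedInstallerRejected, rewrittenManifestRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed stand-in for the vendor's real setup.exe")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "2.0.1", URL: "https://updates.example/setup.exe", SHA256: hex.EncodeToString(sum[:])}
	body, sig, err := SignManifest(priv, m)
	if err != nil {
		return false, false, false, err
	}

	// 1. Untampered release: both checks pass.
	_, e := VerifyUpdate(pub, body, sig, genuine)
	genuineOK = e == nil

	// 2. Attacker swaps the binary behind the URL but leaves the manifest alone.
	evil := []byte("constructed stand-in for an attacker-planted downloader")
	_, e = VerifyUpdate(pub, body, sig, evil)
	swappedInstallerRejected = e != nil

	// 3. Attacker also rewrites the manifest to pin the evil digest, but has no
	//    private key, so the old signature no longer covers the new bytes.
	evilSum := sha256.Sum256(evil)
	rewritten := m
	rewritten.SHA256 = hex.EncodeToString(evilSum[:])
	rewrittenBody, _ := xml.Marshal(rewritten)
	_, e = VerifyUpdate(pub, rewrittenBody, sig, evil)
	rewrittenManifestRejected = e != nil
	return genuineOK, swappedInstallerRejected, rewrittenManifestRejected, nil
}

func main() {
	g, s, r, err := Demo()
	fmt.Println("genuine accepted:", g, "| swapped installer rejected:", s,
		"| rewritten manifest rejected:", r, "| err:", err)
}
```

The design choice worth noting is that the signature covers the manifest and the manifest pins the binary, so the updater never needs to trust the transport: the check holds even when the server and the URL are fully under an attacker's control, which is exactly the failure mode the article describes. Ed25519 stands in here for whatever publisher-signature scheme the vendor uses (Authenticode on the installer itself is the usual Windows choice); the structure of the check is the same.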

For defenders watching their own networks, DLL side-loading remains one of OceanLotus's favorite techniques, so it deserves attention. Legitimate processes like OneDrive.Sync.Service.exe loading unexpected DLLs, or trusted binaries running from unusual paths, are worth alerting on. The affected platforms here are Windows endpoints, with the PyPI angle extending exposure to Linux developer environments as well. Organizations using FireAnt Metakit should check for the indicators ESET published, including the C2 domains financemachinelearning[.]com and gatewayrvcenter[.]com, and review whether the suspect update ran in their environment between October 2025 and March 2026.
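One way to turn the side-loading signals in this paragraph into detection logic, as an added Go example that is not ESET's tooling: it parses constructed image-load records (the key="value" format is made up for this example; real Sysmon Event ID 7 records carry the same fields), and flags a load when the module is unsigned, when the module or the loading process lives outside roots a standard user cannot write to, or when the module name matches a published indicator. The sample log lines and the process and DLL paths in them are constructed; only DtlCrashCatch.dll and OneDrive.Sync.Service.exe come from the article.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one image-load record: which process loaded which module, and
// whether the module carried a valid publisher signature.
type Event struct {
	Process string
	Image   string
	Signed  bool
}

// Finding ties a flagged log line (0-based index) to the rules it tripped.
type Finding struct {
	Line    int
	Reasons []string
}

// kv matches the key="value" pairs of the constructed log format below.
var kv = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseEvent turns one log line into an Event.
func ParseEvent(line string) Event {
	var e Event
	for _, m := range kv.FindAllStringSubmatch(line, -1) {
		switch m[1] {
		case "process":
			e.Process = m[2]
		case "image":
			e.Image = m[2]
		case "signed":
			e.Signed = m[2] == "true"
		}
	}
	return e
}

// trustedRoots are directories a standard user cannot write to. A DLL that a
// trusted process pulls in from anywhere else is the classic side-load shape.
var trustedRoots = []string{
	`c:\windows\system32\`, `c:\windows\syswow64\`,
	`c:\program files\`, `c:\program files (x86)\`,
}

// iocModules holds module names published as indicators; the article names
// DtlCrashCatch.dll as the side-loaded DLL in this campaign.
var iocModules = map[string]bool{"dtlcrashcatch.dll": true}

func underTrustedRoot(path string) bool {
	p := strings.ToLower(path)
	for _, root := range trustedRoots {
		if strings.HasPrefix(p, root) {
			return true
		}
	}
	return false
}

func baseName(path string) string {
	return strings.ToLower(path[strings.LastIndex(path, `\`)+1:])
}

// Assess returns the reasons an event looks like DLL side-loading; an empty
// slice means nothing fired.
func Assess(e Event) []string {
	var reasons []string
	if !e.Signed {
		reasons = append(reasons, "unsigned module")
	}
	if !underTrustedRoot(e.Image) {
		reasons = append(reasons, "module loaded from a user-writable path")
	}
	if !underTrustedRoot(e.Process) {
		reasons = append(reasons, "loading process runs from an unusual path")
	}
	if iocModules[baseName(e.Image)] {
		reasons = append(reasons, "module name matches a published indicator")
	}
	return reasons
}

// Scan runs Assess over every line and keeps only the ones that fired.
func Scan(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		if r := Assess(ParseEvent(line)); len(r) > 0 {
			out = append(out, Finding{Line: i, Reasons: r})
		}
	}
	return out
}

// sampleLog is constructed for this example; it is not real telemetry.
var sampleLog = []string{
	`process="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\kernel32.dll" signed="true"`,
	`process="C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe" image="C:\Program Files\Microsoft OneDrive\SyncEngine.dll" signed="true"`,
	`process="C:\Users\Public\Libraries\Updater.exe" image="C:\Users\Public\Libraries\DtlCrashCatch.dll" signed="false"`,
	`process="C:\Program Files\Vendor\tool.exe" image="C:\ProgramData\Vendor\helper.dll" signed="false"`,
}

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("line %d: %s\n", f.Line, strings.Join(f.Reasons, "; "))
	}
}
```

On the sample, the first two lines (a system service and OneDrive loading signed modules from Program Files) stay quiet, the third fires all four rules, and the fourth fires on the unsigned module under ProgramData alone. The indicator match is the brittle rule, since a renamed DLL defeats it; the path and signature rules are what catch the next variant, at the cost of some tuning for software that legitimately loads unsigned plug-ins from user-writable locations.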

The construction firm intrusion adds a familiar lesson about exposed database servers. A public-facing Microsoft SQL server with an unpatched RCE flaw is an open door, and 15 months of undetected access shows how long an attacker can dwell once inside. Patching internet-exposed services, segmenting them away from sensitive internal systems, and monitoring for the kind of lateral movement SPECTRALVIPER enables all reduce how far a breach like this can spread. Supply chain compromise and exposed infrastructure are different doors into the same house, and OceanLotus has demonstrated it knows how to walk through both.
