OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack
OceanLotus APT targeted Vietnam stock investors and infrastructure firms with SPECTRALVIPER backdoor via FireAnt supply chain compromise and SQL server exploitation in 2025-2026.
Published
Jun 12, 2026Duration
5 min readRisk Level
High SeverityIntel Tags
Why it matters
OceanLotus (APT32), a Vietnam-aligned threat actor, has expanded domestic targeting with sophisticated supply chain attacks against stock investors and prolonged espionage against infrastructure firms. This shift from foreign espionage to domestic targets, likely tied to Vietnam’s Blazing Furnace anti-corruption campaign, signals an evolving operational focus that puts Vietnamese financial markets and critical infrastructure at sustained risk.
What happened
ESET researchers uncovered two distinct OceanLotus campaigns targeting Vietnamese entities between 2024 and 2026, both deploying the SPECTRALVIPER backdoor.
FireAnt Metakit supply chain attack (October 2025 – March 2026): The threat actor compromised the legitimate update mechanism of FireAnt Metakit, a popular stock investment platform in Vietnam. The update configuration at metakit.fireant.vn/Software/version.xml lacked any integrity validation mechanism, and the absence of SSL/TLS encryption made the protocol additionally vulnerable to interception. Metakit.exe executed the malicious downloader as a legitimate update. The downloader performed host reconnaissance and transmitted data via HTTP POST to a staging server. The payload chain deployed a DLL side-loading chain using DtlCrashCatch.dll, injected into OneDrive.Sync.Service.exe to trigger SPECTRALVIPER execution. Only a small subset of investors ultimately received the backdoor, indicating selective targeting.
Transport construction corporation espionage (November 2024 – February 2026): OceanLotus maintained covert access to an unnamed Vietnamese infrastructure and transport construction firm. Initial access is suspected through exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server. Three different SPECTRALVIPER variants were identified across multiple compromised hosts using shared and distinct C2 servers.
Technical details
SPECTRALVIPER operates as an active backdoor communicating over HTTPS. It sends a beacon to a hardcoded C2 address with encrypted host-profiling data embedded in the HTTP Cookie header, using either euconsent-v2= or zd_cs_pm= prefix depending on the campaign variant.
The malware supports lateral movement through an orchestration model: one SPECTRALVIPER instance acts as orchestrator communicating with C2 infrastructure and distributing commands to other compromised hosts via named pipe channels. Beyond its backdoor role, SPECTRALVIPER functions as a loader capable of injecting binaries or shellcode retrieved from the C2 into target processes using ProcessReflector and ProcessManager components.
An OPSEC lapse left RTTI names intact in one sample, revealing an internal framework codenamed XGU with Pivot and Feature subclasses encapsulating orchestration and remote-control capabilities.
C2 domains were crafted to blend with victim traffic — financemachinelearning.com for stock investors and gatewayrvcenter.com for the transport firm. Staging servers migrated from 139.162.11.152 to 142.91.98.77 during the FireAnt campaign.
Defender actions
- Verify software update integrity mechanisms, particularly for financial and trading platforms — enforce signature validation and TLS for all update binaries
- Monitor for DLL side-loading chains involving OneDrive.Sync.Service.exe and unsigned DLLs in IntelAudio\Service paths
- Block all identified C2 domains and IPs on network appliances and SIEM platforms
- Audit public-facing Microsoft SQL servers for known RCE vulnerabilities; apply latest patches
- Monitor HTTP POST requests to /V1/Update/GetUpdate endpoints from trading software
- Investigate beacon traffic with zd_cs_pm= or euconsent-v2= Cookie header prefixes to anomalous domains
- Review named pipe inter-process communication between hosts for signs of SPECTRALVIPER orchestration
Indicators
23 indicators · TLP:cleardomain · c2 · high conf
financemachinelearning.com
SPECTRALVIPER C2 domain used in FireAnt supply chain campaign
domain · c2 · high conf
gatewayrvcenter.com
SPECTRALVIPER C2 domain used in transport construction firm campaign
domain · c2 · high conf
coachcybersecurity.com
SPECTRALVIPER C2 domain
domain · c2 · high conf
mxprodesign.com
SPECTRALVIPER C2 domain
domain · c2 · high conf
power-sync-services.com
SPECTRALVIPER C2 domain
domain · c2 · high conf
leadingfilipinoteams.com
SPECTRALVIPER C2 domain
ipv4 · c2 · high conf
38.60.245.187
SPECTRALVIPER C2 server
ipv4 · c2 · high conf
139.99.33.239
SPECTRALVIPER C2 server for coachcybersecurity.com
ipv4 · infrastructure · high conf
139.162.11.152
SPECTRALVIPER staging server early FireAnt campaign
ipv4 · c2 · high conf
139.180.128.42
SPECTRALVIPER C2 server for gatewayrvcenter.com
ipv4 · infrastructure · high conf
142.91.98.77
SPECTRALVIPER staging server late FireAnt campaign
ipv4 · c2 · high conf
166.88.77.186
SPECTRALVIPER C2 server for mxprodesign.com
ipv4 · c2 · high conf
194.68.26.241
SPECTRALVIPER C2 server for financemachinelearning.com
hash-sha1 · payload · high conf
511B77459673EC42163F19E300FF1D233B6C39FB
SPECTRALVIPER downloader setup.exe first iteration
hash-sha1 · payload · high conf
59A8553A4F8130F576AB234E0B220BE4D4DA0E98
SPECTRALVIPER downloader setup.exe stable version
hash-sha1 · payload · high conf
9CA1A5C7F79882DB913534C1E62B26BCDCB9F6DD
SPECTRALVIPER downloader setup.exe variant
hash-sha1 · payload · high conf
A8E2BBBFCB86500322D2367744FA12755AB0C165
SPECTRALVIPER downloader setup.exe variant
hash-sha1 · payload · high conf
F74F1FEB62B662CDA489FDB2453727824E55ACB9
SPECTRALVIPER downloader setup.exe variant
hash-sha1 · payload · high conf
865A1739337D3303B3AB02C5E694C22B79C42B7D
SPECTRALVIPER backdoor system.config.xml
hash-sha1 · payload · high conf
8CD78B8DB76563E4F972ABE817CEEE9CF9B00037
SPECTRALVIPER backdoor DtlCrashCatch.dll
hash-sha1 · payload · high conf
B0FEA981D02F6F76DE81EBAEFCB68B7D205D6194
SPECTRALVIPER backdoor NotificationConfig.json
hash-sha1 · payload · high conf
48FEBB91A10D1462461A012FAFC0918BB028E947
SPECTRALVIPER backdoor DtlCrashCatch.dll variant
hash-sha1 · payload · high conf
150764A71DEEF498DE6F8C95ECCCB4455C1B601F
SPECTRALVIPER backdoor SetupUi.dll