ThreatBrief AI

OceanLotus Hits Vietnam Investors With SPECTRALVIPER in FireAnt Attack

OceanLotus APT targeted Vietnam stock investors and infrastructure firms with SPECTRALVIPER backdoor via FireAnt supply chain compromise and SQL server exploitation in 2025-2026.

+ +

Published

Jun 12, 2026

Duration

5 min read

Risk Level

High Severity

Why it matters

OceanLotus (APT32), a Vietnam-aligned threat actor, has expanded domestic targeting with sophisticated supply chain attacks against stock investors and prolonged espionage against infrastructure firms. This shift from foreign espionage to domestic targets, likely tied to Vietnam’s Blazing Furnace anti-corruption campaign, signals an evolving operational focus that puts Vietnamese financial markets and critical infrastructure at sustained risk.

What happened

ESET researchers uncovered two distinct OceanLotus campaigns targeting Vietnamese entities between 2024 and 2026, both deploying the SPECTRALVIPER backdoor.

FireAnt Metakit supply chain attack (October 2025 – March 2026): The threat actor compromised the legitimate update mechanism of FireAnt Metakit, a popular stock investment platform in Vietnam. The update configuration at metakit.fireant.vn/Software/version.xml lacked any integrity validation mechanism, and the absence of SSL/TLS encryption made the protocol additionally vulnerable to interception. Metakit.exe executed the malicious downloader as a legitimate update. The downloader performed host reconnaissance and transmitted data via HTTP POST to a staging server. The payload chain deployed a DLL side-loading chain using DtlCrashCatch.dll, injected into OneDrive.Sync.Service.exe to trigger SPECTRALVIPER execution. Only a small subset of investors ultimately received the backdoor, indicating selective targeting.

Transport construction corporation espionage (November 2024 – February 2026): OceanLotus maintained covert access to an unnamed Vietnamese infrastructure and transport construction firm. Initial access is suspected through exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server. Three different SPECTRALVIPER variants were identified across multiple compromised hosts using shared and distinct C2 servers.

Technical details

SPECTRALVIPER operates as an active backdoor communicating over HTTPS. It sends a beacon to a hardcoded C2 address with encrypted host-profiling data embedded in the HTTP Cookie header, using either euconsent-v2= or zd_cs_pm= prefix depending on the campaign variant.

The malware supports lateral movement through an orchestration model: one SPECTRALVIPER instance acts as orchestrator communicating with C2 infrastructure and distributing commands to other compromised hosts via named pipe channels. Beyond its backdoor role, SPECTRALVIPER functions as a loader capable of injecting binaries or shellcode retrieved from the C2 into target processes using ProcessReflector and ProcessManager components.

An OPSEC lapse left RTTI names intact in one sample, revealing an internal framework codenamed XGU with Pivot and Feature subclasses encapsulating orchestration and remote-control capabilities.

C2 domains were crafted to blend with victim traffic — financemachinelearning.com for stock investors and gatewayrvcenter.com for the transport firm. Staging servers migrated from 139.162.11.152 to 142.91.98.77 during the FireAnt campaign.

Defender actions

  • Verify software update integrity mechanisms, particularly for financial and trading platforms — enforce signature validation and TLS for all update binaries
  • Monitor for DLL side-loading chains involving OneDrive.Sync.Service.exe and unsigned DLLs in IntelAudio\Service paths
  • Block all identified C2 domains and IPs on network appliances and SIEM platforms
  • Audit public-facing Microsoft SQL servers for known RCE vulnerabilities; apply latest patches
  • Monitor HTTP POST requests to /V1/Update/GetUpdate endpoints from trading software
  • Investigate beacon traffic with zd_cs_pm= or euconsent-v2= Cookie header prefixes to anomalous domains
  • Review named pipe inter-process communication between hosts for signs of SPECTRALVIPER orchestration

Indicators

23 indicators · TLP:clear

domain · c2 · high conf

financemachinelearning.com

SPECTRALVIPER C2 domain used in FireAnt supply chain campaign

Srcs: eset-research

domain · c2 · high conf

gatewayrvcenter.com

SPECTRALVIPER C2 domain used in transport construction firm campaign

Srcs: eset-research

domain · c2 · high conf

coachcybersecurity.com

SPECTRALVIPER C2 domain

Srcs: eset-research

domain · c2 · high conf

mxprodesign.com

SPECTRALVIPER C2 domain

Srcs: eset-research

domain · c2 · high conf

power-sync-services.com

SPECTRALVIPER C2 domain

Srcs: eset-research

domain · c2 · high conf

leadingfilipinoteams.com

SPECTRALVIPER C2 domain

Srcs: eset-research

ipv4 · c2 · high conf

38.60.245.187

SPECTRALVIPER C2 server

Srcs: eset-research

ipv4 · c2 · high conf

139.99.33.239

SPECTRALVIPER C2 server for coachcybersecurity.com

Srcs: eset-research

ipv4 · infrastructure · high conf

139.162.11.152

SPECTRALVIPER staging server early FireAnt campaign

Srcs: eset-research

ipv4 · c2 · high conf

139.180.128.42

SPECTRALVIPER C2 server for gatewayrvcenter.com

Srcs: eset-research

ipv4 · infrastructure · high conf

142.91.98.77

SPECTRALVIPER staging server late FireAnt campaign

Srcs: eset-research

ipv4 · c2 · high conf

166.88.77.186

SPECTRALVIPER C2 server for mxprodesign.com

Srcs: eset-research

ipv4 · c2 · high conf

194.68.26.241

SPECTRALVIPER C2 server for financemachinelearning.com

Srcs: eset-research

hash-sha1 · payload · high conf

511B77459673EC42163F19E300FF1D233B6C39FB

SPECTRALVIPER downloader setup.exe first iteration

Srcs: eset-research

hash-sha1 · payload · high conf

59A8553A4F8130F576AB234E0B220BE4D4DA0E98

SPECTRALVIPER downloader setup.exe stable version

Srcs: eset-research

hash-sha1 · payload · high conf

9CA1A5C7F79882DB913534C1E62B26BCDCB9F6DD

SPECTRALVIPER downloader setup.exe variant

Srcs: eset-research

hash-sha1 · payload · high conf

A8E2BBBFCB86500322D2367744FA12755AB0C165

SPECTRALVIPER downloader setup.exe variant

Srcs: eset-research

hash-sha1 · payload · high conf

F74F1FEB62B662CDA489FDB2453727824E55ACB9

SPECTRALVIPER downloader setup.exe variant

Srcs: eset-research

hash-sha1 · payload · high conf

865A1739337D3303B3AB02C5E694C22B79C42B7D

SPECTRALVIPER backdoor system.config.xml

Srcs: eset-research

hash-sha1 · payload · high conf

8CD78B8DB76563E4F972ABE817CEEE9CF9B00037

SPECTRALVIPER backdoor DtlCrashCatch.dll

Srcs: eset-research

hash-sha1 · payload · high conf

B0FEA981D02F6F76DE81EBAEFCB68B7D205D6194

SPECTRALVIPER backdoor NotificationConfig.json

Srcs: eset-research

hash-sha1 · payload · high conf

48FEBB91A10D1462461A012FAFC0918BB028E947

SPECTRALVIPER backdoor DtlCrashCatch.dll variant

Srcs: eset-research

hash-sha1 · payload · high conf

150764A71DEEF498DE6F8C95ECCCB4455C1B601F

SPECTRALVIPER backdoor SetupUi.dll

Srcs: eset-research