OceanLotus, a Vietnam-aligned advanced persistent threat group active since 2012, has been linked to two coordinated cyber-espionage campaigns targeting domestic institutions and stock-market investors. Security researchers connect both operations through their shared use of a malware backdoor known as SPECTRALVIPER, which appeared in separate but overlapping intrusion chains spanning critical infrastructure and financial software ecosystems in Vietnam.
According to findings shared by ESET, the first campaign was a prolonged espionage operation against a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026. In parallel, a second cluster of activity ran from October 2025 to March 2026 and centred on a supply-chain compromise of FireAnt Metakit, a platform widely used by stock investors in Vietnam. This second intrusion reportedly abused the software's legitimate update mechanism to deliver malicious payloads to a limited number of users, indicating selective targeting rather than broad distribution. The group has also shifted its operational behaviour toward domestic intelligence collection while keeping its historical interest in regional targets, including entities in China and civil society organisations it had monitored previously.
The FireAnt Metakit intrusion chain shows how a trusted software distribution channel was abused to deliver malware. Attackers are believed to have used the official update URL hosted at metakit.fireant.vn to push a tampered installer file, which executed with no integrity validation in place. Because the update configuration performed no signature verification, Metakit.exe treated the compromised executable as legitimate and ran a malicious downloader. Once active, the downloader performed system reconnaissance and sent the collected data to a staging server in an HTTP request, the response to which supplied the next-stage payload. The chain continued with dynamic-link library (DLL) side-loading: a legitimate application was used to load a rogue library named DtlCrashCatch.dll, which injected itself into the OneDrive.Sync.Service.exe process and ultimately launched SPECTRALVIPER. The backdoor then communicated with a command-and-control server identified as financemachinelearning.com, transmitting encrypted host data.
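The missing control described above, as an added illustration that is not FireAnt's code nor part of the researchers' report: an updater that pins the publisher's Ed25519 public key and refuses to run any installer whose detached signature does not verify over the installer's SHA-256 digest. The key pair, installer bytes and publisher-side signing routine are constructed so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when the installer bytes do not match the signature.
var ErrBadSignature = errors.New("installer rejected: signature does not verify against pinned key")

// VerifyInstaller returns nil only if sig is a valid Ed25519 signature, made by the
// pinned publisher key, over the SHA-256 digest of the downloaded installer bytes.
// A missing or malformed pinned key is a hard failure, never a fall-through to "run it".
func VerifyInstaller(pinned ed25519.PublicKey, installer, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize {
		return errors.New("pinned key missing or malformed: refusing to run update")
	}
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// SignInstaller is the publisher-side counterpart (build server); it is included only
// so the example can produce a signature locally, it would never ship in the client.
func SignInstaller(priv ed25519.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return ed25519.Sign(priv, digest[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	genuine := []byte("constructed: genuine installer bytes")
	sig := SignInstaller(priv, genuine)
	fmt.Println("genuine installer:", VerifyInstaller(pub, genuine, sig)) // <nil>

	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01 // a single flipped bit, as a tampered update would differ
	fmt.Println("tampered installer:", VerifyInstaller(pub, tampered, sig))

	fmt.Println("no pinned key:", VerifyInstaller(nil, genuine, sig))
}
```

The deciding property is that verification fails closed: with no pinned key configured the client still refuses to execute, which is the state the compromised update configuration lacked.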
Beyond the investor-focused campaign, OceanLotus was also observed maintaining long-term access to a Vietnamese infrastructure and transport construction organisation over a period extending from late 2024 to early 2026. Although the initial entry vector remains unconfirmed, researchers suspect exploitation of remote code execution vulnerabilities in a publicly exposed Microsoft SQL server. Once inside, the group deployed multiple variants of SPECTRALVIPER across compromised systems within the network. These variants enabled lateral movement and functioned as loaders that could retrieve additional payloads or shellcode from external command-and-control infrastructure, including gatewayrvcenter.com. The malware also supported sustained host profiling and data exfiltration while keeping persistence on internal systems, indicating a structured approach to long-term espionage rather than short-term disruption.
Security analysts noted that SPECTRALVIPER has evolved into a flexible backdoor capable of multi-stage infection, process injection, and modular expansion through remote payload delivery. Earlier observations by Elastic Security Labs and subsequent analysis by other cybersecurity firms, including Kaspersky, have associated OceanLotus tooling with a broader malware ecosystem, including Python-based droppers and additional custom families used for stealthy deployment. Researchers also highlighted that the group has refined its targeting following earlier exposure of its infrastructure and alleged front-company links reported in previous investigations, suggesting a more selective operational posture focused on strategic intelligence gathering within Vietnam's domestic sectors.