ESET Links New OceanLotus Campaigns to Domestic Vietnam Spying

CyberSecureFox Editorial Team

ESET researchers have attributed two 2024–2026 campaigns to the OceanLotus (APT32) group, targeting domestic Vietnamese entities: an infrastructure construction corporation and stock investors. Both operations used the SPECTRALVIPER backdoor, and one of them was a supply-chain attack via the popular investment platform FireAnt Metakit. In ESET’s assessment, these campaigns signal a possible strategic pivot by the group from external to domestic espionage — a trend that warrants attention from organizations in Vietnam and the Southeast Asia region.

Group profile and strategic context

OceanLotus is an APT group linked to Vietnam and, according to researchers, has been active since 2012. Historically, the group has specialized in external cyberespionage and has a documented history of attacks against China. In 2017–2018, OceanLotus conducted watering hole attacks to profile visitors to websites associated with the media, human rights organizations, and civil society. Separate campaigns were directed against Vietnamese human rights defenders and dissidents.

After the public exposure of an alleged link between the group and a Vietnamese IT company in December 2020, OceanLotus went largely quiet for almost three years, according to ESET. The group’s return was observed in 2023, when Elastic Security Labs documented SPECTRALVIPER in a campaign against Vietnamese publicly listed companies. The group’s toolkit also includes SOUNDBITE (Denis), PHOREAL (Rizzo), and WINDSHIELD (Remy).

ESET’s key analytical takeaway is that the identified campaigns indicate a shift in OceanLotus’s focus from external to domestic Vietnamese targets. It remains unclear whether this is a temporary adjustment or a long-term strategic change.

FireAnt Metakit supply-chain attack

The first campaign was a supply-chain attack via FireAnt Metakit, a popular software platform for stock investors in Vietnam. According to ESET, the attack likely began around October 2, 2025 and continued until March 2026.

The attackers abused the platform’s legitimate update mechanism to deliver SPECTRALVIPER to a limited number of investors, indicating a selective approach to victim targeting. The critical weakness was the absence of any integrity verification: the update process, driven by the configuration file at metakit.fireant[.]vn/Software/version.xml, did not validate the signature of the downloaded setup.exe binary.

The infection chain unfolded as follows:

  1. The Metakit.exe application downloaded the malicious loader as a legitimate update because no signature verification was performed.
  2. The loader carried out basic host reconnaissance and sent the collected data via HTTP POST to an intermediate server, requesting the next-stage payload.
  3. The payload used a DLL side-loading technique: a legitimate binary loaded the malicious library DtlCrashCatch.dll.
  4. The malicious DLL injected itself into the OneDrive.Sync.Service.exe process, launching SPECTRALVIPER.
  5. The backdoor established communication with the C2 server financemachinelearning[.]com and transmitted encrypted host information.

ESET reports that after March 9, 2026, no further malicious updates were observed being distributed via the compromised channel, which may indicate that the operators had concluded the campaign.
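As an added illustration, not code from ESET, FireAnt or this article, the following Go program contrasts the missing check described above with a hardened update client. The manifest layout, the Ed25519 scheme and the pinned publisher key are assumptions, since the page does not describe the real version.xml format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Manifest is an assumed shape for a version.xml descriptor (the real FireAnt Metakit
// format is not given on the page); Signature is a hex Ed25519 signature over the binary.
type Manifest struct {
	SHA256    string `xml:"sha256"`
	Signature string `xml:"signature"`
}
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// SignManifest is the publisher-side step: digest and sign the genuine setup.exe bytes.
func SignManifest(priv ed25519.PrivateKey, bin []byte) []byte {
	out, _ := xml.Marshal(Manifest{SHA256: digest(bin),
		Signature: hex.EncodeToString(ed25519.Sign(priv, bin))})
	return out
}

// VerifyUpdate is the hardened client step: the downloaded bytes must match the manifest
// digest AND verify under the publisher key pinned in the build. A digest alone proves
// nothing, since whoever controls the update channel can rewrite it as well.
func VerifyUpdate(pub ed25519.PublicKey, manifest, bin []byte) error {
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return fmt.Errorf("bad manifest: %w", err)
	}
	if m.SHA256 != digest(bin) {
		return fmt.Errorf("digest mismatch: binary does not match manifest")
	}
	if sig, err := hex.DecodeString(m.Signature); err != nil || !ed25519.Verify(pub, bin, sig) {
		return fmt.Errorf("signature invalid: refusing to run update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client would pin
	genuine := []byte("constructed: genuine setup.exe bytes")
	fmt.Println(VerifyUpdate(pub, SignManifest(priv, genuine), genuine)) // <nil>
	// A channel attacker swaps the binary and recomputes the digest, but cannot sign it.
	swapped := []byte("constructed: trojanized setup.exe bytes")
	forged, _ := xml.Marshal(Manifest{SHA256: digest(swapped)})
	fmt.Println(VerifyUpdate(pub, forged, swapped)) // signature invalid: refusing to run update
}
```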

Prolonged compromise of a construction corporation

The second campaign targeted an unnamed Vietnamese corporation in the infrastructure and transport construction sector. According to the researchers, covert access to the organization’s network was maintained from November 2024 to February 2026 — more than 15 months.

The exact initial access vector has not been established, but ESET believes the attackers exploited remote code execution vulnerabilities in a publicly accessible Microsoft SQL server. They then deployed SPECTRALVIPER via DLL side-loading. On several compromised hosts within the same network, three distinct variants of the backdoor were discovered, indicating active development of the toolset.

In this campaign, SPECTRALVIPER connected to the C2 server gatewayrvcenter[.]com to exfiltrate host profiling data and receive instructions. The backdoor also enabled lateral movement within the network and acted as a loader, injecting additional binaries or shellcode from the C2 into target processes.

Indicators of compromise

  • C2 domains: financemachinelearning[.]com, gatewayrvcenter[.]com
  • Compromised update channel: metakit.fireant[.]vn/Software/version.xml
  • Malicious files: DtlCrashCatch.dll, setup.exe
  • Abuse of legitimate processes: OneDrive.Sync.Service.exe, Metakit.exe

Impact assessment and affected sectors

Two categories face the highest risk: Vietnamese critical infrastructure organizations (transport, construction) and users of the FireAnt Metakit investment software. The supply-chain attack is particularly dangerous because it exploits users’ trust in a legitimate update mechanism. The long-term compromise of the construction corporation (over a year) demonstrates the group’s ability to maintain a persistent foothold in a network, creating risks of confidential data leakage related to major infrastructure projects.

It is important to recognize the limitations of the available data: the attribution and assessment of OceanLotus’s strategic pivot are based primarily on research by a single vendor (ESET). Independent confirmation from other research teams is not yet available.

Practical recommendations

  • FireAnt Metakit users: scan systems for the listed IOCs, especially the DtlCrashCatch.dll file and network connections to financemachinelearning[.]com. Contact the platform developer to obtain information on measures taken to secure the update mechanism.
  • Organizations with publicly accessible Microsoft SQL servers: audit configuration, ensure current patches are applied, and restrict direct internet access.
  • Network monitoring: set up detection of DLL side-loading — in particular, track loading of unusual DLLs by legitimate processes, as well as injections into OneDrive.Sync.Service.exe.
  • Software developers: implement cryptographic signature verification for updates. The lack of integrity validation in FireAnt Metakit was a key factor in the success of the attack.
  • Network traffic inspection: block or monitor connections to the domains financemachinelearning[.]com and gatewayrvcenter[.]com.
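The following Go snippet is an added example, not from the article or from ESET, of the side-loading and injection monitoring recommended above, run over constructed Sysmon-style events. The Event shape, the userWritable path heuristic and the sample paths are assumptions; the DLL name and injection target come from the described chain.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed stand-in for Sysmon-style telemetry: Target is the DLL path
// for ImageLoad and the target process for CreateRemoteThread; Image is the acting process.
type Event struct{ Kind, Image, Target string }

func base(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }
func dir(p string) string  { return strings.ToLower(p[:strings.LastIndexAny(p, `\/`)+1]) }

// userWritable is this example's heuristic (not from the article) for "unusual" DLL paths.
func userWritable(p string) bool {
	p = strings.ToLower(p)
	return strings.Contains(p, `\users\`) || strings.Contains(p, `\programdata\`) || strings.Contains(p, `\temp\`)
}

// Classify returns an alert when an event matches the DLL named in the article or the
// side-loading / injection patterns it says to watch, and "" for anything else.
func Classify(e Event) string {
	switch e.Kind {
	case "ImageLoad":
		if base(e.Target) == "dtlcrashcatch.dll" { // loader DLL named in the article
			return "known side-loaded DLL DtlCrashCatch.dll loaded by " + base(e.Image)
		}
		if userWritable(e.Target) && dir(e.Image) == dir(e.Target) { // EXE dropped beside a rogue DLL
			return "possible DLL side-loading: " + base(e.Image) + " loaded " + e.Target
		}
	case "CreateRemoteThread":
		if base(e.Target) == "onedrive.sync.service.exe" && base(e.Image) != base(e.Target) {
			return "remote thread into OneDrive.Sync.Service.exe from " + base(e.Image)
		}
	}
	return ""
}

func main() { // constructed events mirroring the chain: side-loaded DLL, then injection
	tmp := `C:\Users\bob\AppData\Local\Temp\`
	for _, e := range []Event{
		{"ImageLoad", tmp + "legit.exe", tmp + "DtlCrashCatch.dll"},
		{"ImageLoad", tmp + "legit.exe", tmp + "helper.dll"},
		{"ImageLoad", `C:\Windows\System32\svchost.exe`, `C:\Windows\System32\rpcrt4.dll`},
		{"CreateRemoteThread", tmp + "legit.exe", `C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe`},
	} {
		fmt.Printf("%-18s %q\n", e.Kind, Classify(e))
	}
}
```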

The identified OceanLotus campaigns highlight two tactical priorities for the group: exploiting trust in software supply chains and maintaining long-term covert presence in the networks of large organizations. Organizations in Vietnam, especially in critical infrastructure and financial sectors, should immediately scan their systems for the listed indicators of compromise and strengthen integrity controls around the update mechanisms of the software they use.

