OceanLotus APT Executes Precision Supply-Chain Attack Targeting Vietnamese Stock Investors
The advanced persistent threat (APT) group OceanLotus (APT32) conducted a sophisticated supply-chain compromise of FireAnt MetaKit, a widely used Vietnamese market-data component, deploying its SPECTRALVIPER backdoor to target stock investors. The operation, active from October 2025 to March 2026, exploited FireAnt’s unencrypted HTTP update mechanism, allowing attackers to serve malicious payloads via its legitimate update URL.
The attack began with test iterations before escalating to heavily obfuscated downloaders, which used campaign-specific infrastructure, including the domain financemachinelearning[.]com, designed to blend with financial traffic. The downloader performed host reconnaissance, sent profiling data to a staging server, and deployed a side-loading chain involving DtlCrashCatch.dll (a SPECTRALVIPER loader) alongside a renamed, legitimately signed executable (IntelAudioService.exe). The malware then injected into OneDrive.Sync.Service.exe, beaconing to HTTPS command-and-control (C2) servers with encrypted host data embedded in HTTP cookie headers (using the zd_cs_pm= prefix).
In parallel, OceanLotus maintained a long-running espionage campaign against a Vietnamese infrastructure and transport construction firm from mid-2024 to February 2026, using tailored SPECTRALVIPER variants side-loaded via legitimate executables (e.g., Toolbox.exe). Initial access was likely gained by exploiting remote code execution (RCE) vulnerabilities in publicly exposed SQL servers. A rare OPSEC lapse, RTTI symbols left in the malware samples, allowed researchers to reconstruct parts of SPECTRALVIPER’s internal class hierarchy, revealing its role as an HTTPS-based backdoor with orchestration capabilities. Compromised hosts communicated via named pipes, with designated "orchestrator" instances relaying commands to other infected systems.
The attack’s timing and targeting align with Vietnam’s intensified anti-corruption and financial investigations, including the "Blazing Furnace" campaigns and regulatory scrutiny of bond misreporting in late 2025. This suggests the operation supported domestic surveillance or financial-crime probes rather than broad espionage or indiscriminate theft.
OceanLotus, active since at least 2020 and resurgent with SPECTRALVIPER in 2023, has refined its tactics, favoring selective, domestically focused operations while retaining advanced tooling for stealthy supply-chain compromises. The group’s C2 infrastructure included domains like gatewayrvcenter[.]com and coachcybersecurity[.]com, hosted across providers such as OVH, Akamai, and Leaseweb, with no new malicious updates detected after March 9, 2026, indicating a possible cessation or disruption of the campaign.
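As an added example (not code from the report, from FireAnt or from the researchers), the following Python triage filter applies the indicators described above, the zd_cs_pm= cookie prefix, the named campaign domains and plaintext HTTP fetches of executable payloads, to constructed proxy log lines. The log format, the workstation names and the update host update.example.invalid are assumptions made for the demonstration.

```python
"""Added example, not code from the report: a triage filter over constructed
proxy log lines that flags a Cookie value beginning with "zd_cs_pm=" (the
SPECTRALVIPER beacon), traffic to the campaign domains named in the report,
and plaintext HTTP fetches of executable payloads (the update weakness)."""
import re
from urllib.parse import urlsplit

# Domains from the report, with the defanging brackets removed for matching.
CAMPAIGN_DOMAINS = {"financemachinelearning.com", "gatewayrvcenter.com",
                    "coachcybersecurity.com"}
COOKIE_PREFIX = "zd_cs_pm="
PAYLOAD_EXT = (".exe", ".dll")

# Constructed log format: "<src_host> <method> <url> cookie=<Cookie header or ->"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) cookie=(.*)$")

def has_beacon_cookie(cookie_header):
    """True if any cookie in the header starts with the beacon prefix."""
    return any(c.strip().startswith(COOKIE_PREFIX)
               for c in cookie_header.split(";"))

def classify(line):
    """Return alert reasons for one log line; an empty list means no match."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed-line"]
    _src, _method, url, cookie = m.groups()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host in CAMPAIGN_DOMAINS:
        reasons.append("campaign-domain")
    if cookie != "-" and has_beacon_cookie(cookie):
        reasons.append("beacon-cookie")
    if u.scheme == "http" and u.path.lower().endswith(PAYLOAD_EXT):
        reasons.append("plaintext-http-payload")
    return reasons

def triage(lines):
    """Map each flagged line to its reasons; unflagged lines are dropped."""
    return {ln: classify(ln) for ln in lines if classify(ln)}

# Constructed sample lines; hosts other than the report's domains are invented.
SAMPLE_LOG = [
    "ws01 GET https://example.org/index.html cookie=-",
    "ws01 GET http://update.example.invalid/DtlCrashCatch.dll cookie=-",
    "ws02 GET https://gatewayrvcenter.com/api cookie=sid=1; zd_cs_pm=QWJjZA==",
    "ws03 POST https://financemachinelearning.com/p cookie=-",
]
```

Calling triage(SAMPLE_LOG) returns the three flagged lines with their reasons; the benign first line is dropped.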
Source: https://gbhackers.com/oceanlotus-targets-stock-investors/
FireAnt.vn cybersecurity rating report: https://www.rankiteo.com/company/fireant-vn
"id": "FIR1781188040",
"linkid": "fireant-vn",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "Stock investors",
      "industry": "Financial Services",
      "location": "Vietnam",
      "name": "FireAnt MetaKit",
      "type": "Market-data component"
    },
    {
      "industry": "Construction/Infrastructure",
      "location": "Vietnam",
      "type": "Infrastructure and transport construction firm"
    }
  ],
  "attack_vector": ["Supply-chain compromise", "Remote code execution (RCE) vulnerabilities"],
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "sensitivity_of_data": "High (financial and operational intelligence)",
    "type_of_data_compromised": ["Host profiling data", "Encrypted host data"]
  },
  "date_detected": "2025-10-01",
  "date_resolved": "2026-03-09",
  "description": "The advanced persistent threat (APT) group OceanLotus (APT32) conducted a sophisticated supply-chain compromise of FireAnt MetaKit, a widely used Vietnamese market-data component, deploying its SPECTRALVIPER backdoor to target stock investors. The operation exploited FireAnt’s unencrypted HTTP update mechanism, allowing attackers to serve malicious payloads via its legitimate update URL. The attack involved test iterations, heavily obfuscated downloaders, and campaign-specific infrastructure. OceanLotus also maintained a long-running espionage campaign against a Vietnamese infrastructure and transport construction firm, using tailored SPECTRALVIPER variants.",
  "impact": {
    "data_compromised": true,
    "operational_impact": "Espionage and data exfiltration",
    "systems_affected": ["Market-data components (FireAnt MetaKit)", "Infrastructure and transport construction firm systems"]
  },
  "initial_access_broker": {
    "backdoors_established": ["SPECTRALVIPER backdoor"],
    "high_value_targets": ["Stock investors", "Infrastructure and transport construction firm"]
  },
  "investigation_status": "Completed (campaign ceased or disrupted)",
  "motivation": ["Domestic surveillance", "Financial-crime probes"],
  "post_incident_analysis": {
    "root_causes": ["Unencrypted HTTP update mechanism", "RCE vulnerabilities in public SQL servers"]
  },
  "references": [{"source": "Cybersecurity Research Report"}],
  "threat_actor": "OceanLotus (APT32)",
  "title": "OceanLotus APT Executes Precision Supply-Chain Attack Targeting Vietnamese Stock Investors",
  "type": ["Supply-chain attack", "Espionage"],
  "vulnerability_exploited": "Unencrypted HTTP update mechanism in FireAnt MetaKit"
}