
OceanLotus Targets Vietnam Investors with SPECTRALVIPER Backdoor


"Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling," the Slovakian cybersecurity company said in a report shared with The Hacker News.

ESET attributes two campaigns to OceanLotus and describes a changing focus

ESET attributes two distinct campaigns to the Vietnam-aligned threat actor known as OceanLotus. According to the report, one campaign was a prolonged cyber espionage operation against a Vietnamese infrastructure and transport construction corporation that began in mid-2024 and continued until February 2026. The other was a supply chain attack targeting stock investors that ran from October 2025 to March 2026 and leveraged the FireAnt Metakit platform.

ESET noted the activity represents "an increasing emphasis on domestic espionage rather than external targets." The firm also tied OceanLotus to a broader history of operations dating back to 2012, including watering-hole profiling campaigns in 2017 and 2018 and past targeting of Vietnamese human rights defenders and dissidents.

FireAnt Metakit supply chain attack: timeline and mechanism

ESET reports the FireAnt Metakit supply chain compromise likely began around October 2, 2025, and continued through March 2026. The adversary used the software's legitimate update URL to deliver SPECTRALVIPER to a small, selective subset of stock investors in Vietnam.

  • The update configuration file located at "metakit.fireant[.]vn/Software/version.xml" "lacks an integrity validation mechanism" to ensure the update binary ("setup.exe") has not been tampered with, ESET said.
  • Because there was no signature validation, "Metakit.exe executed the malicious downloader as a legitimate update." The downloader performed basic host reconnaissance and used an HTTP POST to a staging server to request the next-stage payload.
  • ESET observed that the infection chain culminated in a DLL side-loading sequence and the execution of SPECTRALVIPER; ESET last saw malicious updates distributed through the compromised channel on March 9, 2026.
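The missing control in the three points above is an integrity check between the update manifest and the binary it points to. The following added example (not FireAnt's or ESET's code; the manifest schema, URL and installer bytes are constructed for illustration) contrasts a version-only updater with one that pins a SHA-256 digest in the manifest and refuses a tampered installer:

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed manifest in the spirit of a version.xml update descriptor
# (hypothetical schema, not FireAnt's real format). The hardened variant
# carries the SHA-256 of the installer the client is expected to fetch.
MANIFEST_XML = """<?xml version="1.0"?>
<update>
  <version>2.5.1</version>
  <url>https://updates.example.invalid/Software/setup.exe</url>
  <sha256>{digest}</sha256>
</update>"""

# Constructed installer bytes: the publisher's build and a tampered one.
GOOD_SETUP = b"MZ\x90\x00 constructed legitimate installer bytes"
BAD_SETUP = b"MZ\x90\x00 constructed trojanised installer bytes"


def build_manifest(installer: bytes) -> str:
    """Publisher side: pin the installer digest into the manifest."""
    return MANIFEST_XML.format(digest=hashlib.sha256(installer).hexdigest())


def insecure_update(manifest: str, installed: str, downloaded: bytes) -> bool:
    """Weak pattern: any newer version string gets executed, no integrity check,
    so a swapped setup.exe runs "as a legitimate update"."""
    root = ET.fromstring(manifest)
    return root.findtext("version") != installed


def verified_update(manifest: str, installed: str, downloaded: bytes) -> bool:
    """Hardened pattern: execute only if the downloaded bytes match the pinned
    digest. The manifest itself must arrive over an authenticated channel
    (TLS with pinning or a detached signature); otherwise an attacker who can
    rewrite version.xml can rewrite the digest as well."""
    root = ET.fromstring(manifest)
    if root.findtext("version") == installed:
        return False  # already current, nothing to run
    expected = (root.findtext("sha256") or "").lower()
    actual = hashlib.sha256(downloaded).hexdigest()
    # constant-time compare so the check does not leak digest prefixes via timing
    return len(expected) == 64 and hmac.compare_digest(expected, actual)
```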

SPECTRALVIPER: loading chain, C2 domains, and capabilities

SPECTRALVIPER — first documented by Elastic Security Labs in June 2023 — is central to both clusters. In the FireAnt activity the payload chain uses a legitimate binary to load a rogue DLL named "DtlCrashCatch.dll," which then injects into the OneDrive.Sync.Service.exe process to trigger SPECTRALVIPER.

The backdoor subsequently contacted a command-and-control server at "financemachinelearning[.]com" to send encrypted host information. In the infrastructure-targeting cluster, SPECTRALVIPER variants called back to "gatewayrvcenter[.]com" and were observed performing host profiling, facilitating lateral movement, and acting as a loader by injecting additional binaries or shellcode retrieved from the C2 server into target processes.

Intrusion at a Vietnamese transport construction firm: access and persistence

ESET reports OceanLotus covertly retained access to an unnamed Vietnamese infrastructure and transport construction company beginning as early as November 2024 and lasting until February 2026. While the initial access vector is not definitively established, ESET suspects exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server.

Across multiple compromised hosts on the same network, analysts identified three SPECTRALVIPER variants. The malware used DLL side-loading to establish persistence and provide the operators with host profiling, lateral-movement capabilities, and a loader mechanism to execute additional payloads from the C2 server.

What this means for stock investors, infrastructure firms, and defenders

  • Stock investors and FireAnt customers: The selective use of the legitimate FireAnt update channel to deliver malicious updates shows attackers can leverage popular investor platforms to reach specific user subsets; affected users will need to examine update integrity and evidence of the OneDrive.Sync.Service.exe injection described by ESET.
  • Infrastructure and construction firms: The multi-month clandestine access into a transport construction company highlights the risk posed by exposed Microsoft SQL services and the operational impact of persistent backdoors that support lateral movement and loaders.
  • Security teams and incident responders: The campaign underscores the importance of detecting DLL side-loading chains, monitoring unexpected injections into processes such as OneDrive.Sync.Service.exe, and tracking connections to the observed C2 domains "financemachinelearning[.]com" and "gatewayrvcenter[.]com."
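The three detection points listed above (side-loaded DLL, injection into OneDrive.Sync.Service.exe, DNS queries for the observed C2 domains) map directly onto Sysmon image-load, CreateRemoteThread and DNS events. The following added example (not from ESET's report; the event records, paths and the trusted-directory list are constructed) runs those rules over sample telemetry:

```python
# Indicators and process names taken from the ESET findings summarised above.
SIDELOAD_DLL = "dtlcrashcatch.dll"
INJECTION_TARGET = "onedrive.sync.service.exe"
C2_DOMAINS = {"financemachinelearning.com", "gatewayrvcenter.com"}
# Constructed allow-list: where a Microsoft-signed component is normally loaded from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style records: EventID 7 = ImageLoad,
# 8 = CreateRemoteThread, 22 = DNS query.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\upd\signed.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\upd\DtlCrashCatch.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\upd\signed.exe",
     "TargetImage": r"C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe",
     "QueryName": "financemachinelearning.com"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.microsoft.com"},
]


def detect(event: dict) -> list:
    """Return the names of the rules this single event matches (empty when clean)."""
    hits = []
    eid = event.get("EventID")
    if eid == 7:
        loaded = event.get("ImageLoaded", "").lower()
        # Side-loading: the named DLL loaded from outside the trusted directories.
        if loaded.endswith("\\" + SIDELOAD_DLL) and not loaded.startswith(TRUSTED_DIRS):
            hits.append("sideload_dll_untrusted_path")
    elif eid == 8:
        source = event.get("SourceImage", "").lower()
        target = event.get("TargetImage", "").lower()
        # Remote thread into the OneDrive sync service from an untrusted source image.
        if target.endswith("\\" + INJECTION_TARGET) and not source.startswith(TRUSTED_DIRS):
            hits.append("remote_thread_into_onedrive_sync")
    elif eid == 22:
        if event.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("dns_known_c2")
    return hits


def scan(events) -> dict:
    """Count rule hits across a batch of events."""
    counts = {}
    for event in events:
        for rule in detect(event):
            counts[rule] = counts.get(rule, 0) + 1
    return counts
```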

OceanLotus has been tied in the past to a physical front company exposed in December 2020 when Meta linked the group's activities to a Vietnamese IT company named CyberOne Group (also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited); the exposure, ESET recounted, led the group to go off the grid for nearly three years. More recently, Kaspersky reported finding PyPI packages that used a dropper sharing "64% similarity" with a dropper previously used by OceanLotus, illustrating continued reuse and evolution of delivery methods across platforms.

The factual record ESET and others set out shows a veteran actor renewing pressure on domestic targets inside Vietnam while retaining a capability to reach selective external audiences via supply-chain channels. Whether that shift proves a brief tactical pivot or a lasting change in objectives, in ESET's words, "remains unclear"; but the tooling, the DLL side-loading practices, and the observed C2 infrastructure leave concrete traces defenders can hunt for now.

Read the original report: https://thehackernews.com/2026/06/oceanlotus-hits-vietnam-investors-with.html