Our monitoring of OceanLotus activities from 2024 to 2026 reveals a shift in operational focus. Throughout this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage. We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company.
Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; nonetheless, this 15-year-old APT group continues to demonstrate aggressive tactics and a degree of craftiness in its tooling.
Key points of this blogpost:
- From mid-2024 to February 2026, OceanLotus compromised the network of a Vietnamese infrastructure and transport construction company with its signature implant, SPECTRALVIPER.
- From October 2025 to March 2026, OceanLotus conducted a supply-chain attack leveraging FireAnt MetaKit, a software platform widely used by stock investors in Vietnam.
- Despite the broad potential impact of such an attack, we observed only a few individuals who ultimately received SPECTRALVIPER, indicating selective targeting.
- An OPSEC mistake provides us with an internal view of SPECTRALVIPER's architecture.
OceanLotus profile
OceanLotus, also known as APT32, is a cyberespionage group allegedly aligned with the interests of the Vietnamese government. According to our telemetry, activity attributed to this group dates back to 2012, and possibly earlier. OceanLotus primarily targets China and Southeast Asia (with a focus on Vietnam); it has been associated with a variety of operations, ranging from a massive digital profiling campaign to highly targeted attacks against Vietnamese human-rights activists.
OceanLotus is known for continuously innovating and expanding its arsenal of Windows and Linux backdoors, often implementing unique network protocols or tailoring the data collection capabilities to specific operational objectives. Its well-known tools include Denis (aka SOUNDBITE), implementing DNS tunneling for C&C communications; PHOREAL, which leverages the ICMP protocol for C&C communications; WINDSHIELD, which features an interesting proxy bypass mechanism; and its latest backdoor, SPECTRALVIPER, which includes orchestration capabilities.
OceanLotus: Exposure and realignment
Between 2017 and 2020, OceanLotus attracted significant public attention following several reports detailing its cyberespionage activities. These included large-scale watering-hole attacks targeting Southeast Asia in 2017–2018, intrusions into companies such as BMW and Hyundai in 2019, and the targeting of a Vietnamese dissident in Germany that same year. The group was also linked to operations against human rights defenders between 2019 and 2020, as well as espionage targeting the Wuhan municipal government in 2020.
However, the group's operations faced a setback in 2020 when Facebook publicly identified the company believed to be used as a front for OceanLotus. Following this exposure, public reporting on the group decreased significantly, and its activities received relatively little attention for several years.
OceanLotus resurfaced publicly in 2023 with a report from Elastic Security Labs that described an attack using a previously undocumented backdoor it named SPECTRALVIPER and that targeted Vietnamese businesses. Building on this, our research examines the group's more recent activity, observed from mid-2024 through early 2026. During this period, we identified two distinct campaigns that both relied on SPECTRALVIPER as their primary backdoor but had very different target victim profiles.
The first campaign involved the compromise of an infrastructure and transport construction company. This intrusion began in mid-2024 and persisted through January 2026.
The second campaign was a supply-chain attack that began in late 2025 and continued until March 2026. In this operation, OceanLotus compromised the update server of FireAnt MetaKit, a Vietnamese stock investment platform, and replaced legitimate software updates with a malicious payload that ultimately deployed SPECTRALVIPER. This campaign appears to have targeted stock investors and may be linked to Vietnam's recent efforts to promote securities market reforms, suggesting a possible connection to domestic monitoring or investigative objectives.
Finally, in July 2025, a supply-chain attack involving the upload of malicious wheel packages to the Python Package Index (PyPI) was attributed to OceanLotus. However, our telemetry did not identify any affected victims, and we lack sufficient visibility to independently verify that attribution.
Overall, the available evidence points to a possible shift in OceanLotus's operational patterns. Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets.
Context of this campaign
It is worth noting that OceanLotus's latest activities seem to align with various recent developments taking place on Vietnam's domestic scene.
In recent years, Vietnamese authorities have embarked upon a major campaign against corruption – a program dubbed Blazing Furnace. Similar to Xi Jinping's massive anti-corruption push in China, this effort, launched by the Communist Party of Vietnam, is intended to demonstrate to the population that the party is willing and able to clean up its ranks to maintain its legitimacy. Since 2016, this policy has led to several high-profile trials involving party officials or businessmen accused of bribing politicians. Moreover, two Vietnamese presidents have even been forced to resign since 2023, after they were publicly associated with corruption scandals. In 2025 alone, the party reportedly sanctioned 9,600 of its members in cases related to corruption, economic crimes, and abuse of position.
In this context, it seems likely that Vietnam's security apparatus is now deploying increasingly significant resources to fight corruption (and financial crime more broadly). We believe that OceanLotus could be somehow associated with these efforts, and that this may be another reason behind the group's apparent refocus on domestic intelligence and surveillance in the last two years or so. In fact, the two targets we identified in this campaign echo judicial sagas that recently agitated Vietnam's public sphere.
In late October 2025, for instance, Vietnam's financial regulation agency revealed that about 70 major national companies had been found to have misreported bond sales over the past decade – a revelation that led to a 5.5% slump in the country's main stock index. This announcement suggests that Vietnamese law enforcement was possibly deploying wide-ranging investigative efforts against the country's stock market at the time that OceanLotus was observed compromising the FireAnt stock trading app.
Based on these elements, we believe that OceanLotus's supply-chain attack was probably conducted as part of existing investigative efforts against corruption and financial crime in Vietnam.
Targeting stock investors
The supply chain
We estimate that the FireAnt supply-chain attack began around October 2025 and continued until March 2026. During this period, we identified a few stock investors exposed to the supply chain; however, only a small subset of them ultimately received the SPECTRALVIPER backdoor. Our team made several attempts to notify FireAnt of the incident but received no response.
FireAnt is a Vietnam-based fintech company that offers a platform for stock market data, analysis, and investment support tools for both individual and institutional investors. It is considered one of the leading digital investment platforms in Vietnam, providing real-time market data, technical analysis features, and AI-driven insights, along with a community component where investors can share information and opinions. Within this ecosystem, FireAnt MetaKit is a specialized software component focused on data delivery. It is designed to provide real-time and historical financial market data directly to technical analysis platforms such as AmiBroker, MetaStock, and MetaTrader.
On October 2nd, 2025, we detected the first malicious payload originating from FireAnt MetaKit's official update URL http://metakit.fireant[.]vn/Software/setup.exe. The domain resolved to the genuine IP address of the FireAnt update server, suggesting a supply-chain compromise scenario. Our analysis of this payload reveals a first-iteration downloader, indicating that this activity likely represents the early stage of the campaign, where OceanLotus was testing the delivery mechanism on the initial victims. In Table 1, we compare this initial downloader with the stable version observed later in the campaign.
Table 1. Comparison between the test version and the stable version of the downloader
| Criteria | First iteration | Stable version |
|---|---|---|
| First seen | 2025-10-02 | 2025-10-17 |
| Code obfuscation | None | Heavily obfuscated |
| Next-stage download | Hardcoded URLs | API request |
| Payload | An old SPECTRALVIPER sample that appeared in a previous campaign. | Fresh SPECTRALVIPER samples. |
| Infrastructure | Reused from the previous campaign. | New infrastructure. SPECTRALVIPER C&C domain financemachinelearning |
In addition to observing payloads delivered directly from the FireAnt update server, we identified flaws in the update protocol used by the FireAnt MetaKit software. Specifically, the update configuration file at http://metakit.fireant.vn/Software/version.xml lacks any integrity validation mechanism, as shown in Figure 1.

Second, the lack of SSL/TLS encryption in the network protocol used for obtaining both the version.xml file and any updated binary makes FireAnt MetaKit vulnerable to interception attacks; however, we have not observed OceanLotus leveraging this technique in this campaign.
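As an added example (not FireAnt's or ESET's code), the following Go update client shows the checks whose absence the two paragraphs above describe: the manifest must carry a valid publisher signature (Ed25519 here), the download URL it names must be HTTPS, and the downloaded binary is pinned to the hash committed in the signed manifest. The `<update>` element layout, the example.invalid host and the in-memory payloads are assumptions constructed for the demo; the real MetaKit manifest format was not published.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a minimal version.xml-style update descriptor. The element names are an
// assumption for this example; the real MetaKit manifest layout was not published.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// VerifyManifest applies the checks the page notes are missing: the manifest must be signed
// by the publisher key pinned in the client, and the URL it names must be HTTPS.
func VerifyManifest(pub ed25519.PublicKey, manifestXML, sig []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifestXML, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, err
	}
	if !strings.HasPrefix(strings.ToLower(m.URL), "https://") {
		return nil, errors.New("update URL is not https")
	}
	if _, err := hex.DecodeString(m.SHA256); err != nil || len(m.SHA256) != 64 {
		return nil, errors.New("manifest has no usable sha256")
	}
	return &m, nil
}

// VerifyPayload pins the downloaded binary to the hash the signed manifest committed to.
func VerifyPayload(m *Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if !strings.EqualFold(hex.EncodeToString(sum[:]), m.SHA256) {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

func buildManifest(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(fmt.Sprintf(`<update><version>1.2.3</version>`+
		`<url>https://updates.example.invalid/Software/setup.exe</url><sha256>%x</sha256></update>`, sum))
}

// SimulateUpdate runs the client checks over constructed in-memory data. With tamper set it
// replays the page's scenario: manifest and binary are swapped on the server without the
// publisher's private key, so the original signature no longer covers the served manifest.
func SimulateUpdate(tamper bool) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	payload := []byte("legitimate setup.exe bytes (constructed)")
	manifest := buildManifest(payload)
	sig := ed25519.Sign(priv, manifest)
	if tamper {
		payload = []byte("trojanized setup.exe bytes (constructed)")
		manifest = buildManifest(payload) // attacker rewrites the hash but cannot re-sign
	}
	m, err := VerifyManifest(pub, manifest, sig)
	if err != nil {
		return err
	}
	return VerifyPayload(m, payload)
}

func main() {
	fmt.Println("clean update:", SimulateUpdate(false))
	fmt.Println("tampered update:", SimulateUpdate(true))
}
```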
The execution chain
Due to the absence of signature validation, Metakit.exe executed the malicious downloader as a legitimate update. Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload (Figure 2).

Across all observed samples, the download API V1/Update/GetUpdate remained consistent. However, the staging infrastructure evolved over time, with C&C servers initially hosted at 139.162.11[.]152 and later migrating to 142.91.98[.]77.
In the next stage, the downloader deployed a side-loading chain involving DtlCrashCatch.dll, which is SPECTRALVIPER configured as a loader, and its companion executable, IntelAudioService.exe. The latter was executed with the command:
C:\Users\[redacted]\IntelAudioService\IntelAudioService.exe /appmodel /StateRepository /Service
Analysis revealed that IntelAudioService.exe is in fact a copy of the legitimate, signed executable dtlupdate.exe, as shown in Figure 3.

Once executed, DtlCrashCatch.dll injects itself into the OneDrive.Sync.Service.exe process, enabling execution in backdoor mode. The backdoor then issues a beacon request to the hardcoded URL https://financemachinelearning[.]com/kit/wind/twig/statement.html, embedding encrypted host information within the HTTP Cookie header. Historically, this data was prefixed with euconsent-v2=; however, in this campaign, we observed the use of the prefix zd_cs_pm= (Figure 4), marking the first instance of this change.

The complete execution chain is summarized in Figure 5.

Since March 9th, 2026, we have not observed any further malicious updates being distributed through the compromised channel, suggesting that the supply-chain attack has probably concluded.
Targeting a large corporation
We assess that the compromise of the corporate network of a Vietnamese infrastructure and transport construction company began as early as November 2024 and persisted until February 2026. Although the initial access vector was not directly observed, our analysis of the victim's public-facing servers suggests that the attacker may have exploited remote code execution (RCE) vulnerabilities in a Microsoft SQL server to establish an initial foothold.
During this period, we identified several SPECTRALVIPER variants deployed within the network, using both shared and distinct C&C servers. Notably, these deployments exhibited slight variations, possibly tailored to the environments of compromised hosts (Figure 6).

Real.exe, Updater.exe, and AutoCAD242.exe in Figure 6 are variants of the same legitimate and signed executable Toolbox.exe (Figure 7), all of which require the command line parameter -uiDll for the side-loading mechanism to function correctly. Similar to the supply-chain attack, the side-loaded DLL is SPECTRALVIPER in its loader configuration, which subsequently injects the SPECTRALVIPER backdoor into a host process.
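Both campaigns rely on renamed copies of signed executables as side-loading hosts: IntelAudioService.exe as a copy of dtlupdate.exe in the supply-chain chain, and Real.exe, Updater.exe and AutoCAD242.exe as copies of Toolbox.exe launched with -uiDll here. The Go check below is an added example, not part of the original post, of how a defender can flag that pattern from endpoint telemetry. It assumes Sysmon-style process-creation fields (Image, OriginalFileName, CommandLine) and runs over constructed sample records, not real telemetry from these incidents.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event holds the Sysmon-style process-creation fields this check needs.
type Event struct {
	Image, OriginalFileName, CommandLine string
}

// SampleLines are constructed records in a simple key=value|key=value layout; they mimic
// the hosts described on the page but are not real telemetry from the incidents.
var SampleLines = []string{
	`Image=C:\Users\victim\IntelAudioService\IntelAudioService.exe|OriginalFileName=dtlupdate.exe|CommandLine=IntelAudioService.exe /appmodel /StateRepository /Service`,
	`Image=C:\Users\victim\AppData\Local\Updater\Updater.exe|OriginalFileName=Toolbox.exe|CommandLine=Updater.exe -uiDll`,
	`Image=C:\Program Files\Vendor\Toolbox.exe|OriginalFileName=Toolbox.exe|CommandLine=Toolbox.exe -uiDll`,
	`Image=C:\Windows\System32\svchost.exe|OriginalFileName=svchost.exe|CommandLine=svchost.exe -k netsvcs`,
}

// ParseEvent splits one record into the three fields; unknown keys are ignored.
func ParseEvent(line string) Event {
	var e Event
	for _, kv := range strings.Split(line, "|") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			continue
		}
		switch parts[0] {
		case "Image":
			e.Image = parts[1]
		case "OriginalFileName":
			e.OriginalFileName = parts[1]
		case "CommandLine":
			e.CommandLine = parts[1]
		}
	}
	return e
}

// userWritable is a coarse heuristic for directories a downloader can write to without
// admin rights (user profiles, ProgramData, temp). Extend it to match local policy.
func userWritable(p string) bool {
	l := strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
	return strings.Contains(l, "/users/") || strings.Contains(l, "/programdata/") || strings.Contains(l, "/temp/")
}

// Evaluate returns one string per matched rule; an empty result means neither rule fired.
// Rule 1: the on-disk name differs from the PE's OriginalFileName (a renamed signed host).
// Rule 2: a Toolbox.exe copy is launched with the -uiDll parameter the side-load needs.
// Both rules only apply to images in user-writable locations to keep vendor installs quiet.
func Evaluate(e Event) []string {
	var hits []string
	if !userWritable(e.Image) {
		return hits
	}
	img := strings.ToLower(path.Base(strings.ReplaceAll(e.Image, `\`, "/")))
	orig := strings.ToLower(e.OriginalFileName)
	if orig != "" && img != orig {
		hits = append(hits, fmt.Sprintf("renamed signed host: %s is really %s", img, orig))
	}
	if orig == "toolbox.exe" && strings.Contains(strings.ToLower(e.CommandLine), "-uidll") {
		hits = append(hits, "Toolbox.exe copy launched with -uiDll from a user-writable path")
	}
	return hits
}

// Scan evaluates every record and returns the findings per line, in input order.
func Scan(lines []string) [][]string {
	out := make([][]string, len(lines))
	for i, l := range lines {
		out[i] = Evaluate(ParseEvent(l))
	}
	return out
}

func main() {
	for i, h := range Scan(SampleLines) {
		fmt.Printf("record %d: %v\n", i+1, h)
	}
}
```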

Table 2 lists the C&C domains observed during this incident.
Table 2. SPECTRALVIPER's C&C domains observed from the incident
| C&C domain | IP | First seen |
|---|---|---|
| gatewayrvcenter[.]com | 139.180.128[.]42 | 2025-09-20 |
| coachcybersecurity[.]com | 139.99.33[.]239 | 2024-07-08 |
| mxprodesign[.]com | 166.88.77[.]186 | 2024-07-12 |
| power-sync-services[.]com | 103.119.47[.]104 | 2024-07-06 |
SPECTRALVIPER: A structural view
Our analysis of SPECTRALVIPER aligns closely with findings reported by Elastic Security Labs. Rather than reiterating previously published details, we extend that work by providing additional insight into the structure of the malware's internal classes.
During our investigation, we identified two samples containing RTTI information, which allowed us to reconstruct a partial class hierarchy. This perspective provides deeper visibility into SPECTRALVIPER's capabilities, as well as its underlying architectural design.
At a high level, SPECTRALVIPER operates as an active backdoor communicating with its C&C server over HTTPS. It initiates communication by sending a beacon to a hardcoded address using a predefined User-Agent header, with encrypted host-profiling data embedded in the HTTP Cookie header and prefixed with either euconsent-v2= or zd_cs_pm=.
The C&C domains appear to be carefully crafted for each campaign to blend in with the victim's network traffic. For instance, financemachinelearning[.]com was used in operations targeting stock investors, while gatewayrvcenter[.]com was observed in activity targeting the infrastructure and transport construction company's network.
SPECTRALVIPER also supports lateral movement through an orchestration model, in which one instance is designated as an orchestrator responsible for communicating with the C&C infrastructure. This orchestrator distributes commands to other compromised hosts via named pipe channels. Within the codebase, inter-instance communication is implemented through methods such as XGU::Pivot::StartLink and XGU::Pivot::Inside::WaitNew_RemotePipe.
Analysis of these method names suggests that XGU represents an internal framework underpinning SPECTRALVIPER. The Pivot subclass inherits from XGU and is responsible for orchestration functionality. Another key subclass, Function, encapsulates the malware's remote-control capabilities, as illustrated in Figure 8.

Beyond its role as a backdoor, SPECTRALVIPER functions as a capable loader, able to inject itself – as well as additional binaries or shellcode received from the C&C – into target processes. In both campaigns we analyzed, SPECTRALVIPER was configured to initially execute in a loader role, injecting its backdoor component into a separate process rather than relying on a standalone loader. These process manipulation and injection capabilities are implemented through the ProcessReflector and ProcessManager classes, as shown in Figure 9.

Conclusion
In this blogpost, we have provided updates on OceanLotus, a Vietnam-aligned APT group. According to our telemetry, activity observed between 2024 and 2026 suggests that the group has put an increasing focus on domestic espionage. We describe two incidents during this period: a supply-chain attack leveraging FireAnt MetaKit to target stock investors in Vietnam, and the compromise of a Vietnamese infrastructure and transport construction company. In both cases, OceanLotus deployed its signature backdoor, SPECTRALVIPER, on victim systems. Notably, an operational security (OPSEC) lapse resulted in RTTI names being left intact in a SPECTRALVIPER sample, enabling us to reconstruct parts of the backdoor's internal architecture.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
MITRE ATT&CK techniques
This table was built using version 19 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | FireAnt MetaKit update servers were compromised. |
| | T1190 | Exploit Public-Facing Application | Suspected Microsoft SQL RCE exploitation. |
| Execution | T1059 | Command and Scripting Interpreter | SPECTRALVIPER was deployed using curl. |
| | T1204 | User Execution | Users might have initiated the MetaKit update. |
| Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | SPECTRALVIPER was executed via side-loading. |
| Defense Evasion | T1055 | Process Injection | SPECTRALVIPER can be injected into various processes. |
| | T1036 | Masquerading | Side-loading hosts were renamed. |
| | T1027 | Obfuscated Files or Information | The malicious downloaders and the backdoor are heavily obfuscated. |
| | T1553.002 | Subvert Trust Controls: Code Signing | The absence of signature validation in the FireAnt MetaKit update protocol was abused. |
| Discovery | T1082 | System Information Discovery | The malicious downloaders and the backdoor profiled host machines. |
| Lateral Movement | T1570 | Lateral Tool Transfer | SPECTRALVIPER orchestration uses a named pipe. |
| | T1021 | Remote Services | The SPECTRALVIPER orchestrator can distribute commands to other instances. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SPECTRALVIPER and the downloader both use HTTPS. |
| | T1573 | Encrypted Channel | All SPECTRALVIPER C&C communications are encrypted. |
| | T1105 | Ingress Tool Transfer | A fake update downloaded and executed SPECTRALVIPER. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | SPECTRALVIPER exfiltrates data over its C&C channel. |