OceanLotus (APT32) Deploys SPECTRALVIPER Backdoor in Domestic Espionage Campaigns, Including Supply-Chain Attack on Stock Investors

Vietnam's OceanLotus APT Pivots to Domestic Spying, Hits Construction and Finance Sectors

HIGH
June 11, 2026
4m read
Threat Actor, Supply Chain Attack, Cyberattack

Related Entities

Products & Tech: FireAnt MetaKit
Other: SPECTRALVIPER, FireAnt

Full Report

Executive Summary

OceanLotus (also known as APT32 or SeaLotus), a sophisticated threat actor aligned with Vietnamese state interests, has pivoted its operations to focus on domestic targets. A new report from cybersecurity firm ESET details two major espionage campaigns conducted between mid-2024 and March 2026. The first was a prolonged intrusion against a major Vietnamese construction corporation. The second was a stealthy supply-chain attack that compromised the update mechanism of FireAnt MetaKit, a popular stock investment application, to selectively deploy malware. In both operations, OceanLotus used its custom SPECTRALVIPER backdoor, signaling a strategic shift from foreign targets to domestic entities that may align with Vietnam's national priorities.


Threat Overview

ESET uncovered two distinct, long-running campaigns attributed to OceanLotus:

  1. Construction Firm Espionage (Mid-2024 – Feb 2026): The APT group maintained persistent access to the network of a major Vietnamese infrastructure and transport construction company for over a year. The initial access vector is suspected to be the exploitation of an RCE vulnerability in a public-facing Microsoft SQL server.
  2. FireAnt MetaKit Supply-Chain Attack (Oct 2025 – Mar 2026): OceanLotus compromised the update server for the FireAnt MetaKit software. By replacing a legitimate update with a malicious one, they were able to deliver their backdoor to a select group of stock market investors. The attack was successful because the software's update process used unencrypted HTTP and lacked digital signature verification, allowing the attackers to perform a man-in-the-middle style attack on the update process.

Technical Analysis

OceanLotus employed a range of sophisticated TTPs across these campaigns:

  • Initial Access: The group likely used T1190 - Exploit Public-Facing Application against the construction firm's SQL server. For the FireAnt campaign, they used T1195.002 - Compromise Software Supply Chain by tampering with the update mechanism.
  • Execution & Persistence: The primary payload, SPECTRALVIPER, was loaded using T1574.002 - DLL Side-Loading. The backdoor was executed by a legitimate, signed executable, making it difficult for basic security tools to detect.
  • Command and Control (C2): The SPECTRALVIPER backdoor communicated with a C2 server using a domain, financemachinelearning[.]com, specifically chosen to blend in with legitimate financial data traffic and evade detection by network security monitoring.
  • Targeting: The supply-chain attack was highly targeted. Instead of deploying the backdoor to all FireAnt users, OceanLotus selectively infected only a small subset, indicating a focus on high-value individuals within the Vietnamese financial sector.

Impact Assessment

These campaigns represent a significant strategic shift for OceanLotus, moving from foreign corporate and government targets to domestic ones. This could indicate the group is being tasked with supporting national policy, such as Vietnam's anti-corruption drive, by gathering intelligence on domestic companies and influential individuals. The supply-chain attack, in particular, demonstrates a high level of sophistication and patience, posing a severe risk to any organization or individual using the compromised software. The potential for data exfiltration could lead to insider trading, economic espionage, or blackmail.

IOCs — Directly from Articles

Type: Domain
Value: financemachinelearning[.]com
Description: Command-and-control server used in the FireAnt supply-chain attack.

Detection & Response

Security teams should focus on detecting the TTPs used by OceanLotus:

  1. Network Monitoring: Monitor for and block any outbound connections to the known C2 domain financemachinelearning[.]com. Use D3FEND's Network Traffic Analysis to hunt for suspicious C2-like traffic patterns.
  2. Endpoint Detection: Deploy EDR solutions to detect DLL side-loading. Monitor for legitimate applications loading unsigned or anomalously named DLLs from non-standard directories.
  3. Software Integrity: Use file integrity monitoring or application control solutions to verify the integrity of application updates, especially for third-party software. Look for changes in file hashes of core application components.
  4. Log Analysis: For the suspected initial vector, monitor MS SQL server logs for signs of exploitation or unusual queries. For D3FEND, this aligns with Database-level Policy Enforcement.
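Detection items 1 and 2 above, worked as an added example that is not from the report or from ESET: a watchlist match for the published C2 domain over a constructed DNS query log, and a DLL side-loading heuristic over constructed image-load events. The only value taken from the report is the defanged domain; the log format, the other host names, the trusted-path allowlist and the set of system DLL names are assumptions made for the example.

```python
import ntpath

# Indicator taken from the report, kept defanged in the watchlist.
C2_DOMAINS_DEFANGED = {"financemachinelearning[.]com"}

# Constructed sample DNS log, "<timestamp> <client_ip> <query>"; not real telemetry.
SAMPLE_DNS_LOG = """\
2026-03-02T09:14:07Z 10.20.1.15 updates.example-vendor.test
2026-03-02T09:14:09Z 10.20.1.15 financemachinelearning.com
2026-03-02T09:15:31Z 10.20.1.42 cdn.financemachinelearning.com.
2026-03-02T09:16:02Z 10.20.1.77 notfinancemachinelearning.com
2026-03-02T09:16:45Z 10.20.1.42 login.microsoftonline.com
"""

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable, normalised domain."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def domain_matches(query: str, watch_domain: str) -> bool:
    """Exact or subdomain match; a lookalike such as 'not<domain>' must not match."""
    q = query.lower().rstrip(".")
    return q == watch_domain or q.endswith("." + watch_domain)

def c2_domain_hits(dns_log: str, defanged_iocs):
    """Return (timestamp, client_ip, query) for each query touching a watched domain."""
    watch = {refang(i) for i in defanged_iocs}
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed or blank lines
            continue
        ts, client, query = parts
        if any(domain_matches(query, w) for w in watch):
            hits.append((ts, client, query.lower().rstrip(".")))
    return hits

# Roots where OS and installed vendor binaries normally live. Constructed allowlist; tune per estate.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# OS DLL names a signed program would normally resolve from System32. Illustrative subset.
SYSTEM_DLL_NAMES = {"version.dll", "wininet.dll", "dbghelp.dll", "cryptbase.dll"}

# Constructed image-load events, loosely modelled on Sysmon Event ID 7 fields.
SAMPLE_IMAGE_LOADS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageSigned": True,
     "ImageLoaded": "C:\\Windows\\System32\\wininet.dll", "DllSigned": True},
    {"Image": "C:\\Users\\analyst\\AppData\\Local\\Temp\\helper.exe", "ImageSigned": True,
     "ImageLoaded": "C:\\Users\\analyst\\AppData\\Local\\Temp\\version.dll", "DllSigned": False},
    {"Image": "C:\\Users\\analyst\\Downloads\\tool.exe", "ImageSigned": False,
     "ImageLoaded": "C:\\Users\\analyst\\Downloads\\libfoo.dll", "DllSigned": False},
    {"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageSigned": True,
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll", "DllSigned": False},
]

def sideload_alerts(events):
    """Flag signed processes loading unsigned or system-named DLLs from outside the trusted roots."""
    alerts = []
    for ev in events:
        dll = ev["ImageLoaded"].lower()
        if dll.startswith(TRUSTED_ROOTS):
            continue                  # loads from OS/vendor trees are out of scope for this rule
        reasons = []
        if ev["ImageSigned"] and not ev["DllSigned"]:
            reasons.append("signed process loaded an unsigned DLL outside trusted roots")
        if ev["ImageSigned"] and ntpath.basename(dll) in SYSTEM_DLL_NAMES:
            reasons.append("system DLL name resolved from a non-system directory")
        if reasons:
            alerts.append((ev["Image"], ev["ImageLoaded"], reasons))
    return alerts
```

The side-loading rule deliberately ignores loads from the trusted roots, so an unsigned plug-in under Program Files (the fourth sample event) produces no alert; that is a tuning choice, and a stricter estate would extend the rule with a per-application baseline of expected DLLs rather than a path allowlist alone.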

Mitigation

Organizations can take several steps to defend against these types of attacks:

  • M1051 - Update Software: Ensure all public-facing applications, such as Microsoft SQL servers, are promptly patched to prevent initial access via known vulnerabilities.
  • M1021 - Restrict Web-Based Content: Use outbound traffic filtering to block connections to known malicious domains and untrusted IP addresses.
  • Application Control: Implement application control policies, such as those using AppLocker or Windows Defender Application Control, to prevent the execution of unauthorized or unsigned DLLs. This corresponds to D3FEND's Executable Allowlisting.
  • Vendor Risk Management: For supply-chain threats, organizations should assess the security practices of their software vendors, prioritizing those who use secure update mechanisms (e.g., HTTPS, code signing).

Timeline of Events

1. June 1, 2024: OceanLotus begins prolonged intrusion into a Vietnamese construction corporation.
2. October 1, 2025: The supply-chain attack targeting FireAnt MetaKit users begins.
3. February 28, 2026: The intrusion at the construction firm is detected or ends.
4. March 31, 2026: The FireAnt MetaKit supply-chain attack campaign concludes.
5. June 11, 2026: This article was published.

MITRE ATT&CK Mitigations

Verifying the digital signatures of software updates can prevent the execution of tampered files, mitigating supply-chain attacks like the one on FireAnt.
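The update weaknesses named in the Threat Overview (plain HTTP, no signature verification) and the signed-update mitigation above, as an added example that is not the report's, ESET's or FireAnt's code: a weak update client beside a hardened one that requires an HTTPS endpoint, a manifest signed by a pinned publisher key, a payload hash pinned in that manifest, and a monotonic version. The signature scheme is a standard-library-only textbook RSA stand-in for Authenticode or Ed25519 and is not a production scheme; the manifest layout, the publisher URL and the payload bytes are constructed for the example.

```python
import hashlib
import json
import random

# Toy RSA over a SHA-256 digest, stdlib-only so the flow runs anywhere. Textbook RSA without
# padding is NOT a production signature scheme; real clients use a vetted library.
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; enough for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and odd
        if _is_probable_prime(c):
            return c

def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)); the publisher keeps d offline, clients pin (n, e)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private_key) -> int:
    n, d = private_key
    return pow(_digest_int(data), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(data)

def canonical(manifest: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def publish_update(private_key, version: str, payload: bytes):
    """Publisher side: the manifest pins the payload hash and an HTTPS URL, then is signed."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest(),
                "url": "https://updates.example-vendor.test/pkg"}   # constructed URL
    return manifest, sign(canonical(manifest), private_key), payload

def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def weak_client_accepts(payload: bytes) -> bool:
    """The pattern the report describes: plain HTTP, no signature, no hash.
    Whatever the server (or anyone on the path) returns is installed."""
    return payload is not None

def hardened_client_accepts(manifest, signature, payload, publisher_key, installed_version):
    """Return (accepted, reason); every check must pass before the payload is installed."""
    if not manifest.get("url", "").startswith("https://"):
        return False, "update endpoint is not HTTPS"
    if not verify(canonical(manifest), signature, publisher_key):
        return False, "manifest signature does not verify against the pinned publisher key"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "downgrade or replay of an already-installed version"
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload hash does not match the signed manifest"
    return True, "update accepted"

def run_scenarios():
    """One genuine update and the tampering a compromised update server could attempt."""
    pub, priv = generate_keypair()
    manifest, sig, payload = publish_update(priv, "2.1.0", b"constructed genuine update bytes")
    evil = b"constructed tampered update bytes"
    forged = dict(manifest, sha256=hashlib.sha256(evil).hexdigest())   # server lacks d, reuses old sig
    return {
        "genuine": hardened_client_accepts(manifest, sig, payload, pub, "2.0.3"),
        "swapped_payload": hardened_client_accepts(manifest, sig, evil, pub, "2.0.3"),
        "forged_manifest": hardened_client_accepts(forged, sig, evil, pub, "2.0.3"),
        "downgrade": hardened_client_accepts(manifest, sig, payload, pub, "2.1.0"),
        "weak_client": weak_client_accepts(evil),
    }
```

The point of the ordering in hardened_client_accepts is that a party who controls only the update server can change the payload and rewrite the manifest, but cannot produce a signature over the rewritten manifest without the publisher's private key, so the swapped payload fails the hash check and the rewritten manifest fails the signature check; the version check stops an old, genuinely signed manifest from being replayed to push a downgrade. The weak client accepts all of them.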

Use application control solutions to prevent legitimate processes from loading unauthorized or malicious DLLs, which would block DLL side-loading attacks.

Implement egress filtering on firewalls to block outbound connections to known malicious C2 domains and other untrusted destinations.

Promptly patching public-facing applications like Microsoft SQL Server closes the initial access vectors used by threat actors.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

OceanLotus, APT32, SPECTRALVIPER, Supply Chain Attack, Espionage, Vietnam, Threat Actor
