OceanLotus APT Executes Precision Supply-Chain Attack Targeting Vietnamese Stock Investors The advanced persistent threat (APT) group OceanLotus (APT32) conducted a sophisticated supply-chain compromise of FireAnt MetaKit, a widely used Vietnamese market-data component, deploying its SPECTRALVIPER backdoor to target stock investors. The operation, active from October 2025 to March 2026, exploited FireAnt’s unencrypted HTTP update mechanism, allowing attackers to serve malicious payloads via its legitimate update URL. The attack began with test iterations before escalating to heavily obfuscated downloaders, which used campaign-specific infrastructure, including the domain financemachinelearning[.]com, designed to blend with financial traffic. The downloader performed host reconnaissance, sent profiling data to a staging server, and deployed a side-loading chain involving DtlCrashCatch.dll (a SPECTRALVIPER loader) alongside a renamed, legitimately signed executable (IntelAudioService.exe). The malware then injected into OneDrive.Sync.Service.exe, beaconing to HTTPS command-and-control (C2) servers with encrypted host data embedded in HTTP cookie headers (using the zd_cs_pm= prefix). In parallel, OceanLotus maintained a long-running espionage campaign against a Vietnamese infrastructure and transport construction firm from mid-2024 to February 2026, using tailored SPECTRALVIPER variants side-loaded via legitimate executables (e.g., Toolbox.exe). Initial access likely exploited remote code execution (RCE) vulnerabilities in public SQL servers. A rare OPSEC lapse retained RTTI symbols in malware samples allowed researchers to reconstruct parts of SPECTRALVIPER’s internal class hierarchy, revealing its role as an HTTPS-based backdoor with orchestration capabilities. Compromised hosts communicated via named pipes, with designated "orchestrator" instances relaying commands to other infected systems. The attack’s timing and targeting align with Vietnam’s intensified anti-corruption and financial investigations, including the "Blazing Furnace" campaigns and regulatory scrutiny of bond misreporting in late 2025. This suggests the operation supported domestic surveillance or financial-crime probes rather than broad espionage or indiscriminate theft. OceanLotus, active since at least 2020 and resurgent with SPECTRALVIPER in 2023, has refined its tactics, favoring selective, domestically focused operations while retaining advanced tooling for stealthy supply-chain compromises. The group’s C2 infrastructure included domains like gatewayrvcenter[.]com and coachcybersecurity[.]com, hosted across providers such as OVH, Akamai, and Leaseweb, with no new malicious updates detected after March 9, 2026, indicating a possible cessation or disruption of the campaign.