OceanLotus (APT32) Supply Chain Attack: SPECTRALVIPER Backdoor Targets FireAnt Platform and Vietnamese Infrastructure

Executive Summary

The advanced persistent threat group OceanLotus (also known as APT32), long associated with cyber-espionage in Southeast Asia, has recently pivoted to domestic targeting within Vietnam. Leveraging a newly identified backdoor named SPECTRALVIPER, OceanLotus executed a sophisticated supply chain attack against Vietnamese stock investors via the FireAnt investment platform and simultaneously compromised a major infrastructure and transport construction corporation. These campaigns, active from late 2024 through early 2026, demonstrate a significant escalation in both technical sophistication and strategic focus, with attackers exploiting trusted software distribution channels and advanced lateral movement techniques. The attacks highlight the urgent need for robust supply chain security, vigilant monitoring of update mechanisms, and advanced detection of process injection and side-loading tactics.

Threat Actor Profile

OceanLotus (APT32) is a highly capable, Vietnam-aligned threat actor known for its persistent and adaptive cyber-espionage operations. Historically, OceanLotus has targeted foreign governments, dissidents, and multinational corporations, but recent campaigns indicate a shift toward domestic Vietnamese entities, particularly those in finance and critical infrastructure. The group is characterized by its use of custom malware, supply chain compromise, and advanced evasion techniques. OceanLotus is also referred to as FireAnt, APT-C-00, and CobaltKitty in various threat intelligence reports. Its operations are mapped to the MITRE ATT&CK group G0050.

Technical Analysis of Malware/TTPs

The core of these campaigns is the deployment of the SPECTRALVIPER backdoor, a modular and stealthy malware platform. SPECTRALVIPER is delivered via DLL side-loading, abusing legitimate binaries such as OneDrive.Sync.Service.exe and IntelAudioService.exe (a renamed copy of dtlupdate.exe) to evade detection and gain execution within trusted processes. The infection chain begins with a trojanized setup.exe distributed through the compromised FireAnt update server, which lacks signature validation. Upon execution, the dropper performs host reconnaissance, exfiltrates system data via encrypted HTTP POST requests, and initiates a side-loading sequence by placing a rogue DLL (DtlCrashCatch.dll) alongside a legitimate binary. This DLL is then loaded into memory, injecting SPECTRALVIPER into a trusted process.

SPECTRALVIPER establishes encrypted command-and-control (C2) communications using HTTPS, custom User-Agent strings, and encrypted payloads embedded in HTTP Cookie headers. The malware supports a range of post-exploitation capabilities, including system information discovery, lateral movement via named pipes and process injection, and the loading of additional payloads or shellcode. Multiple variants of SPECTRALVIPER have been observed, each tailored for persistence, redundancy, and evasion within different victim environments.
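The C2 pattern described above (encrypted payloads in Cookie headers, custom User-Agent strings, known C2 hosts) lends itself to a simple proxy-log triage. The following is an added example written for this page, not code from the Rescana report or from any OceanLotus tooling. It assumes a constructed pipe-delimited log format (timestamp|client|host|user-agent|cookie) and a constructed baseline in which browsers identify as `Mozilla/...`; a real proxy or Zeek `http.log` export needs its own parser, and the entropy and length thresholds are assumptions to tune per environment.

```python
"""Proxy-log triage for cookie-borne C2 traffic: known C2 hosts, non-baseline
User-Agents, and long high-entropy cookie values that look like encrypted blobs.

Added example, not code from the report. Log format and baseline are assumed.
"""
import math
from collections import Counter

# Constructed sample log lines (not real traffic). Line 2 imitates the pattern:
# a host the report names as C2, a non-browser User-Agent, and a 64-character
# high-entropy cookie value standing in for an encrypted payload.
SAMPLE_LOG = """\
2026-01-12T09:14:03Z|10.0.5.21|intranet.example.local|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0|sessionid=abc123; theme=dark
2026-01-12T09:14:09Z|10.0.5.21|financemachinelearning.com|SyncClient/1.0|id=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
2026-01-12T09:15:41Z|10.0.5.33|cdn.example.com|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/122.0|token=0123456789abcdef0123456789abcdef
"""

# C2 domains named in the report (defanged there; written plainly here for matching).
KNOWN_C2 = {
    "financemachinelearning.com",
    "gatewayrvcenter.com",
    "coachcybersecurity.com",
    "mxprodesign.com",
    "power-sync-services.com",
}

# Assumed baseline: browsers identify as Mozilla/...; anything else reaching the
# internet over HTTP(S) deserves a look. Adjust for legitimate agents you run.
BASELINE_UA_PREFIXES = ("Mozilla/",)
ENTROPY_THRESHOLD = 4.5   # bits/char; hex tokens top out at 4.0, base64 blobs approach 6.0
MIN_VALUE_LEN = 48        # short values give unstable entropy estimates


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def cookie_values(header: str) -> list:
    """Extract the value part of each name=value pair in a Cookie header."""
    values = []
    for pair in header.split(";"):
        pair = pair.strip()
        if "=" in pair:
            values.append(pair.split("=", 1)[1].strip())
    return values


def triage_line(line: str):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    ts, client, host, ua, cookie = line.split("|", 4)
    reasons = []
    if host.lower() in KNOWN_C2:
        reasons.append(f"destination {host} is a known SPECTRALVIPER C2 domain")
    if not ua.startswith(BASELINE_UA_PREFIXES):
        reasons.append(f"non-baseline User-Agent {ua!r}")
    for value in cookie_values(cookie):
        if len(value) >= MIN_VALUE_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append(
                f"high-entropy cookie value ({len(value)} chars, "
                f"{shannon_entropy(value):.2f} bits/char)"
            )
    if not reasons:
        return None
    return {"timestamp": ts, "client": client, "host": host, "reasons": reasons}


def triage_log(text: str) -> list:
    """Run triage_line over every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = triage_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} -> {f['host']}")
        for r in f["reasons"]:
            print("   -", r)
```

The three checks are deliberately independent: a domain match is high confidence on its own, while the User-Agent and entropy checks are weaker signals that mainly serve to surface traffic to hosts not yet on a blocklist. Base64-encoded session tokens from legitimate applications will also exceed the entropy threshold, so treat entropy hits as a triage queue rather than an alert.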

The infrastructure attack leveraged public-facing Microsoft SQL servers, exploiting remote code execution vulnerabilities to gain initial access. The attackers then deployed SPECTRALVIPER across multiple hosts, using renamed binaries such as Genuine.exe, Updater.exe, and AutoCAD242.exe (all variants of Toolbox.exe with the -uiDll parameter) to facilitate DLL side-loading and maintain persistence.

Exploitation in the Wild

The supply chain attack on FireAnt was highly targeted, with only a subset of users receiving the malicious update between October 2025 and March 2026. The attackers demonstrated precise control over the update distribution, likely selecting victims based on predefined criteria. No further malicious updates were observed after March 9, 2026, suggesting the campaign was both time-bound and selective.

In the infrastructure sector, OceanLotus maintained persistent access to the victim organization for over a year, deploying multiple SPECTRALVIPER variants to ensure continued foothold and operational flexibility. The attackers utilized a diverse C2 infrastructure, including domains such as financemachinelearning[.]com, gatewayrvcenter[.]com, coachcybersecurity[.]com, mxprodesign[.]com, and power-sync-services[.]com, to manage different stages of the attack and evade network-based detection.

Victimology and Targeting

The primary victims of these campaigns are Vietnamese stock investors using the FireAnt MetaKit platform and a major infrastructure and transport construction corporation. The financial sector attack undermined trust in software update mechanisms, exposing sensitive business and financial data to exfiltration. The infrastructure attack targeted critical operational systems, enabling espionage and potential disruption of essential services. Both campaigns reflect a strategic focus on sectors vital to Vietnam’s economic and national security, with attackers demonstrating deep knowledge of local software ecosystems and business processes.

Mitigation and Countermeasures

Organizations using FireAnt MetaKit should immediately audit update logs for unauthorized downloads of setup.exe between October 2025 and March 2026, inspect systems for the presence of DtlCrashCatch.dll, and monitor for anomalous activity in OneDrive.Sync.Service.exe. Outbound connections to financemachinelearning[.]com must be blocked and closely monitored.

Infrastructure and transport companies should review Microsoft SQL server logs for signs of exploitation, search for DLL side-loading artifacts and SPECTRALVIPER variants, and block outbound connections to gatewayrvcenter[.]com, coachcybersecurity[.]com, mxprodesign[.]com, and power-sync-services[.]com. All organizations are strongly advised to implement code-signing validation for software updates, enhance monitoring for process injection and unusual child process creation from trusted binaries, and deploy advanced endpoint detection and response (EDR) solutions capable of identifying side-loading and in-memory injection techniques.

Regular threat hunting for the specific IOCs listed below, combined with user awareness training and strict access controls on update servers, will further reduce the risk of compromise.

About Rescana

Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their digital supply chains. Our platform leverages real-time intelligence, automated workflows, and deep analytics to provide actionable insights and strengthen your organization’s security posture. For questions or further information, we are happy to assist at ops@rescana.com.