OceanLotus targets Vietnam investors and infrastructure with SPECTRALVIPER via FireAnt

Cyberattack abstract

OceanLotus is moving differently. The Vietnam‑aligned threat actor has been tied to two distinct campaigns that hit domestic entities and Vietnam stock investors with the SPECTRALVIPER backdoor, according to new research from ESET.

  • Domestic espionage against a Vietnamese infrastructure and transport construction corporation (mid‑2024 to February 2026)
  • A supply chain attack abusing the FireAnt Metakit update channel used by stock investors (October 2025 to March 2026)

ESET’s assessment: the operations signal a shift toward domestic collection. The group has been active since 2012 and previously targeted China. OceanLotus historically leveraged watering holes to profile site visitors across media, human rights, and civil society targets in 2017–2018, and has singled out Vietnamese human rights defenders and dissidents.

In December 2020, Meta linked OceanLotus activity to CyberOne Group (also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited). The company denied the allegations; the exposure pushed the group off the grid for nearly three years.

Tooling associated with OceanLotus includes SOUNDBITE (aka Denis), PHOREAL (aka Rizzo), WINDSHIELD (aka Remy), and more recently SPECTRALVIPER, first documented by Elastic Security Labs in June 2023 in campaigns against Vietnamese public companies.

As recently as last month, Kaspersky reported three malicious PyPI packages designed to deploy a previously unknown malware family, ZiChatBot, on Windows and Linux. The dropper used in that activity shares a “64% similarity” with another dropper used by OceanLotus, per Kaspersky’s analysis.

The FireAnt Metakit Supply Chain Attack

ESET assesses the FireAnt Metakit operation began around October 2, 2025, and ran until March 2026. The attackers abused the platform’s legitimate update URL to deliver SPECTRALVIPER to a small subset of investors — a selective, high‑precision delivery.

  • Update config location: “metakit.fireant[.]vn/Software/version.xml”
  • No integrity/signature validation for the update binary (“setup.exe”)
  • Result: Metakit.exe executed a malicious downloader as if it were a legitimate update
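The missing integrity check described in the bullets above, shown as an added example that is not part of ESET’s research or of the FireAnt software: a hardened update client that runs setup.exe only when the version.xml manifest carries a valid signature from a pinned publisher key and the downloaded binary hashes to the value the signed manifest names. The manifest field names, the example URL and the use of Ed25519 are assumptions; the real FireAnt schema is not on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a minimal version.xml (field names assumed; the real FireAnt schema is not on the page).
type Manifest struct {
	Version string `xml:"version"`
	URL     string `xml:"url"`
	SHA256  string `xml:"sha256"`
}

// BuildManifest serialises a manifest pinning the SHA-256 of the intended binary.
func BuildManifest(version, url string, binary []byte) ([]byte, error) {
	sum := sha256.Sum256(binary)
	return xml.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
}

// VerifyUpdate is the check the weak client lacked: the manifest must carry a valid Ed25519
// signature from the pinned publisher key, and the binary must hash to the value it names.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, binary []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(manifest, &m); err != nil {
		return fmt.Errorf("manifest parse error: %w", err)
	}
	if sum := sha256.Sum256(binary); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("binary hash does not match signed manifest: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // publisher key pair (constructed for the demo)
	genuine := []byte("constructed bytes standing in for the real setup.exe")
	swapped := []byte("constructed bytes standing in for a rogue downloader")
	manifest, _ := BuildManifest("1.2.3", "https://example.invalid/Software/setup.exe", genuine)
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("genuine:", VerifyUpdate(pub, manifest, sig, genuine)) // <nil>
	fmt.Println("swapped:", VerifyUpdate(pub, manifest, sig, swapped)) // hash mismatch error
}
```

A binary swapped at the update URL fails the hash check, and a manifest edited to name the swapped binary fails the signature check, so neither path reaches execution.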

Once launched, the downloader performed basic host reconnaissance and exfiltrated the data via HTTP POST to a staging server, requesting the next stage.

The payload chain used DLL side‑loading: a legitimate binary loaded a rogue DLL (“DtlCrashCatch.dll”), which injected into the OneDrive.Sync.Service.exe process to trigger SPECTRALVIPER execution. The backdoor then contacted its C2, “financemachinelearning[.]com,” and sent encrypted host information.

ESET has not observed additional malicious updates distributed through this channel since March 9, 2026, suggesting the operators may have concluded the campaign.

FireAnt Metakit attack flow

Vietnamese Transport Construction Corporation Targeted

OceanLotus also compromised an unnamed Vietnamese infrastructure and transport construction firm starting as far back as November 2024, maintaining covert access until February 2026. Initial access is unconfirmed; ESET suspects exploitation of remote code execution vulnerabilities on a public‑facing Microsoft SQL Server.

  • Persistence and execution via DLL side‑loading to deploy SPECTRALVIPER
  • Three SPECTRALVIPER variants identified across multiple hosts in the same network
  • C2: “gatewayrvcenter[.]com” for host‑profiling data and tasking
  • SPECTRALVIPER enables lateral movement and acts as a loader, injecting additional binaries or shellcode from C2 into target processes

SPECTRALVIPER activity overview

“Whether the shift represents a temporary adjustment or a long‑term strategic change remains unclear; however, this 15‑year‑old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling,” ESET said.

Overall takeaway from ESET: “Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets.”
