Our tracking of OceanLotus activities from 2024–2026 reveals a shift in operational focus. During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage. We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company.

Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling.

Key points of this blogpost:
  • From mid-2024 to February 2026, OceanLotus compromised the network of a Vietnamese infrastructure and transport construction corporation with its signature implant, SPECTRALVIPER.
  • From October 2025 to March 2026, OceanLotus carried out a supply-chain attack leveraging FireAnt MetaKit, a software platform widely used by stock investors in Vietnam.
  • Despite the broad potential impact of such an attack, we observed only a few individuals who ultimately received SPECTRALVIPER, indicating selective targeting.
  • An OPSEC mistake provides us with an internal view of SPECTRALVIPER’s architecture.

OceanLotus profile

OceanLotus, also known as APT32, is a cyberespionage group allegedly aligned with the interests of the Vietnamese government. According to our telemetry, activity attributed to this group dates back to 2012, and possibly earlier. OceanLotus mainly targets China and Southeast Asia (with a focus on Vietnam); it has been associated with a variety of operations, ranging from a massive digital profiling campaign to highly targeted attacks against Vietnamese human-rights activists.

OceanLotus is known for continuously innovating and expanding its arsenal of Windows and Linux backdoors, often implementing unique network protocols or tailoring data collection capabilities to specific operational objectives. Its well-known tools include Denis (aka SOUNDBITE), which implements DNS tunneling for C&C communications; PHOREAL, which leverages the ICMP protocol for C&C communications; WINDSHIELD, which features an interesting proxy bypass mechanism; and its latest backdoor, SPECTRALVIPER, which includes orchestration capabilities.

OceanLotus: Exposure and realignment

Between 2017 and 2020, OceanLotus attracted significant public attention following multiple reports detailing its cyberespionage activities. These included large-scale watering-hole attacks targeting Southeast Asia in 2017–2018, intrusions into corporations such as BMW and Hyundai in 2019, and the targeting of a Vietnamese dissident in Germany that same year. The group was also linked to operations against human rights defenders between 2019 and 2020, as well as espionage targeting the Wuhan municipal government in 2020.

However, the group’s operations faced a setback in 2020 when Facebook publicly identified the company believed to be used as a front for OceanLotus. Following this exposure, public reporting on the group diminished significantly, and its activities received comparatively little attention for several years.

OceanLotus resurfaced publicly in 2023 with a report from Elastic Security Labs that described an attack using a previously undocumented backdoor it named SPECTRALVIPER and that targeted Vietnamese businesses. Building on this, our research examines the group’s more recent activity, observed from mid-2024 through early 2026. During this period, we identified two distinct campaigns that both relied on SPECTRALVIPER as their primary backdoor but had very different target victim profiles.

The first campaign involved the compromise of an infrastructure and transport construction corporation. This intrusion began in mid-2024 and persisted through January 2026.

The second campaign was a supply-chain attack that began in late 2025 and continued until March 2026. In this operation, OceanLotus compromised the update server of FireAnt MetaKit, a Vietnamese stock investment platform, and replaced legitimate software updates with a malicious payload that ultimately deployed SPECTRALVIPER. This campaign appears to have targeted stock investors and may be linked to Vietnam’s recent efforts to promote securities market reforms, suggesting a possible connection to domestic monitoring or investigative objectives.

Finally, in July 2025, a supply-chain attack involving the upload of malicious wheel packages to the Python Package Index (PyPI) was attributed to OceanLotus. However, our telemetry did not identify any affected victims, and we lack sufficient visibility to independently verify that attribution.

Overall, the available evidence points to a potential shift in OceanLotus’s operational patterns. Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets.

Context of this campaign

It is worth noting that OceanLotus’s latest activities seem to align with various recent developments taking place on Vietnam’s domestic scene.

In recent years, Vietnamese authorities have embarked upon a major crusade against corruption, a program dubbed Blazing Furnace. Similar to Xi Jinping’s large-scale anti-corruption push in China, this effort, launched by the Communist Party of Vietnam, is intended to demonstrate to the population that the party is willing and able to clean up its ranks in order to maintain its legitimacy. Since 2016, this policy has led to several high-profile trials involving party officials or businessmen accused of bribing politicians. Furthermore, two Vietnamese presidents have been forced to resign since 2023 after being publicly associated with corruption scandals. In 2025 alone, the party reportedly sanctioned 9,600 of its members in cases related to corruption, economic crimes, and abuse of position.

In this context, it seems likely that Vietnam’s security apparatus is now devoting increasingly significant resources to fighting corruption (and financial crime more broadly). We believe that OceanLotus may be associated in some way with these efforts, and that this may be another reason behind the group’s apparent refocus on domestic intelligence and surveillance over the last two years or so. In fact, the two targets we identified in this campaign echo legal cases that have recently stirred Vietnam’s public arena.

In late October 2025, for instance, Vietnam’s financial regulation agency revealed that about 70 major national companies had been found to have misreported bond sales over the past decade, a revelation that led to a 5.5% slump in the country’s main stock index. This announcement suggests that Vietnamese law enforcement was possibly deploying wide-ranging investigative efforts against the country’s stock market at the very time OceanLotus was observed compromising the FireAnt MetaKit update channel.

Based on these elements, we believe that OceanLotus’s supply-chain attack was probably conducted as part of current investigative efforts against corruption and financial crime in Vietnam.

Targeting stock investors

The supply chain

We estimate that the FireAnt supply-chain attack began around October 2025 and continued until March 2026. During this period, we identified a few stock investors exposed to the compromised update channel; however, only a small subset of them ultimately received the SPECTRALVIPER backdoor. Our team made multiple attempts to notify FireAnt of the incident but received no response.

FireAnt is a Vietnam‑based fintech company that offers a platform for stock market data, analysis, and investment support tools for both individual and institutional investors. It is considered one of the leading digital investment platforms in Vietnam, providing real‑time market data, technical analysis features, and AI‑driven insights, along with a community component where investors can share information and opinions. Within this ecosystem, FireAnt MetaKit is a specialized software component focused on data delivery. It is designed to provide real‑time and historical financial market data directly to technical analysis platforms such as AmiBroker, MetaStock, and MetaTrader.

On October 2nd, 2025, we detected the first malicious payload originating from FireAnt MetaKit’s legitimate update URL http://metakit.fireant[.]vn/Software/setup.exe. The domain resolved to the genuine IP address of the FireAnt update server, suggesting that the update server itself had been compromised rather than the traffic hijacked in transit. Our analysis of this payload reveals a first-iteration downloader, indicating that this activity likely represents the early stage of the campaign, in which OceanLotus was testing the delivery mechanism on the initial victims. In Table 1, we compare this initial downloader with the stable version observed later in the campaign.

Table 1. Comparison between the test version and the stable version of the downloader

Criteria | First iteration | Stable version
First seen | 2025-10-02 | 2025-10-17
Code obfuscation | None | Heavily obfuscated
Next-stage download | Hardcoded URLs | API request
Payload | An old SPECTRALVIPER sample that appeared in a previous campaign | Fresh SPECTRALVIPER samples
Infrastructure | Reused from the previous campaign | New infrastructure; the SPECTRALVIPER C&C domain financemachinelearning[.]com was crafted to target stock investors

In addition to observing payloads delivered directly from the FireAnt update server, we identified two weaknesses in the update protocol used by FireAnt MetaKit. First, the update configuration file at http://metakit.fireant[.]vn/Software/version.xml carries no integrity or authenticity check: neither the configuration nor the binary it points to is signed, so the client has no way to distinguish a vendor-issued update from a substituted one, as shown in Figure 1.

Figure 1. FireAnt MetaKit update configurations

Second, both version.xml and the updated binary are fetched over cleartext HTTP rather than SSL/TLS, so an on-path attacker could substitute either in transit. We have not, however, observed OceanLotus leveraging this technique in this campaign; the malicious payloads were served by the genuine update server.
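The two missing checks described above (update authenticity and payload integrity, plus refusal of a cleartext channel) look like this in a hardened update client. This is an added example, not FireAnt's code or anything recovered from MetaKit: the manifest element names, the URL and the payload bytes are constructed, and HMAC-SHA256 with a shared key stands in for a real detached signature so that the block runs on the Python standard library alone. A production updater would pin a public key in the client and use an asymmetric scheme (Ed25519 or Authenticode) instead, but the ordering of the checks is the same.

```python
"""Hardened update-client check for a version.xml-style manifest.

Added example, not FireAnt's or ESET's code. Element names, URLs, payloads
and the signing key are all constructed. HMAC-SHA256 is a stand-in for an
asymmetric signature so the example is self-contained.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inputs: a "legitimate" and a "trojanised" setup.exe, and a key
# standing in for the vendor's manifest-signing key (assumption, see above).
GOOD_PAYLOAD = b"MZ\x90\x00legitimate setup.exe"
BAD_PAYLOAD = b"MZ\x90\x00trojanised setup.exe"
VENDOR_KEY = b"vendor-manifest-signing-key"


def canonical(version: str, url: str, sha256: str) -> bytes:
    """Fixed field order so signer and verifier hash exactly the same bytes."""
    return f"{version}|{url}|{sha256}".encode()


def build_manifest(version: str, url: str, payload: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor side (constructed): bind the payload hash into the manifest, then sign it."""
    digest = hashlib.sha256(payload).hexdigest()
    sig = hmac.new(key, canonical(version, url, digest), hashlib.sha256).hexdigest()
    return (f"<update><version>{version}</version><url>{url}</url>"
            f"<sha256>{digest}</sha256><signature>{sig}</signature></update>")


def verify_update(manifest_xml: str, payload: bytes, key: bytes = VENDOR_KEY) -> tuple:
    """Client side: refuse to execute anything unless every check passes.

    Authenticate the manifest first: an attacker who controls the update
    server (as in the FireAnt case) can otherwise simply rewrite the hash.
    """
    root = ET.fromstring(manifest_xml)
    fields = {tag: root.findtext(tag) for tag in ("version", "url", "sha256", "signature")}
    if any(v is None for v in fields.values()):
        return False, "manifest missing fields"
    expected = hmac.new(key, canonical(fields["version"], fields["url"], fields["sha256"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["signature"]):
        return False, "bad manifest signature"
    if urlparse(fields["url"]).scheme != "https":
        return False, "cleartext update channel refused"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), fields["sha256"]):
        return False, "payload hash mismatch"
    return True, "ok"


def demo() -> dict:
    """The four scenarios a reviewer of an updater would want exercised."""
    https_url = "https://updates.example.com/Software/setup.exe"
    signed = build_manifest("2.0.1", https_url, GOOD_PAYLOAD)
    # Server-side substitution: hash rewritten, but the attacker has no vendor key.
    tampered = build_manifest("2.0.1", https_url, BAD_PAYLOAD, key=b"attacker-key")
    # Validly signed manifest that points at a cleartext channel.
    cleartext = build_manifest("2.0.1", "http://updates.example.com/Software/setup.exe", GOOD_PAYLOAD)
    return {
        "genuine": verify_update(signed, GOOD_PAYLOAD),
        "rewritten_manifest": verify_update(tampered, BAD_PAYLOAD),
        "swapped_binary": verify_update(signed, BAD_PAYLOAD),   # manifest intact, binary differs
        "http_channel": verify_update(cleartext, GOOD_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The "swapped_binary" case is the one that matters most for a compromised server: even if the manifest is authentic, the client must still hash what it actually downloaded before running it.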

The execution chain

Due to the absence of signature validation, Metakit.exe executed the malicious downloader as a legitimate update. Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload (Figure 2).

Figure 2. Download request issued by the downloader

Across all observed samples, the download API path V1/Update/GetUpdate remained consistent. The staging infrastructure, however, evolved over time: next-stage payloads were initially hosted at 139.162.11[.]152 and later migrated to 142.91.98[.]77. These staging servers are distinct from the SPECTRALVIPER C&C servers listed in the IoCs section.

In the subsequent stage, the downloader deployed a side-loading chain involving DtlCrashCatch.dll, which is SPECTRALVIPER configured as a loader, and its companion executable, IntelAudioService.exe. The latter was executed with the command:

C:\Users\[redacted]\IntelAudio\Service\IntelAudioService.exe /appmodel /StateRepository /Service

Analysis revealed that IntelAudioService.exe is in fact a copy of the legitimate, signed executable dtlupdate.exe, as shown in Figure 3.

Figure 3. IntelAudioService.exe file info

Once executed, DtlCrashCatch.dll injects itself into the OneDrive.Sync.Service.exe process, where it runs in backdoor mode. The backdoor then issues a beacon request to the hardcoded URL https://financemachinelearning[.]com/apparatus/wind/twig/statement.html, embedding encrypted host information in the HTTP Cookie header. Historically, this data was prefixed with euconsent-v2=; in this campaign, we observed the prefix zd_cs_pm= for the first time (Figure 4).

Figure 4. Comparison of HTTP Cookie headers in two SPECTRALVIPER beacon requests

The complete execution chain is summarized in Figure 5.

Figure 5. Execution chain of the FireAnt supply-chain attack

Since March 9th, 2026, we have not observed any further malicious updates being distributed through the compromised channel, suggesting that the supply-chain attack has probably concluded.

Targeting a large corporation

We assess that the compromise of the corporate network of a Vietnamese infrastructure and transport construction corporation began as early as November 2024 and persisted until February 2026. Although the initial access vector was not directly observed, our analysis of the victim’s public-facing servers suggests that the attacker may have exploited remote code execution (RCE) vulnerabilities in a Microsoft SQL Server instance to establish an initial foothold.

During this period, we identified multiple SPECTRALVIPER variants deployed across the network, using both shared and distinct C&C servers. Notably, these deployments exhibited slight variations, possibly tailored to the environments of compromised hosts (Figure 6).

Figure 6. Comparison of SPECTRALVIPER samples detected on the same network

Genuine.exe, Updater.exe, and AutoCAD242.exe in Figure 6 are renamed copies of the same legitimate, signed executable, Toolbox.exe (Figure 7); all of them require the command line parameter -uiDll for the side-loading mechanism to trigger. As in the supply-chain attack, the side-loaded DLL is SPECTRALVIPER in its loader configuration, which then injects the SPECTRALVIPER backdoor into a host process.
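Both side-loading chains on this page share the same tells: a signed vendor binary running under a name that is not its own, a command line carrying the switches the host needs to load its companion DLL (-uiDll, or /appmodel /StateRepository /Service for the renamed dtlupdate.exe), and, once the backdoor is running, an HTTPS request whose Cookie header starts with euconsent-v2= or zd_cs_pm=. The following hunting logic is an added example, not ESET's detection content: it runs those three checks over constructed Sysmon-style process-creation events and proxy log lines. The field names, paths, hostnames and the known-good host set are assumptions made for the example; euconsent-v2 is a real IAB consent cookie seen on ordinary websites, which is why the beacon rule pairs the prefix with host rarity rather than firing on the prefix alone.

```python
"""Hunting logic for the SPECTRALVIPER side-loading chain and beacon.

Added example, not ESET's code. Events, proxy lines, paths and the known-good
host set are constructed; field names follow Sysmon Event ID 1.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional
from urllib.parse import urlparse

# Constructed process-creation events (Sysmon EID 1 field names).
PROCESS_EVENTS = [
    {"Image": r"C:\Users\alice\IntelAudio\Service\IntelAudioService.exe",
     "OriginalFileName": "dtlupdate.exe", "Signed": True,
     "CommandLine": r"C:\Users\alice\IntelAudio\Service\IntelAudioService.exe /appmodel /StateRepository /Service"},
    {"Image": r"C:\ProgramData\Autodesk\AutoCAD242.exe",
     "OriginalFileName": "Toolbox.exe", "Signed": True,
     "CommandLine": r"C:\ProgramData\Autodesk\AutoCAD242.exe -uiDll"},
    {"Image": r"C:\Program Files\Vendor\dtlupdate.exe",   # benign: name matches, vendor path
     "OriginalFileName": "dtlupdate.exe", "Signed": True,
     "CommandLine": r"C:\Program Files\Vendor\dtlupdate.exe /quiet"},
]

# Constructed proxy log lines (the C&C hostname is written undefanged, as a log would show it).
PROXY_LINES = [
    'GET https://financemachinelearning.com/apparatus/wind/twig/statement.html cookie="zd_cs_pm=Xn4kQ9...;"',
    'GET https://news.example.com/index.html cookie="euconsent-v2=CPxyz...; _ga=GA1.2.1"',
    'GET https://intranet.example.com/ cookie="sessionid=abc123"',
]
KNOWN_GOOD_HOSTS = {"news.example.com", "intranet.example.com"}   # stand-in for a prevalence list

SIDELOAD_ARGS = re.compile(r"(?i)(\s-uiDll\b|/appmodel\s+/StateRepository\s+/Service)")
USER_WRITABLE = re.compile(r"(?i)^C:\\(Users|ProgramData)\\")
BEACON_PREFIXES = ("euconsent-v2=", "zd_cs_pm=")


def hunt_process(ev: dict) -> list:
    """Return the names of the rules an event trips (empty list = nothing seen)."""
    hits = []
    on_disk = PureWindowsPath(ev["Image"]).name.lower()
    # A signed binary whose PE OriginalFileName differs from its on-disk name
    # is the classic renamed side-loading host (IntelAudioService.exe -> dtlupdate.exe).
    if ev.get("Signed") and ev.get("OriginalFileName", "").lower() != on_disk:
        hits.append("renamed-signed-binary")
    if SIDELOAD_ARGS.search(ev["CommandLine"]):
        hits.append("sideload-trigger-args")
    if USER_WRITABLE.match(ev["Image"]):
        hits.append("user-writable-path")
    return hits


def hunt_proxy(line: str, known_good: set = KNOWN_GOOD_HOSTS) -> Optional[str]:
    """Return the destination host if the request looks like a SPECTRALVIPER beacon."""
    m = re.match(r'^\w+\s+(\S+)\s+cookie="([^"]*)"', line)
    if not m:
        return None
    host = urlparse(m.group(1)).hostname
    cookies = [c.strip() for c in m.group(2).split(";")]
    if host not in known_good and any(c.startswith(BEACON_PREFIXES) for c in cookies):
        return host
    return None


def run_hunt() -> dict:
    """Apply both hunts to the constructed data and summarise the findings."""
    return {
        "process": {ev["Image"]: hunt_process(ev) for ev in PROCESS_EVENTS},
        "beacons": [h for h in map(hunt_proxy, PROXY_LINES) if h],
    }


if __name__ == "__main__":
    for image, hits in run_hunt()["process"].items():
        print(f"{image}: {hits or 'clean'}")
    print("beacon candidates:", run_hunt()["beacons"])
```

A single rule hit is weak on its own (plenty of legitimate software is launched from ProgramData); the combination of a renamed signed host with the side-loading switches, or with a beacon from the same machine, is what should page an analyst.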

Figure 7. File information of the side-loader host

Table 2 lists the C&C domains observed during this incident.

Table 2. SPECTRALVIPER’s C&C domains observed from the incident

C&C domain | IP | First seen
gatewayrvcenter[.]com | 139.180.128[.]42 | 2025-09-20
coachcybersecurity[.]com | 139.99.33[.]239 | 2024-07-08
mxprodesign[.]com | 166.88.77[.]186 | 2024-07-12
power-sync-services[.]com | 103.119.47[.]104 | 2024-07-06

SPECTRALVIPER: A structural view

Our analysis of SPECTRALVIPER aligns closely with findings reported by Elastic Security Labs. Rather than reiterating previously published details, we extend that work by providing additional insight into the structure of the malware’s internal classes.

During our investigation, we identified two samples containing RTTI information, which allowed us to reconstruct a partial class hierarchy. This perspective provides deeper visibility into SPECTRALVIPER’s capabilities, as well as its underlying architectural design.

At a high level, SPECTRALVIPER operates as an active backdoor communicating with its C&C server over HTTPS. It initiates communication by sending a beacon to a hardcoded address using a predefined User-Agent header, with encrypted host-profiling data embedded in the HTTP Cookie header and prefixed with either euconsent-v2= or zd_cs_pm=.

The C&C domain names appear to be carefully crafted for each campaign to blend in with the victim’s network traffic. For instance, financemachinelearning[.]com was used in operations targeting stock investors, while gatewayrvcenter[.]com was observed in activity targeting the infrastructure and transport construction company’s network.

SPECTRALVIPER also supports lateral movement through an orchestration model, in which one instance is designated as an orchestrator responsible for communicating with the C&C infrastructure. This orchestrator distributes commands to other compromised hosts via named pipe channels. Within the codebase, inter-instance communication is implemented through methods such as XGU::Pivot::StartLink and XGU::Pivot::Internal::WaitNew_RemotePipe.

These method names suggest that XGU is the internal framework (a C++ namespace or outer class) underpinning SPECTRALVIPER. Within that scope, the Pivot class implements the orchestration functionality described above, and another key class, Feature, encapsulates the malware’s remote-control capabilities, as illustrated in Figure 8.
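Leftover RTTI is exactly the kind of OPSEC lapse mentioned in the key points, and recovering class names from it does not require a full disassembly. When RTTI is kept in an MSVC build, every polymorphic class gets a TypeDescriptor whose name is stored as a mangled string of the form .?AVName@Outer@Scope@@ (AV for class, AU for struct), with scope components listed innermost first. The script below, an added example rather than ESET's tooling, scans a binary image for those strings, reverses the components into XGU::Pivot::Internal-style names, drops CRT noise and groups the result by outermost scope. The byte blob it runs on is constructed from the names quoted on this page; it is not a SPECTRALVIPER sample, and the CRT_NOISE list is an assumption about what a real scan would also pick up.

```python
"""Recover MSVC RTTI class names from a raw binary image.

Added example, not ESET's tooling. SAMPLE_IMAGE is a constructed blob built
from the class names quoted on this page plus typical CRT noise.
"""
import re
from collections import defaultdict

# TypeDescriptor names: ".?AV" (class) or ".?AU" (struct), components joined by "@", "@@" terminator.
RTTI_NAME = re.compile(rb"\.\?A[VU]([A-Za-z0-9_@]+?)@@")
CRT_NOISE = {"type_info", "exception", "bad_alloc", "bad_array_new_length"}   # assumption

SAMPLE_IMAGE = (
    b"\x00" * 8 + b".?AVPivot@XGU@@\x00" + b"\x90" * 5
    + b".?AVInternal@Pivot@XGU@@\x00" + b"\xcc" * 3
    + b".?AVFeature@XGU@@\x00"
    + b".?AVProcessReflector@@\x00" + b".?AVProcessManager@@\x00"
    + b".?AVtype_info@@\x00" + b".?AVexception@std@@\x00"
)


def demangle(mangled: bytes) -> str:
    """'.?AVInternal@Pivot@XGU@@' -> 'class XGU::Pivot::Internal'."""
    kind = "struct" if mangled.startswith(b".?AU") else "class"
    components = mangled[4:-2].decode("ascii").split("@")   # strip ".?AV"/".?AU" and "@@"
    return f"{kind} {'::'.join(reversed(components))}"


def extract_rtti_names(image: bytes) -> list:
    """All TypeDescriptor names in the image, in file order, de-duplicated, CRT noise removed."""
    found = []
    for m in RTTI_NAME.finditer(image):
        leaf = m.group(1).split(b"@")[0].decode("ascii")   # innermost component
        if leaf in CRT_NOISE:
            continue
        name = demangle(m.group(0))
        if name not in found:
            found.append(name)
    return found


def by_scope(names: list) -> dict:
    """Group recovered names by their outermost scope ('' for global classes)."""
    groups = defaultdict(list)
    for n in names:
        qualified = n.split(" ", 1)[1]          # drop the "class"/"struct" keyword
        parts = qualified.split("::", 1)
        if len(parts) == 2:
            groups[parts[0]].append(parts[1])
        else:
            groups[""].append(parts[0])
    return {scope: sorted(members) for scope, members in groups.items()}


if __name__ == "__main__":
    for scope, members in by_scope(extract_rtti_names(SAMPLE_IMAGE)).items():
        print(f"{scope or '<global>'}: {', '.join(members)}")
```

On a real sample the same scan over the whole file (or a memory dump of the injected process) is a quick first pass before opening it in a disassembler; the scope grouping is what makes a framework boundary such as XGU stand out.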

Figure 8. Definition of the Feature class

Beyond its role as a backdoor, SPECTRALVIPER functions as a capable loader, able to inject itself – as well as additional binaries or shellcode received from the C&C – into target processes. In both campaigns we analyzed, SPECTRALVIPER was configured to initially execute in a loader role, injecting its backdoor component into a separate process rather than relying on a standalone loader. These process manipulation and injection capabilities are implemented through the ProcessReflector and ProcessManager classes, as shown in Figure 9.

Figure 9. ProcessManager and ProcessReflector definitions

Conclusion

In this blogpost, we have provided updates on OceanLotus, a Vietnam-aligned APT group. According to our telemetry, activity observed between 2024 and 2026 suggests that the group has put an increasing focus on domestic espionage. We describe two incidents during this period: a supply-chain attack leveraging FireAnt MetaKit to target stock investors in Vietnam, and the compromise of a Vietnamese infrastructure and transport construction company. In both cases, OceanLotus deployed its signature backdoor, SPECTRALVIPER, on victim systems. Notably, an operational security (OPSEC) lapse resulted in RTTI names being left intact in a SPECTRALVIPER sample, enabling us to reconstruct aspects of the backdoor’s internal architecture.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1 | Filename | Detection | Description
511B77459673EC42163F19E300FF1D233B6C39FB | setup.exe | Win32/Agent.AIBE | SPECTRALVIPER downloader delivered from the FireAnt update server.
59A8553A4F8130F576AB234E0B220BE4D4DA0E98 | setup.exe | Win32/TrojanDownloader.Agent.IKC | SPECTRALVIPER downloader delivered from the FireAnt update server.
9CA1A5C7F79882DB913534C1E62B26BCDCB9F6DD | setup.exe | Win32/TrojanDownloader.Agent.IIZ | SPECTRALVIPER downloader delivered from the FireAnt update server.
A8E2BBBFCB86500322D2367744FA12755AB0C165 | setup.exe | Win32/TrojanDownloader.Agent_AGen.JL | SPECTRALVIPER downloader delivered from the FireAnt update server.
F74F1FEB62B662CDA489FDB2453727824E55ACB9 | setup.exe | Win32/TrojanDownloader.Agent.IJN | SPECTRALVIPER downloader delivered from the FireAnt update server.
F8F8209987CA7F139DE6A62F9E6EE21BD2AE93A9 | setup.exe | Win32/TrojanDownloader.Agent.IJX | SPECTRALVIPER downloader delivered from the FireAnt update server.
19A69F856EFA811C376F68E4FEB0997B4724F8BD | setup.exe | Win32/Agent.AIBE | SPECTRALVIPER downloader delivered from the FireAnt update server.
490194E9BB5128ECA8693AD9E610891C2ED185AF | setup.exe | Win32/Agent.AIBE | SPECTRALVIPER downloader delivered from the FireAnt update server.
51176139B0B2220B802C1578A4994DF68DF5BCD1 | setup.exe | Win32/Agent.AICB | SPECTRALVIPER downloader delivered from the FireAnt update server.
91F042F59BE4BDCB6E5EA21B91DECD731C175B54 | setup.exe | Win32/Agent.AICB | SPECTRALVIPER downloader delivered from the FireAnt update server.
A177ED0BFFEB1EFE1D9D31D72A82EF2625AE646D | setup.exe | Win32/Agent.AIBE | SPECTRALVIPER downloader delivered from the FireAnt update server.
B7B2D2DB544F9EEA74453CDF2B8BEEA58CF07C48 | setup.exe | Generik.CPNQYWW | SPECTRALVIPER downloader delivered from the FireAnt update server.
4AD36AD6C165B5174967020CB1A3358F78D7A283 | setup.exe | Win32/Agent.AIBE | SPECTRALVIPER downloader delivered from the FireAnt update server.
57352B3CEEE32216E5AA20BAA848483D7AB5A6FB | setup.exe | Win32/Agent.AIBE | SPECTRALVIPER downloader delivered from the FireAnt update server.
9BC06DF9F932746A05EE728C8B103BD3BA6BF395 | setup.exe | Generik.ETQXXVN | SPECTRALVIPER downloader delivered from the FireAnt update server.
865A1739337D3303B3AB02C5E694C22B79C42B7D | system.config.xml | Win64/Agent.GFV | SPECTRALVIPER backdoor.
8CD78B8DB76563E4F972ABE817CEEE9CF9B00037 | DtlCrashCatch.dll | N/A | SPECTRALVIPER backdoor.
B0FEA981D02F6F76DE81EBAEFCB68B7D205D6194 | NotificationConfig.json | Win64/Agent.HRA | SPECTRALVIPER backdoor.
48FEBB91A10D1462461A012FAFC0918BB028E947 | DtlCrashCatch.dll | Win64/Agent.HRA | SPECTRALVIPER backdoor.
150764A71DEEF498DE6F8C95ECCCB4455C1B601F | SetupUi.dll | Win32/Agent_AGen.FHH | SPECTRALVIPER backdoor.

Network

IP | Domain | Hosting provider | First seen | Details
38.60.245[.]37 | leadingfilipinoteams[.]com | Kaopu Cloud HK Limited | 2025-10-05 | SPECTRALVIPER C&C server.
139.99.33[.]239 | coachcybersecurity[.]com | OVH Singapore PTE. LTD | 2025-09-20 | SPECTRALVIPER C&C server.
139.162.11[.]152 | N/A | Akamai Connected Cloud | 2025-10-02 | SPECTRALVIPER hosting (staging) server.
139.180.128[.]42 | gatewayrvcenter[.]com | IRT-CHOOPALLC-AP | 2025-09-20 | SPECTRALVIPER C&C server.
142.91.98[.]77 | N/A | LEASEWEB SINGAPORE PTE. LTD. | 2025-12-03 | SPECTRALVIPER hosting (staging) server.
166.88.77[.]186 | mxprodesign[.]com | Evoxt Enterprise | 2025-06-23 | SPECTRALVIPER C&C server.
194.68.26[.]241 | financemachinelearning[.]com | M247 Europe SRL | 2025-10-30 | SPECTRALVIPER C&C server.

MITRE ATT&CK techniques

This table was built using version 19 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | FireAnt MetaKit update servers were compromised.
Initial Access | T1190 | Exploit Public-Facing Application | Suspected Microsoft SQL Server RCE exploitation.
Execution | T1059 | Command and Scripting Interpreter | SPECTRALVIPER was deployed using curl.
Execution | T1204 | User Execution | Users could have initiated the MetaKit update.
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | SPECTRALVIPER was executed via side-loading.
Defense Evasion | T1055 | Process Injection | SPECTRALVIPER can be injected into various processes.
Defense Evasion | T1036 | Masquerading | Side-loading hosts were renamed.
Defense Evasion | T1027 | Obfuscated Files or Information | The malicious downloaders and the backdoor are heavily obfuscated.
Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing | The absence of signature validation in the FireAnt MetaKit update protocol was abused.
Discovery | T1082 | System Information Discovery | The malicious downloaders and the backdoor profiled host machines.
Lateral Movement | T1570 | Lateral Tool Transfer | SPECTRALVIPER orchestration uses a named pipe.
Lateral Movement | T1021 | Remote Services | The SPECTRALVIPER orchestrator can distribute commands to other instances.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SPECTRALVIPER and the downloader both use HTTPS.
Command and Control | T1573 | Encrypted Channel | All SPECTRALVIPER C&C communications are encrypted.
Command and Control | T1105 | Ingress Tool Transfer | A fake update downloaded and executed SPECTRALVIPER.
Exfiltration | T1041 | Exfiltration Over C2 Channel | SPECTRALVIPER exfiltrates data over its C&C channel.