
OceanLotus (APT32) has shifted from foreign espionage to domestic intelligence collection inside Vietnam, deploying its newest implant SPECTRALVIPER via two vectors: a supply-chain compromise of the FireAnt Metakit update server (targeting financial sector stock investors) and exploitation of a public-facing Microsoft SQL Server (targeting a critical-infrastructure and transport construction corporation). The corporate intrusion persisted covertly for approximately 15 months, from November 2024 to February 2026. No further malicious updates appeared after March 9, 2026, suggesting the operation has concluded.
TA2026167

OceanLotus (also tracked as APT32, SeaLotus, APT-C-00, Ocean Buffalo, Tin Woodlawn, ATK 17, SectorF01, Pond Loach, APT-LY-100, Lotus Bane) is a Vietnam-nexus cyberespionage group active since at least 2012, believed to operate in line with Vietnamese government interests. Tracking from 2024 to 2026 reveals a clear strategic pivot from foreign to domestic intelligence — targeting Vietnamese financial services, stock investors, infrastructure, transport, and construction sectors.
Two campaigns are documented. In the first, OceanLotus compromised the FireAnt Metakit update server (October 2025 – March 2026), pushing a malicious setup.exe to a hand-picked subset of stock-market investors. In the second, the group exploited a remote code execution flaw in a public-facing Microsoft SQL Server to intrude on a critical-infrastructure and transport construction corporation (mid-2024), with host activity persisting from November 2024 to February 2026 — a roughly 15-month covert foothold.
Both campaigns deployed SPECTRALVIPER, first documented in 2023, via DLL sideloading. The backdoor beacons over HTTPS, acts as a loader for additional shellcode or binaries, and exfiltrates data through the same encrypted channel.
Five stages cover the OceanLotus SPECTRALVIPER campaigns: actor background, domestic pivot and initial access, FireAnt supply-chain execution, DLL sideloading and implant injection, and C2/impact.
setup.exe in place of a legitimate update. Because the FireAnt Metakit update process performed no signature or integrity verification and did not use SSL/TLS, Metakit.exe executed the downloader as if it were trusted. The downloader profiled the host, sent fingerprint data to a staging server via HTTP POST, and retrieved the next-stage payload — reaching only a small, hand-picked subset of investors despite the broad potential impact of a supply-chain attack.

IntelAudioService.exe sideloaded a rogue DtlCrashCatch.dll — SPECTRALVIPER acting as a loader — which injected the backdoor into OneDrive.Sync.Service.exe. The corporate intrusion replicated this technique using renamed copies of Toolbox.exe invoked with a -uiDll switch, deploying multiple SPECTRALVIPER variants across the network. Renamed masquerade binaries observed include Genuine.exe, Updater.exe, and AutoCAD242.exe.

euconsent-v2= or zd_cs_pm= and connections to finance- or business-themed C2 domains. The impact: a ~15-month covert foothold in a critical-infrastructure firm and a surgical supply-chain attack. No further malicious updates appeared after March 9, 2026.

IntelAudioService.exe loading DtlCrashCatch.dll. Alert on renamed copies of Toolbox.exe (e.g., Genuine.exe, Updater.exe, AutoCAD242.exe) invoked with a -uiDll parameter. Enforce DLL load-order controls and application allowlisting on sensitive systems.

euconsent-v2= or zd_cs_pm=. Alert on unusual fixed User-Agent strings and HTTPS connections to finance- or business-themed domains that blend into normal traffic. Flag connections to the IOC domains and IP addresses listed in the IoC section immediately.

OneDrive.Sync.Service.exe.

Block and correlate across endpoint, network, and DNS controls.
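The report attributes the supply-chain success to an update client that fetched version.xml and setup.exe over plain HTTP and executed the result with no integrity check. The following is an added example, not FireAnt's or OceanLotus's code, of the pre-execution gate an update client should apply: TLS-only transport to an allowlisted host and a pinned SHA-256 taken from the manifest. The `<update>` manifest layout, the `ALLOWED_HOSTS` set and the sample payload bytes are constructed for the example; the real version.xml schema is not on the page.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts the client may fetch updates from. Constructed allowlist: the page names
# metakit.fireant.vn as the update server and nothing else.
ALLOWED_HOSTS = {"metakit.fireant.vn"}


def build_manifest(version: str, url: str, payload: bytes) -> str:
    """Publisher side: emit a manifest that pins the payload's SHA-256.
    The <update> element layout is an assumption for this example; the real
    FireAnt version.xml schema is not documented on the page."""
    digest = hashlib.sha256(payload).hexdigest()
    return (f"<update><version>{version}</version><url>{url}</url>"
            f"<sha256>{digest}</sha256></update>")


def parse_manifest(manifest_xml: str) -> dict:
    """Client side: pull version, payload URL and expected digest out of the manifest."""
    root = ET.fromstring(manifest_xml)
    version = root.findtext("version")
    url = root.findtext("url")
    digest = (root.findtext("sha256") or "").strip().lower()
    if not (version and url and len(digest) == 64):
        raise ValueError("manifest missing version, url or sha256")
    return {"version": version, "url": url, "sha256": digest}


def check_source(url: str) -> None:
    """Refuse plaintext transport and any host outside the allowlist."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"non-TLS update URL: {url}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"update host not allowlisted: {parts.hostname}")


def gate_update(manifest_xml: str, payload: bytes) -> tuple:
    """The pre-execution gate Metakit.exe lacked. Returns (ok, reason)."""
    try:
        manifest = parse_manifest(manifest_xml)
        check_source(manifest["url"])
    except (ET.ParseError, ValueError) as exc:
        return False, f"rejected: {exc}"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return False, "rejected: payload digest does not match manifest"
    return True, f"ok: version {manifest['version']} verified"


# Constructed sample data (not real FireAnt files).
GOOD_PAYLOAD = b"MZ constructed benign installer bytes"
SWAPPED_PAYLOAD = b"MZ constructed swapped installer bytes"
HTTPS_URL = "https://metakit.fireant.vn/Software/setup.exe"
HTTP_URL = "http://metakit.fireant.vn/Software/setup.exe"  # the plaintext transport the page describes

if __name__ == "__main__":
    manifest = build_manifest("1.2.3", HTTPS_URL, GOOD_PAYLOAD)
    print(gate_update(manifest, GOOD_PAYLOAD))                                        # accepted
    print(gate_update(manifest, SWAPPED_PAYLOAD))                                     # digest mismatch
    print(gate_update(build_manifest("1.2.3", HTTP_URL, GOOD_PAYLOAD), GOOD_PAYLOAD))  # plaintext refused
```

One caveat worth keeping in mind: a pinned digest is only as trustworthy as the manifest that carries it. An attacker who controls the update server, as this campaign did, can rewrite version.xml alongside setup.exe, so the hash check above must be paired with signature verification of the installer against a publisher key that never lives on the update server (Authenticode or a detached signature), which is outside what this example shows.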

| Type | Value |
|---|---|
| SHA1 | 511b77459673ec42163f19e300ff1d233b6c39fb · 59a8553a4f8130f576ab234e0b220be4d4da0e98 · 9ca1a5c7f79882db913534c1e62b26bcdcb9f6dd · a8e2bbbfcb86500322d2367744fa12755ab0c165 · f74f1feb62b662cda489fdb2453727824e55acb9 · f8f8209987ca7f139de6a62f9e6ee21bd2ae93a9 · 19a69f856efa811c376f68e4feb0997b4724f8bd · 490194e9bb5128eca8693ad9e610891c2ed185af · 51176139b0b2220b802c1578a4994df68df5bcd1 · 91f042f59be4bdcb6e5ea21b91decd731c175b54 · a177ed0bffeb1efe1d9d31d72a82ef2625ae646d · b7b2d2db544f9eea74453cdf2b8beea58cf07c48 · 4ad36ad6c165b5174967020cb1a3358f78d7a283 · 57352b3ceee32216e5aa20baa848483d7ab5a6fb · 9bc06df9f932746a05ee728c8b103bd3ba6bf395 · 865a1739337d3303b3ab02c5e694c22b79c42b7d · b0fea981d02f6f76de81ebaefcb68b7d205d6194 · 48febb91a10d1462461a012fafc0918bb028e947 · 150764a71deef498de6f8c95ecccb4455c1b601f |
| Filenames | setup.exe · system.config.xml · NotificationConfig.json · DtlCrashCatch.dll · SetupUi.dll |
| IPv4 | 38[.]60[.]245[.]37 · 139[.]99[.]33[.]239 · 139[.]162[.]11[.]152 · 139[.]180[.]128[.]42 · 142[.]91[.]98[.]77 · 166[.]88[.]77[.]186 · 194[.]68[.]26[.]241 · 103[.]119[.]47[.]104 |
| Domains | leadingfilipinoteams[.]com · coachcybersecurity[.]com · gatewayrvcenter[.]com · mxprodesign[.]com · financemachinelearning[.]com · power-sync-services[.]com |
| URLs | hxxp[:]//metakit[.]fireant[.]vn/Software/setup[.]exe · hxxp[:]//metakit[.]fireant[.]vn/Software/version[.]xml |
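The detection guidance above and the IoC table reduce to a few concrete checks on endpoint and proxy telemetry. This added example, not code from the report's authors, runs those checks over a handful of constructed events and then correlates endpoint and network hits per host, as the "block and correlate" advice suggests. Event field names (`image`, `loaded`, `original_filename`, `cmdline`, `cookie`) are assumptions modelled loosely on Sysmon and proxy logs; the indicator values themselves (IntelAudioService.exe loading DtlCrashCatch.dll, renamed Toolbox.exe with `-uiDll`, the `euconsent-v2=` / `zd_cs_pm=` cookie prefixes, the C2 domains) come from the report.

```python
import ntpath

# Indicators taken from the report.
SIDELOAD_HOST = "intelaudioservice.exe"
SIDELOAD_DLL = "dtlcrashcatch.dll"
TOOLBOX_ORIGINAL = "toolbox.exe"
SIDELOAD_SWITCH = "-uidll"
COOKIE_PREFIXES = ("euconsent-v2=", "zd_cs_pm=")
IOC_DOMAINS = {
    "leadingfilipinoteams.com", "coachcybersecurity.com", "gatewayrvcenter.com",
    "mxprodesign.com", "financemachinelearning.com", "power-sync-services.com",
}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def check_image_load(ev: dict):
    """Signed IntelAudioService.exe pulling in the rogue DtlCrashCatch.dll."""
    if base(ev["image"]) == SIDELOAD_HOST and base(ev["loaded"]) == SIDELOAD_DLL:
        return "sideload: IntelAudioService.exe loaded DtlCrashCatch.dll"
    return None


def check_process_create(ev: dict):
    """A binary whose PE OriginalFileName is Toolbox.exe running under another name."""
    name = base(ev["image"])
    original = ev.get("original_filename", "").lower()
    tokens = ev.get("cmdline", "").lower().split()
    if original == TOOLBOX_ORIGINAL and name != original:
        suffix = " with -uiDll switch" if SIDELOAD_SWITCH in tokens else ""
        return f"renamed Toolbox.exe: {name}{suffix}"
    return None


def check_http(ev: dict):
    """Cookie markers used by the C2 channel, or a known C2 domain."""
    if ev.get("cookie", "").startswith(COOKIE_PREFIXES):
        return f"c2 cookie marker in request to {ev['host']}"
    if ev["host"].lower() in IOC_DOMAINS:
        return f"connection to IoC domain {ev['host']}"
    return None


CHECKS = {"image_load": check_image_load,
          "process_create": check_process_create,
          "http": check_http}


def scan(events):
    """Return (endpoint, event type, reason) for every event that trips a check."""
    findings = []
    for ev in events:
        reason = CHECKS[ev["type"]](ev)
        if reason:
            findings.append((ev["endpoint"], ev["type"], reason))
    return findings


def correlate(findings):
    """Endpoints with both a host-side and a network-side hit: triage these first."""
    sources = {}
    for endpoint, event_type, _ in findings:
        side = "network" if event_type == "http" else "endpoint"
        sources.setdefault(endpoint, set()).add(side)
    return sorted(h for h, s in sources.items() if len(s) == 2)


# Constructed telemetry; hostnames, paths and cookie values are made up.
SAMPLE_EVENTS = [
    {"endpoint": "WS01", "type": "image_load",
     "image": r"C:\ProgramData\Intel\IntelAudioService.exe",
     "loaded": r"C:\ProgramData\Intel\DtlCrashCatch.dll"},
    {"endpoint": "WS01", "type": "http", "host": "financemachinelearning.com",
     "user_agent": "Mozilla/5.0", "cookie": "euconsent-v2=Q0FCR0dEQg"},
    {"endpoint": "WS02", "type": "process_create",
     "image": r"C:\Users\acct\AppData\Local\Temp\Genuine.exe",
     "original_filename": "Toolbox.exe",
     "cmdline": "Genuine.exe -uiDll SetupUi.dll"},
    {"endpoint": "WS03", "type": "image_load",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll"},
    {"endpoint": "WS03", "type": "http", "host": "www.example.com",
     "user_agent": "Mozilla/5.0", "cookie": "session=abc123"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("correlated endpoints:", correlate(SAMPLE_EVENTS and hits))
```

The per-check functions are deliberately exact-match on the report's indicators; a production rule set would widen `check_image_load` to any DLL loaded from a user-writable directory next to a signed host binary, and would compare the `user_agent` field across hosts to catch the fixed string the report mentions.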

| Tactic | Technique | Sub-technique & Notes |
|---|---|---|
| Initial Access | T1195 | T1195.002 Compromise Software Supply Chain — FireAnt Metakit update server hijacked to deliver malicious setup.exe without signature or TLS verification |
| Initial Access | T1190 | Exploit Public-Facing Application — RCE in a public-facing Microsoft SQL Server used to compromise a critical-infrastructure corporation |
| Execution | T1059 | Command and Scripting Interpreter — scripting used post-compromise for staging, profiling, and lateral deployment |
| Execution | T1204 | User Execution — victims run the malicious setup.exe delivered via the trusted FireAnt Metakit update channel |
| Persistence | T1574 | T1574.001 DLL Sideloading — signed IntelAudioService.exe sideloads rogue DtlCrashCatch.dll; renamed Toolbox.exe copies use -uiDll to deploy SPECTRALVIPER variants |
| Defense Evasion | T1055 | Process Injection — SPECTRALVIPER injected into OneDrive.Sync.Service.exe to blend with legitimate processes |
| Defense Evasion | T1036 | Masquerading — binaries renamed as IntelAudioService.exe, Genuine.exe, Updater.exe, AutoCAD242.exe to blend with legitimate software |
| Defense Evasion | T1027 | Obfuscated Files or Information — SPECTRALVIPER payload obfuscated; C2 traffic encrypted and disguised in Cookie headers |
| Defense Evasion | T1553 | T1553.002 Code Signing — signed legitimate binaries used as sideloading hosts to inherit trust |
| Discovery | T1082 | System Information Discovery — downloader profiles host and sends fingerprint data to staging server via HTTP POST before next-stage delivery |
| Lateral Movement | T1570 | Lateral Tool Transfer — SPECTRALVIPER orchestrator model relays commands and payloads to other infected hosts via named pipes |
| Lateral Movement | T1021 | Remote Services — remote access used to propagate SPECTRALVIPER variants across the compromised corporate network |
| C2 | T1071 | T1071.001 Web Protocols — SPECTRALVIPER beacons over HTTPS to hardcoded C2 with a fixed User-Agent; traffic disguised in euconsent-v2= / zd_cs_pm= Cookie headers |
| C2 | T1573 | Encrypted Channel — all C2 communications and exfiltrated data sent over HTTPS encryption |
| C2 | T1105 | Ingress Tool Transfer — SPECTRALVIPER loader pulls additional binaries or shellcode from C2 as directed by the operator |
| Exfiltration | T1041 | Exfiltration Over C2 Channel — collected data exfiltrated via the same encrypted HTTPS C2 connection used for beaconing |