
OceanLotus SPECTRALVIPER Backdoor Hits Vietnamese Targets


The Vietnam-aligned threat actor known as OceanLotus has spent more than a decade targeting foreign entities, especially China. But something changed recently.

ESET researchers have uncovered two distinct campaigns in which OceanLotus deployed its SPECTRALVIPER backdoor against domestic Vietnamese targets. Not foreign dissidents. Not Chinese companies. A Vietnamese infrastructure firm and local stock investors.

The shift is significant. And it may signal a long-term strategic change for one of Southeast Asia's most persistent advanced persistent threat (APT) groups.

Two Campaigns, One Backdoor

ESET's analysis of the two intrusions showed them to be separate espionage operations running at the same time:
1. A state-sponsored intelligence-collection effort against an infrastructure and transportation construction company in Vietnam, active from November 2024 until February 2026.

2. A supply-chain attack through FireAnt Metakit, a software platform popular with Vietnamese stock-market investors, running from October 2025 to March 2026.

Both campaigns used the same tool: SPECTRALVIPER, a custom backdoor first documented by Elastic Security Labs in June 2023.

Who Is OceanLotus?

APT32 (also known as OceanLotus) is believed to have been active since at least 2012 and is thought to operate at the direction of the Vietnamese state.

They are believed to have previously targeted:

1. Chinese government bodies and businesses
2. Vietnamese dissidents and human-rights defenders
3. Civil society groups and organizations
4. Companies in the manufacturing and technology sectors

In December 2020, Meta publicly linked OceanLotus to a Vietnamese IT company called CyberOne Group (also known as CyberOne Security, CyberOne Technologies, and Hành Tinh Company Limited). The company denied the allegations, but the exposure had consequences. OceanLotus largely went off the grid for nearly three years.

Now they're back. And their focus has shifted.

Campaign 1: Construction Company

OceanLotus maintained access to an unnamed infrastructure and transportation construction company for over 15 months, from November 2024 through February 2026.

How did they get in? ESET isn't certain, but the evidence points to exploitation of a remote code execution vulnerability in a public-facing Microsoft SQL Server. Once inside, the attackers deployed SPECTRALVIPER.

Three different variants of SPECTRALVIPER were identified across multiple compromised hosts on the same network. 

The backdoor contacted a command-and-control server at gatewayrvcenter[.]com to:
1. Transmit host-profiling data
2. Receive operator instructions
3. Facilitate lateral movement
4. Load additional binaries or shellcode into target processes

This wasn't a smash-and-grab. This was sustained, patient espionage.

Campaign 2: The Stock Investor Supply Chain Attack

The second campaign is more troubling in scope. OceanLotus compromised the update channel of FireAnt Metakit, a program widely used by Vietnamese stock traders, and used it to deliver SPECTRALVIPER in a supply-chain attack.

Here is how it unfolded:
1. The attackers found that FireAnt's update configuration file at metakit.fireant[.]vn/Software/version.xml was consumed without any integrity validation.

2. Because neither the manifest nor the installer (setup.exe) was signature-checked, the application had no way to tell whether the update package had been altered.

3. OceanLotus substituted malicious downloaders for the legitimate updates.

4. Users of FireAnt Metakit installed what they believed was a valid update and ran the attacker's code.
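The four steps above come down to one missing control: the client runs whatever the update host serves. As an added example that is not part of ESET's report or FireAnt's code, the Go program below puts the weak flow next to a hardened one. The manifest element names, the URL, and the installer bytes are assumptions constructed for the example; the vendor's Ed25519 public key is pinned in the client, the manifest must verify under that key, and the downloaded installer must hash to the digest the signed manifest names. Go is used because its standard library provides Ed25519 and XML without third-party dependencies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is a minimal update descriptor in the spirit of a version.xml.
// Element and field names are assumptions for this example, not FireAnt's schema.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	Version string   `xml:"version"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

// VulnerableSelectUpdate is the weak pattern: parse the manifest as fetched and
// hand back the URL so the caller runs whatever was downloaded. Nothing binds the
// downloaded bytes to anything the vendor authorised; `downloaded` is never checked.
func VulnerableSelectUpdate(manifestXML, downloaded []byte) (string, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return "", err
	}
	return m.URL, nil
}

// VerifiedSelectUpdate is the hardened pattern: the manifest must carry a valid
// Ed25519 signature from the pinned vendor key, and the installer must hash to
// the digest the signed manifest names. Either check failing aborts the update.
func VerifiedSelectUpdate(pub ed25519.PublicKey, manifestXML, sig, downloaded []byte) (string, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return "", errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return "", err
	}
	sum := sha256.Sum256(downloaded)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", errors.New("installer digest does not match signed manifest")
	}
	return m.URL, nil
}

// BuildSignedManifest is the vendor side: hash the real installer, serialise the
// manifest, and sign the exact bytes that will be served.
func BuildSignedManifest(priv ed25519.PrivateKey, version, url string, installer []byte) ([]byte, []byte, error) {
	sum := sha256.Sum256(installer)
	manifestXML, err := xml.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestXML, ed25519.Sign(priv, manifestXML), nil
}

// DemoResult records how each flow treats a genuine and a tampered update.
type DemoResult struct {
	VulnerableAcceptsTampered bool // attacker swaps setup.exe only
	VerifiedAcceptsGenuine    bool
	VerifiedAcceptsTampered   bool // attacker swaps setup.exe only
	VerifiedAcceptsForged     bool // attacker rewrites version.xml as well
}

// Demo runs both flows against constructed stand-ins for the installer and a
// malicious downloader (no real binaries are involved).
func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		return r, err
	}
	genuine := []byte("MZ... genuine installer (constructed stand-in)")
	malicious := []byte("MZ... attacker downloader (constructed stand-in)")
	const url = "https://updates.example/Software/setup.exe" // assumed, not FireAnt's real path
	manifestXML, sig, err := BuildSignedManifest(priv, "1.2.3", url, genuine)
	if err != nil {
		return r, err
	}
	// Scenario A: attacker replaces only the installer on the update host.
	_, err = VulnerableSelectUpdate(manifestXML, malicious)
	r.VulnerableAcceptsTampered = err == nil
	_, err = VerifiedSelectUpdate(pub, manifestXML, sig, genuine)
	r.VerifiedAcceptsGenuine = err == nil
	_, err = VerifiedSelectUpdate(pub, manifestXML, sig, malicious)
	r.VerifiedAcceptsTampered = err == nil
	// Scenario B: attacker also rewrites version.xml to name the malicious digest,
	// reusing the old signature because the vendor's private key is not theirs.
	forgedSum := sha256.Sum256(malicious)
	forged, _ := xml.Marshal(Manifest{Version: "1.2.3", URL: url, SHA256: hex.EncodeToString(forgedSum[:])})
	_, err = VerifiedSelectUpdate(pub, forged, sig, malicious)
	r.VerifiedAcceptsForged = err == nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it with `go run` and the struct shows the unverified flow accepting the swapped installer while the verified flow accepts only the genuine one. A hash pinned in an unsigned manifest would not have helped: the attacker who can replace setup.exe can replace version.xml too, which is why the signature has to cover the manifest (or the binary itself, as Authenticode does) and the verifying key has to ship inside the client rather than come from the same host.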

The malicious downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server. It then requested the next-stage payload.

That payload was a DLL side-loading chain. A legitimate binary loaded a rogue DLL named DtlCrashCatch.dll, which then injected code into the OneDrive.Sync.Service.exe process. That injection launched the final SPECTRALVIPER backdoor.

Once active, SPECTRALVIPER contacted financemachinelearning[.]com to send encrypted host information back to the attackers.

ESET noted that the attack was highly selective. Only a small subset of stock investors received the malicious update. That suggests OceanLotus knew exactly who they wanted to target.

The Good News (Sort Of)

ESET has not observed any further malicious updates being distributed through the compromised FireAnt channel since March 9, 2026. The campaign appears to have concluded.

But the construction firm compromise lasted 15 months. The supply chain attack ran for about six months. OceanLotus got what they came for.

Other Tools in the OceanLotus Arsenal

SPECTRALVIPER isn't the only tool OceanLotus uses. The group's known malware families include:

1. SOUNDBITE (also called Denis)
2. PHOREAL (aka Rizzo)
3. WINDSHIELD (aka Remy)

More recently, Kaspersky discovered three malicious packages on the Python Package Index (PyPI) repository designed to deliver a previously unknown malware family called ZiChatBot. The dropper used to deliver ZiChatBot shares 64% similarity to a dropper previously used by OceanLotus.

The group also has a history of using watering hole attacks to digitally profile site visitors. In 2017 and 2018, they focused on hundreds of individuals and organizations tied to media, human rights, and civil society causes.

Why the Shift to Domestic Targets?

ESET puts it plainly: "Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear."

But the timing is notable. After CyberOne Group was publicly exposed in 2020, OceanLotus went quiet for nearly three years. When they returned, their operational patterns had changed.

ESET's assessment: "Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets."

That could mean a few things. Maybe foreign targets hardened their defenses. Maybe domestic intelligence priorities changed. Or maybe OceanLotus is simply lying low by operating closer to home.

What Makes SPECTRALVIPER Dangerous?

SPECTRALVIPER combines several concerning features:

1. DLL side-loading: the malware runs under the identity of a legitimate, trusted executable
2. Process injection into legitimate Windows processes such as OneDrive.Sync.Service.exe
3. Encrypted C2 communication, which makes it harder to spot on the network
4. Lateral-movement capability, so the operators can spread the backdoor across the compromised network
5. A loader function that retrieves additional payloads at runtime

This is more than a basic RAT; it is a complete espionage platform.

How to Protect Your Organization

If you're in Vietnam, or you do business with Vietnamese partners, here's what these campaigns teach:

1. Validate software updates. Any application that downloads and executes binaries without verifying a signature over them is a supply-chain risk.
2. Watch for DLL side-loading, where a legitimate, signed executable is made to load an attacker's DLL placed alongside it, so the malicious code runs under the legitimate binary's name.
3. Monitor OneDrive.Sync.Service.exe. Code injected into that process, as seen in this campaign, is a strong indicator of malicious activity.
4. Patch any publicly exposed SQL Server instances immediately, and take them off the internet if you can; the construction-firm intrusion most likely began with a remote code execution flaw in one.
5. Segment critical infrastructure. The construction firm compromise lasted 15 months. Assume breach and isolate sensitive systems.
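Points 2 and 3 above, and the side-loading, injection and C2 features listed under "What Makes SPECTRALVIPER Dangerous?", translate directly into detection logic. The Go program below is an added example, not ESET's or any vendor's detection content: it evaluates Sysmon-style records (Event ID 7 image load, 8 CreateRemoteThread, 3 network connection, using Sysmon's field names) against the indicators the article gives (DtlCrashCatch.dll, injection into OneDrive.Sync.Service.exe, the two C2 domains) plus a generic heuristic for unsigned DLLs loaded from user-writable paths. The sample events are constructed for the example; "Updater.exe" stands in for the unnamed legitimate host binary.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the Sysmon fields these rules need (names follow Sysmon's schema).
type Event struct {
	EventID             int    `json:"EventID"`
	Image               string `json:"Image"`
	ImageLoaded         string `json:"ImageLoaded"`
	Signed              string `json:"Signed"`
	SourceImage         string `json:"SourceImage"`
	TargetImage         string `json:"TargetImage"`
	DestinationHostname string `json:"DestinationHostname"`
}

// Indicators taken from the campaigns described in the article.
var (
	knownBadDLLs     = map[string]bool{"dtlcrashcatch.dll": true}
	injectionTargets = map[string]bool{"onedrive.sync.service.exe": true}
	c2Domains        = map[string]bool{"gatewayrvcenter.com": true, "financemachinelearning.com": true}
)

// baseName returns the lower-cased file name of a Windows path.
func baseName(p string) string {
	if i := strings.LastIndex(p, `\`); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// inTrustedDir is a coarse check for directories standard users cannot write to.
func inTrustedDir(p string) bool {
	l := strings.ToLower(p)
	for _, prefix := range []string{`c:\windows\`, `c:\program files\`, `c:\program files (x86)\`} {
		if strings.HasPrefix(l, prefix) {
			return true
		}
	}
	return false
}

// Evaluate returns zero or more alert strings for one event.
func Evaluate(e Event) []string {
	var hits []string
	switch e.EventID {
	case 7: // image load: named IOC plus a generic side-load heuristic
		dll := baseName(e.ImageLoaded)
		if knownBadDLLs[dll] {
			hits = append(hits, "ioc: known side-loaded DLL "+dll+" loaded by "+baseName(e.Image))
		}
		if strings.EqualFold(e.Signed, "false") && !inTrustedDir(e.ImageLoaded) {
			hits = append(hits, "sideload: unsigned DLL outside trusted dirs loaded by "+baseName(e.Image))
		}
	case 8: // remote thread created in a known injection target
		if injectionTargets[baseName(e.TargetImage)] {
			hits = append(hits, "injection: "+baseName(e.SourceImage)+" -> "+baseName(e.TargetImage))
		}
	case 3: // outbound connection to a known C2 domain
		if c2Domains[strings.ToLower(e.DestinationHostname)] {
			hits = append(hits, "c2: "+baseName(e.Image)+" contacted "+e.DestinationHostname)
		}
	}
	return hits
}

// ScanLines parses one JSON object per line and returns the alerts for each line.
func ScanLines(lines []string) ([][]string, error) {
	out := make([][]string, len(lines))
	for i, line := range lines {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out[i] = Evaluate(e)
	}
	return out, nil
}

// SampleEvents are constructed records, not real telemetry from the campaign.
var SampleEvents = []string{
	`{"EventID":7,"Image":"C:\\Users\\trader\\AppData\\Local\\Temp\\upd\\Updater.exe","ImageLoaded":"C:\\Users\\trader\\AppData\\Local\\Temp\\upd\\DtlCrashCatch.dll","Signed":"false"}`,
	`{"EventID":7,"Image":"C:\\Windows\\System32\\svchost.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true"}`,
	`{"EventID":8,"SourceImage":"C:\\Users\\trader\\AppData\\Local\\Temp\\upd\\Updater.exe","TargetImage":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe"}`,
	`{"EventID":3,"Image":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe","DestinationHostname":"financemachinelearning.com"}`,
	`{"EventID":3,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationHostname":"www.example.com"}`,
}

func main() {
	hits, err := ScanLines(SampleEvents)
	if err != nil {
		panic(err)
	}
	for i, h := range hits {
		for _, msg := range h {
			fmt.Printf("line %d: %s\n", i+1, msg)
		}
	}
}
```

The named indicators will age quickly; the two heuristics (an unsigned DLL loaded from a user-writable directory, and any CreateRemoteThread into a process that should never be a target) are what keep catching the next variant, at the cost of some tuning for software that legitimately does either.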

The Bottom Line

The SPECTRALVIPER campaigns represent a notable shift for an APT group that has been active for well over a decade. After years of focusing outward on China, on dissidents, on foreign corporations, OceanLotus is now targeting Vietnamese infrastructure and local investors.

Whether this is temporary or permanent doesn't matter much to the victims. The backdoor works the same either way.

If you use FireAnt Metakit, the malicious updates have stopped. But the infrastructure compromise lasted over a year. And OceanLotus has shown they're willing to wait.

FAQ Section

What is OceanLotus?

OceanLotus (also known as APT32 or Canvas Cyclone) is a Vietnam-aligned advanced persistent threat group active since at least 2012.

What are the OceanLotus SPECTRALVIPER backdoor campaigns?

These are two recent operations where OceanLotus deployed the SPECTRALVIPER backdoor against a Vietnamese construction firm and stock investors via a FireAnt Metakit supply chain attack.

How did the FireAnt supply chain attack work?

FireAnt Metakit's update configuration file lacked signature validation. OceanLotus replaced the legitimate update binary with a malicious downloader, which then deployed SPECTRALVIPER.

Who or what was targeted by these operations? 

An infrastructure and transportation construction company in Vietnam (initial compromise in November 2024, with renewed activity in January and February 2026), and Vietnamese stock investors using FireAnt Metakit (malicious updates pushed from late October 2025, and again from February to March 2026).

Has OceanLotus changed to domestic espionage? 

Based on the evidence presented in this article, ESET assesses that OceanLotus has placed increasing emphasis on domestic targets since its front company, CyberOne Group, was publicly exposed in December 2020, while noting that it remains unclear whether this is a temporary adjustment or a long-term strategic change.

Is the attack through FireAnt's supply chain still ongoing? 

ESET has not observed any malicious updates delivered through the compromised FireAnt Metakit update channel since March 9, 2026, and assesses that the operation has concluded.

Source: The Hacker News
© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067