The Vietnam-aligned threat actor OceanLotus targeted a Vietnamese infrastructure and transport construction company and stock investors in Vietnam with the SPECTRALVIPER backdoor, according to a technical analysis by ESET. The campaigns ran from mid-2024 through February 2026 in one case and from October 2025 to March 2026 in the other.
KEY FACTS
- Target set: Vietnamese domestic entities, including a transport construction firm and stock investors.
- Malware: SPECTRALVIPER was used as the main backdoor.
- Supply chain route: The FireAnt Metakit update channel was used to deliver malicious code to a small subset of investors.
- Persistence: Access to the construction firm appears to have lasted from November 2024 to February 2026.
The report said the FireAnt Metakit campaign used the software’s legitimate update URL to serve a malicious downloader, which then led to a DLL side-loading chain. The update configuration file lacked integrity validation, so the altered binary could run as if it were a normal update.
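The weakness described above is an update configuration that names a file but carries nothing the client can verify, so a swapped binary runs as a normal update. The following added example (not FireAnt Metakit's or ESET's code; every artefact in it is constructed) puts the weak flow beside a hardened one that pins the binary's SHA-256 in a manifest and authenticates the manifest before anything is executed. HMAC-SHA256 stands in for a vendor signature so the file runs with the standard library only; a real updater would verify an asymmetric signature against a public key shipped in the client.

```python
"""Added illustration of an update-channel integrity check.

Not FireAnt Metakit's or ESET's code. Models the gap in the report: an update
configuration that names a file without anything the client can verify.
All artefacts are constructed. HMAC-SHA256 stands in for a vendor signature
so the file runs with the standard library only; a real updater would verify
an asymmetric signature (e.g. Ed25519) against a public key built into the
client, which holds no secret at all.
"""
import hashlib
import hmac
import json

# Constructed sample artefacts: the build the vendor published and a swapped one.
GOOD_BINARY = b"MZ\x90\x00 constructed legitimate updater payload"
SWAPPED_BINARY = b"MZ\x90\x00 constructed downloader that stages a DLL side-load"

# Assumption: only the vendor holds this key, so only the vendor can sign manifests.
VENDOR_KEY = b"constructed-vendor-signing-key"


def _canonical(manifest: dict) -> bytes:
    """Deterministic encoding so vendor and client sign/verify identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def vendor_publish(binary: bytes, version: str) -> tuple:
    """Vendor side: pin the binary's SHA-256 in the manifest, then sign the manifest."""
    manifest = {
        "version": version,
        "file": "updater.exe",
        "sha256": hashlib.sha256(binary).hexdigest(),
    }
    signature = hmac.new(VENDOR_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, signature


def weak_accept(manifest: dict, binary: bytes) -> bool:
    """Weak flow: the config only names the file, so any blob served under that
    name is accepted. Nothing binds `binary` to what the vendor actually built."""
    return manifest.get("file") == "updater.exe" and binary.startswith(b"MZ")


def hardened_accept(manifest: dict, signature: str, binary: bytes) -> bool:
    """Hardened flow: authenticate the manifest first, then require the fetched
    binary's hash to equal the pinned value. Only a True result may lead to
    execution; the order matters, since an unauthenticated hash proves nothing."""
    expected_sig = hmac.new(VENDOR_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signature):
        return False  # manifest altered in transit or not issued by the vendor
    actual = hashlib.sha256(binary).hexdigest()
    return hmac.compare_digest(actual, manifest.get("sha256", ""))


def demo() -> dict:
    """Run both flows against a legitimate update and two tampering cases."""
    manifest, sig = vendor_publish(GOOD_BINARY, "2.0.1")
    # An attacker controlling the update URL can also rewrite the manifest's hash,
    # but cannot produce a valid signature for the rewritten manifest.
    forged = dict(manifest, sha256=hashlib.sha256(SWAPPED_BINARY).hexdigest())
    return {
        "weak_accepts_swap": weak_accept(manifest, SWAPPED_BINARY),
        "hardened_accepts_good": hardened_accept(manifest, sig, GOOD_BINARY),
        "hardened_accepts_swap": hardened_accept(manifest, sig, SWAPPED_BINARY),
        "hardened_accepts_forged_manifest": hardened_accept(forged, sig, SWAPPED_BINARY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two checks are deliberately separate: the hash pin alone would be defeated by an attacker who can rewrite the configuration file at the same URL, which is exactly the position an attacker holding the update channel is in, so the manifest itself has to be authenticated against a key the channel operator does not control.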
After launch, the downloader collected basic host details and sent them to a staging server for the next-stage payload. The chain then injected a rogue DLL into OneDrive.Sync.Service.exe to trigger SPECTRALVIPER, which contacted a command-and-control server to send encrypted host information.
In the separate intrusion against the construction company, the initial access method was not confirmed. ESET said it was likely tied to exploitation of remote code execution flaws on a public-facing Microsoft SQL server. The malware again used DLL side-loading and appeared in three variants across compromised hosts on the same network.
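Both intrusions above rely on DLL side-loading, where a signed, legitimate host binary (here OneDrive.Sync.Service.exe) ends up loading a rogue DLL. The following added detection sketch is not ESET's or Microsoft's code; it runs a simple rule over constructed, simplified image-load records (loosely shaped like Sysmon Event ID 7, with the loading process's signing state folded in as a `ProcessSigned` field that in practice would come from joining the process-create event). All paths are invented for the example.

```python
"""Added detection sketch for the DLL side-loading pattern in the report.

Not ESET's or Microsoft's code. SAMPLE_EVENTS are constructed, simplified
image-load records; `ProcessSigned` is an assumption folded in for brevity.
"""
import ntpath
from typing import List, Optional, Tuple

# Directories where signed vendor binaries and their DLLs normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events: one benign load, two that match the report's pattern,
# and two that a noisier rule would flag but this one deliberately leaves alone.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "ProcessSigned": True, "Signed": True},
    {"Image": "C:\\Users\\Public\\Libraries\\Sync\\OneDrive.Sync.Service.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\Sync\\version.dll",
     "ProcessSigned": True, "Signed": False},
    {"Image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.Sync.Service.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.dll",
     "ProcessSigned": True, "Signed": False},
    {"Image": "C:\\Program Files\\SomeVendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\SomeVendor\\helper.dll",
     "ProcessSigned": False, "Signed": False},
    {"Image": "C:\\Users\\victim\\tools\\tool.exe",
     "ImageLoaded": "C:\\Users\\victim\\tools\\tool.dll",
     "ProcessSigned": False, "Signed": False},
]


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def classify_load(event: dict) -> Optional[str]:
    """Return a reason string if the load looks like side-loading, else None.

    Signal: a signed process loads an unsigned DLL from outside the trusted
    roots. Same directory as the EXE -> classic side-load layout (signed host
    binary copied next to a rogue DLL). Elsewhere -> a foreign DLL being
    pulled into a legitimate process from a writable location."""
    dll = event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return None
    if not event["ProcessSigned"] or event["Signed"]:
        return None  # unsigned hosts are too noisy; signed DLLs are out of scope here
    if _under_trusted_root(dll):
        return None  # writing there needs admin; accepted blind spot for this rule
    dll_dir = ntpath.dirname(dll).lower()
    exe_dir = ntpath.dirname(event["Image"]).lower()
    if dll_dir == exe_dir:
        return "side-load candidate: signed host and unsigned DLL in the same untrusted directory"
    return "foreign unsigned DLL loaded into a signed process from an untrusted directory"


def detect_side_loads(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Run the rule over a batch; returns (process, dll, reason) for each hit."""
    hits = []
    for ev in events:
        reason = classify_load(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for proc, dll, why in detect_side_loads(SAMPLE_EVENTS):
        print(f"{why}\n  process: {proc}\n  dll:     {dll}")
```

The rule keys on the combination the report describes rather than on any single DLL name, so it also catches a signed host binary that has been copied to a user-writable directory; the trade-off is that a rogue DLL dropped under Program Files by an attacker who already has admin rights is not flagged, which is why this belongs alongside, not instead of, file-integrity monitoring of those directories.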
The report also said no further malicious updates were seen through the compromised FireAnt channel after March 9, 2026. OceanLotus, active since 2012, has previously been linked to espionage campaigns aimed at media, human rights, civil society and other targets in Southeast Asia.
WHY IT MATTERS
The findings show how a long-running espionage group can use trusted software updates and internal network access to reach selected victims. They also point to a continued focus on domestic targets in Vietnam, which can make detection harder and limit the number of affected users.