HackMyIP
2026-06-11 The Hacker News

OceanLotus APT Targets Vietnam with SPECTRALVIPER in FireAnt Supply Chain Attack

Tags: APT, Supply Chain, Threat Intel

Vietnam-aligned threat actor OceanLotus has been linked to two parallel cyber-espionage campaigns targeting domestic entities, leveraging its signature SPECTRALVIPER backdoor in a long-running intrusion against a Vietnamese infrastructure and transport construction corporation and a separate supply chain attack via the FireAnt Metakit platform used by stock investors. The first campaign persisted from mid-2024 through February 2026, while the FireAnt Metakit operation ran from October 2, 2025, to March 2026, according to ESET researchers. The dual activity signals a strategic pivot by the 15-year-old APT group, historically focused on external targets including China, toward intensified domestic espionage operations.

The FireAnt Metakit supply chain compromise stands out for its surgical precision. Attackers abused the software's legitimate update URL to selectively deliver SPECTRALVIPER to a small subset of stock investor endpoints, demonstrating the kind of calculated tradecraft that has defined OceanLotus since its 2012 emergence. The group previously relied on watering-hole techniques to profile media, human rights, and civil society targets, and in December 2020, Meta publicly connected the cluster to Vietnamese IT firm CyberOne Group, after which the actor vanished for nearly three years before resurfacing in 2023 with SPECTRALVIPER, first documented by Elastic Security Labs. More recently, Kaspersky identified three malicious PyPI packages deploying a new malware family dubbed ZiChatBot, whose dropper shares a 64% similarity with prior OceanLotus tooling. Defenders monitoring this infrastructure can validate suspicious endpoint communications using a port scanner to detect atypical listening services associated with the backdoor.

SPECTRALVIPER joins an established OceanLotus arsenal that includes SOUNDBITE (Denis), PHOREAL (Rizzo), and WINDSHIELD (Remy), all of which enable persistent access and data exfiltration across compromised Windows environments. The abuse of trusted software update channels underscores why supply chain risk requires continuous validation of update server integrity; security teams should routinely verify transport encryption and certificate trust chains with an SSL/TLS checker to catch tampering at the channel level. Because APT operators frequently route C2 traffic through anonymizing infrastructure, analysts investigating suspected OceanLotus indicators can cross-reference egress IPs against a VPN/proxy detector to attribute suspicious connections to known anonymization services. Whether the domestic focus represents a temporary operational adjustment or a long-term strategic shift, OceanLotus continues to demonstrate the aggressive tooling and patient reconnaissance that have made it one of Southeast Asia's most persistent state-aligned threats.
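The update-channel point above (a legitimate update URL serving a different artifact to a small subset of endpoints) suggests one concrete defender check. The Python below is an added example, not code from the page, from ESET, or from the FireAnt Metakit vendor: it compares the artifact each endpoint actually pulled from the update URL against a hash pinned out-of-band from the vendor's published manifest, and flags the minority of hosts that received something else. Host names, payload bytes and the manifest are constructed for the example; in practice the manifest hash would be obtained through a channel independent of the update server itself.

```python
"""Added example: detect selective delivery of a tampered update artifact.
All hosts, payloads and manifest values below are constructed, not real data."""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact; the value operators compare against the manifest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts: the genuine update and a tampered copy.
GENUINE_UPDATE = b"metakit-update-v2.1: legitimate payload (constructed)"
TAMPERED_UPDATE = b"metakit-update-v2.1: payload with an extra stage (constructed)"

# Hypothetical manifest pinned out-of-band (e.g. vendor-published hash list).
VENDOR_MANIFEST = {"version": "2.1", "sha256": sha256_hex(GENUINE_UPDATE)}

# Constructed endpoint reports: the bytes each host actually fetched from the update URL.
ENDPOINT_REPORTS = {
    "ws-trader-01": GENUINE_UPDATE,
    "ws-trader-02": GENUINE_UPDATE,
    "ws-trader-03": TAMPERED_UPDATE,  # this host was served a different file
    "ws-trader-04": GENUINE_UPDATE,
}


def verify_artifact(payload: bytes, manifest: dict) -> bool:
    """True when the fetched payload matches the pinned manifest hash."""
    return sha256_hex(payload) == manifest["sha256"]


def find_divergent_endpoints(reports: dict, manifest: dict) -> list:
    """Hosts whose fetched artifact does not match the pinned hash.

    Selective delivery leaves most hosts with the genuine file and a few with
    something else, so the divergent minority is the set to investigate."""
    return sorted(host for host, payload in reports.items()
                  if not verify_artifact(payload, manifest))


def artifact_distribution(reports: dict) -> dict:
    """How many endpoints received each distinct artifact hash."""
    return dict(Counter(sha256_hex(p) for p in reports.values()))


def majority_hash(reports: dict) -> str:
    """Fallback when no pinned manifest exists: the hash most hosts received.
    Useful for spotting outliers, but weaker than an out-of-band pin, since a
    broadly poisoned update would itself be the majority."""
    return Counter(sha256_hex(p) for p in reports.values()).most_common(1)[0][0]


if __name__ == "__main__":
    print("divergent:", find_divergent_endpoints(ENDPOINT_REPORTS, VENDOR_MANIFEST))
    print("distribution:", artifact_distribution(ENDPOINT_REPORTS))
    print("majority matches manifest:",
          majority_hash(ENDPOINT_REPORTS) == VENDOR_MANIFEST["sha256"])
```

The manifest pin is the part that matters: a majority vote across endpoints only catches selective delivery to a minority, whereas a hash obtained independently of the update server also catches a fully poisoned channel.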

Source: The Hacker News
