A notorious hacking group has been caught targeting stock investors in Vietnam through a supply chain attack, hijacking a popular investment software platform to deliver a powerful backdoor.
The operation, carried out by OceanLotus (also known as APT32), marks a notable shift in the group’s tactics as it turns focus increasingly toward domestic targets inside the country.
OceanLotus has been active since at least 2012 and is believed to be aligned with the interests of the Vietnamese government.
The group has historically targeted organizations across China and Southeast Asia, but recent tracking data shows it is now placing growing emphasis on surveillance within Vietnam itself.
The attack on FireAnt MetaKit represents a concerning new chapter in that ongoing shift.
Welivesecurity researchers, in a report shared with Cyber Security News (CSN), said they identified the campaign and observed it running from approximately October 2025 through March 2026.
The group compromised the update server of FireAnt MetaKit, a widely used stock market data delivery tool, and replaced legitimate software updates with a malicious payload. This trojanized update ultimately deployed SPECTRALVIPER, OceanLotus’s signature backdoor.
Despite the broad reach a supply chain attack of this kind could have, only a small subset of users actually received SPECTRALVIPER.
This selective delivery suggests the attackers were after specific individuals, likely tied to Vietnam’s ongoing anti-corruption investigations and financial market scrutiny. That level of precision shows the operational discipline that makes this threat group so dangerous.
The timing also carries important geopolitical weight. Vietnamese authorities had been conducting wide-ranging financial investigations after revelations that about 80 major companies misreported bond sales, causing a 5.5% drop in the country’s main stock index.
Researchers believe OceanLotus may have been supporting those domestic investigative efforts, acting as a digital arm of the state’s surveillance apparatus.
FireAnt is a Vietnam-based fintech company offering real-time market data, technical analysis tools, and AI-driven investment insights.
MetaKit is a specialized software component within that ecosystem, designed to feed financial data directly into trading platforms like AmiBroker and MetaTrader.
On October 2, 2025, researchers detected the first malicious payload originating from FireAnt MetaKit’s legitimate update URL at http://metakit.fireant[.]vn/Software/setup.exe.
The update configuration file lacked any integrity validation mechanism, meaning there was nothing in place to verify whether the software being delivered was genuine.
Due to this gap, Metakit.exe silently executed the malicious downloader as if it were a routine update. The downloader then profiled the host machine and sent that data to a staging server to request the next-stage payload.
The attacker’s infrastructure evolved across the campaign. Command and control servers initially used the IP 139.162.11[.]152 before migrating to 142.91.98[.]77.
SPECTRALVIPER was then delivered via DLL side-loading, using a file named DtlCrashCatch.dll alongside a renamed executable called IntelAudioService.exe, which injected the backdoor into the OneDrive.Sync.Service.exe process.
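The side-loading chain above (a renamed, legitimately signed executable loading an unsigned DLL from its own directory) is a pattern endpoint telemetry can catch generically. The following detection logic is an added example, not code from the report or from ESET; it runs over constructed Sysmon-style events (field names follow Sysmon Event ID 1 ProcessCreate and Event ID 7 ImageLoad, values are made up), and the file names it matches are the ones from the article's IoC table.

```python
import ntpath
from typing import Dict, List

# File names published in the article's IoC table (lower-cased for matching).
IOC_FILE_NAMES = {"dtlcrashcatch.dll", "intelaudioservice.exe"}

# Constructed Sysmon-style events. Event 1 = process create, Event 7 = image load.
# Paths and PIDs are invented; the renamed-binary detail (IntelAudioService.exe
# with OriginalFileName dtlupdate.exe) comes from the article.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "4412",
     "Image": r"C:\Users\trader\AppData\Local\Temp\IntelAudioService.exe",
     "OriginalFileName": "dtlupdate.exe"},
    {"EventID": "7", "ProcessId": "4412",
     "Image": r"C:\Users\trader\AppData\Local\Temp\IntelAudioService.exe",
     "ImageLoaded": r"C:\Users\trader\AppData\Local\Temp\DtlCrashCatch.dll",
     "Signed": "false"},
    {"EventID": "1", "ProcessId": "5120",
     "Image": r"C:\Program Files\AmiBroker\Broker.exe",
     "OriginalFileName": "Broker.exe"},
    {"EventID": "7", "ProcessId": "5120",
     "Image": r"C:\Program Files\AmiBroker\Broker.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"EventID": "7", "ProcessId": "5120",            # benign same-directory load:
     "Image": r"C:\Program Files\AmiBroker\Broker.exe",   # signed, process not renamed
     "ImageLoaded": r"C:\Program Files\AmiBroker\plugin.dll",
     "Signed": "true"},
]


def _base(path: str) -> str:
    # ntpath handles Windows paths regardless of the host OS running the script.
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def detect_sideloading(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag image loads that look like DLL side-loading.

    A finding is raised when an unsigned DLL is loaded from the process's own
    directory, or when a file name matches a published IoC. A process whose
    on-disk name differs from its PE OriginalFileName (a renamed signed binary)
    is recorded as an aggravating reason rather than a finding on its own.
    """
    renamed: Dict[str, str] = {}  # ProcessId -> OriginalFileName
    for ev in events:
        if ev.get("EventID") == "1":
            orig = ev.get("OriginalFileName", "")
            if orig and _base(ev.get("Image", "")) != orig.lower():
                renamed[ev["ProcessId"]] = orig

    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "7":
            continue
        proc, dll, pid = ev.get("Image", ""), ev.get("ImageLoaded", ""), ev.get("ProcessId", "")
        same_dir = _dir(proc) == _dir(dll)
        unsigned = ev.get("Signed", "").lower() != "true"
        reasons: List[str] = []
        if same_dir and unsigned:
            reasons.append("unsigned DLL loaded from the process's own directory")
        if _base(dll) in IOC_FILE_NAMES or _base(proc) in IOC_FILE_NAMES:
            reasons.append("file name matches a published IoC")
        if reasons and pid in renamed:
            reasons.append(f"process binary renamed (OriginalFileName={renamed[pid]})")
        if reasons:
            findings.append({
                "ProcessId": pid, "Image": proc, "ImageLoaded": dll,
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_sideloading(EVENTS):
        print(f["severity"], f["ProcessId"], f["ImageLoaded"], "|", "; ".join(f["reasons"]))
```

The renamed-binary check depends on the telemetry source exposing the PE's OriginalFileName for the process image, which Sysmon does in Event 1; the same heuristic works on EDR data that carries the equivalent field.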
SPECTRALVIPER Backdoor: Architecture and Capabilities
SPECTRALVIPER operates as a fully featured backdoor that communicates with its command and control server over HTTPS. It sends an initial beacon to a hardcoded URL, embedding encrypted host information inside the HTTP Cookie header.
In this campaign, the backdoor used the domain financemachinelearning[.]com, carefully crafted to blend into network traffic associated with stock market activity.
The malware supports lateral movement through an orchestration model, where one instance acts as a controller and distributes commands to other infected machines via named pipe channels.
It can also inject additional binaries or shellcode received from the server into target processes. Notably, an operational security mistake left internal class names intact in one sample, giving researchers a rare window into the backdoor’s underlying architecture.
Organizations relying on third-party investment tools should verify the integrity of software updates they receive, especially when those applications lack HTTPS-based update protocols.
FireAnt MetaKit’s update mechanism did not use TLS encryption, leaving it exposed to interception. Unsigned and unverified software updates should always be treated with the same caution as suspicious email attachments.
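The gap the article describes (a version.xml that names a download URL but carries nothing a client could check, fetched over plain HTTP) is illustrated by the following added example. It is not FireAnt's code and the manifest element names are assumptions; it shows an update client that refuses a non-HTTPS or non-pinned host, refuses a manifest without a digest, and only accepts a payload whose SHA-256 matches the manifest. Payloads and manifests are constructed inline.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical pinned update host; a real client would also pin the TLS
# certificate or CA, and authenticate the manifest with an asymmetric signature.
UPDATE_HOST = "updates.example.invalid"

# Constructed payloads standing in for a genuine and a trojanized setup.exe.
GENUINE_PAYLOAD = b"MZ\x90\x00constructed-genuine-update"
TAMPERED_PAYLOAD = b"MZ\x90\x00constructed-trojanized-update"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(url: str, digest: Optional[str]) -> str:
    """Build a version.xml-style manifest (assumed schema, not FireAnt's)."""
    digest_xml = f"<sha256>{digest}</sha256>" if digest else ""
    return f"<update><version>2.1.0</version><url>{url}</url>{digest_xml}</update>"


def parse_manifest(xml_text: str) -> Dict[str, Optional[str]]:
    # ElementTree is fine for this constructed input; parse untrusted XML with defusedxml.
    root = ET.fromstring(xml_text)
    return {
        "version": root.findtext("version"),
        "url": root.findtext("url"),
        "sha256": root.findtext("sha256"),
    }


def verify_update(manifest: Dict[str, Optional[str]], payload: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Every check must pass before the payload may run."""
    url = urlparse(manifest.get("url") or "")
    if url.scheme != "https":
        return False, "update URL is not HTTPS"
    if url.hostname != UPDATE_HOST:
        return False, "update URL host is not the pinned update host"
    expected = manifest.get("sha256")
    if not expected:
        return False, "manifest carries no digest; integrity cannot be verified"
    actual = sha256_hex(payload)
    # Constant-time compare; the digest is not secret, but the habit costs nothing.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "payload digest does not match manifest"
    return True, "payload verified"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four scenarios a practitioner would want to see side by side."""
    good_digest = sha256_hex(GENUINE_PAYLOAD)
    http_url = f"http://{UPDATE_HOST}/Software/setup.exe"
    https_url = f"https://{UPDATE_HOST}/Software/setup.exe"
    scenarios = {
        # The weak pattern from the article: plain HTTP, no digest at all.
        "insecure_http_no_digest": (make_manifest(http_url, None), TAMPERED_PAYLOAD),
        # TLS alone protects transport, not the contents of a hijacked server.
        "https_no_digest": (make_manifest(https_url, None), TAMPERED_PAYLOAD),
        "https_genuine": (make_manifest(https_url, good_digest), GENUINE_PAYLOAD),
        "https_tampered": (make_manifest(https_url, good_digest), TAMPERED_PAYLOAD),
    }
    return {name: verify_update(parse_manifest(xml), payload)
            for name, (xml, payload) in scenarios.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:26s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Note the "https_no_digest" case: a compromised update server sits behind a perfectly valid TLS session, so the digest (or, better, a signature over the manifest made with a key that never touches the server) is what actually defends against the scenario in this article.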
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | http://metakit.fireant[.]vn/Software/setup.exe | Legitimate FireAnt MetaKit update URL used to deliver malicious payload |
| URL | http://metakit.fireant[.]vn/Software/version.xml | FireAnt MetaKit update configuration file lacking integrity validation |
| URL | https://financemachinelearning[.]com/apparatus/wind/twig/statement.html | SPECTRALVIPER C&C beacon URL used in the stock investor campaign |
| IP Address | 139.162.11[.]152 | Initial C&C staging server (Akamai Connected Cloud) |
| IP Address | 142.91.98[.]77 | Migrated C&C staging server (LEASEWEB SINGAPORE PTE. LTD.) |
| IP Address | 139.180.128[.]42 | C&C IP associated with domain gatewayrvcenter[.]com (IRT-CHOOPALL-AP) |
| IP Address | 139.99.33[.]239 | C&C IP associated with coachcybersecurity[.]com (OVH Singapore PTE. LTD.) |
| IP Address | 166.88.77[.]186 | C&C IP associated with mxprodesign[.]com (Evyxt Enterprise) |
| IP Address | 103.119.47[.]104 | C&C IP associated with power-sync-services[.]com |
| IP Address | 38.60.245[.]37 | IP associated with leadingfilipinoteams[.]com (Kaopv Cloud HK Limited) |
| IP Address | 194.68.26[.]241 | IP associated with financemachinelearning[.]com (M247 Europe SRL) |
| Domain | financemachinelearning[.]com | SPECTRALVIPER C&C domain crafted to target stock investors |
| Domain | gatewayrvcenter[.]com | SPECTRALVIPER C&C domain used in infrastructure/transport company campaign |
| Domain | coachcybersecurity[.]com | SPECTRALVIPER C&C domain |
| Domain | mxprodesign[.]com | SPECTRALVIPER C&C domain |
| Domain | power-sync-services[.]com | SPECTRALVIPER C&C domain |
| Domain | leadingfilipinoteams[.]com | C&C domain observed in the campaign |
| File Name | setup.exe | Malicious downloader delivered via FireAnt MetaKit update mechanism |
| File Name | DtlCrashCatch.dll | SPECTRALVIPER configured as a loader via DLL side-loading |
| File Name | IntelAudioService.exe | Renamed copy of legitimate signed executable dtlupdate.exe used for side-loading |
| File Name | NotificationConfig.json | Associated configuration file (Win64/Agent.HRA) |
| File Name | system.config.xml | Associated configuration file (Win64/Agent.GFV) |
| File Name | SetupUi.dll | Associated file (Win32/Agent_AGen.FHH) |
| SHA-1 Hash | D511B77459673EC42163F19E300FF1D233B6C39F | setup.exe — Win32/Agent.AIBESP |
| SHA-1 Hash | 59A8553A4F8130F576AB234E0B220BE4D4DA0E98 | setup.exe — Win32/TrojanDownloader.Agent.IKCSP |
| SHA-1 Hash | 9CA1A5C7F79882DB913534C1E62B26BCDCB9F6DD | setup.exe — Win32/TrojanDownloader.Agent.IIZSP |
| SHA-1 Hash | A8E2BBBFCB86500322D2367744FA12755AB0C165 | setup.exe — Win32/TrojanDownloader.Agent_AGen.JLSP |
| SHA-1 Hash | F74F1FEB62B662CDA489FDB2453727824E55ACB9 | setup.exe — Win32/TrojanDownloader.Agent.IJNSP |
| SHA-1 Hash | F8F8209987CA7F139DE6A62F9E6EE21BD2AE93A9 | setup.exe — Win32/TrojanDownloader.Agent.IJXSP |
| SHA-1 Hash | 19A69F856EFA811C376F68E4FEB0997B4724F8BD | setup.exe — Win32/Agent.AIBESP |
| SHA-1 Hash | 490194E9BB5128ECA8693AD9E610891C2ED185AF | setup.exe — Win32/Agent.AIBESP |
| SHA-1 Hash | 51176139B0B2220B802C1578A4994DF68DF5BCD1 | setup.exe — Win32/Agent.AICBSP |
| SHA-1 Hash | 91F042F59BE4BDCB6E5EA21B91DECD731C175B54 | setup.exe — Win32/Agent.AICBSP |
| SHA-1 Hash | A177ED0BFFEB1EFE1D9D31D72A82EF2625AE646D | setup.exe — Win32/Agent.AIBESP |
| SHA-1 Hash | B7B2D2DB544F9EEA74453CDF2B8BEEA58CF07C48 | setup.exe — Generic.CPN2WW8SP |
| SHA-1 Hash | 4AD36AD6C165B5174967020CB1A3358F78D7A283 | setup.exe — Win32/Agent.AIBESP |
| SHA-1 Hash | 57352B3CEEE32216E5AA20BAA848483D7AB5A6FB | setup.exe — Win32/Agent.AIBESP |
| SHA-1 Hash | 9BC06DF9F932746A05EE728C8B103BD3BA6BF395 | setup.exe — Generic.ETQ997N SP |
| SHA-1 Hash | 865A1739337D3303B3AB02C5E694C22B79C42B7D | system.config.xml — Win64/Agent.GFV |
| SHA-1 Hash | 41CB8CD78B8DB76563E4F972ABE817CEEE9CF9B0 | DtlCrashCatch.dll — N/A |
| SHA-1 Hash | 0037DBB0FEA981D02F6F76DE81EBAEFCB68B7D20 | NotificationConfig.json — Win64/Agent.HRA |
| SHA-1 Hash | 5D6194BB48FEBB91A10D1462461A012FAFC0918B | DtlCrashCatch.dll — Win64/Agent.HRA |
| SHA-1 Hash | B028E947150764A71DEEF498DE6F8C95ECCCB445 | SetupUi.dll — Win32/Agent_AGen.FHH |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
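As an added example of putting the table to work (not code from the report), the script below re-fangs a subset of the indicators above inside the tool, as the note recommends, and matches them against constructed proxy and DNS log lines. It deliberately does not promote the host of the hijacked vendor URL to a domain indicator: metakit.fireant.vn is the legitimate update host, so only the full setup.exe URL is treated as suspicious.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Subset of the article's IoC table, copied as published (defanged).
IOC_ROWS: List[Tuple[str, str]] = [
    ("URL", "http://metakit.fireant[.]vn/Software/setup.exe"),
    ("URL", "https://financemachinelearning[.]com/apparatus/wind/twig/statement.html"),
    ("IP Address", "139.162.11[.]152"),
    ("IP Address", "142.91.98[.]77"),
    ("Domain", "financemachinelearning[.]com"),
    ("Domain", "gatewayrvcenter[.]com"),
    ("SHA-1 Hash", "D511B77459673EC42163F19E300FF1D233B6C39F"),
    ("SHA-1 Hash", "41CB8CD78B8DB76563E4F972ABE817CEEE9CF9B0"),
]

# Constructed log lines: a proxy access log (time, client, method, url, status)
# and one DNS query log line. Client IPs and timestamps are invented.
LOG_LINES = [
    "2025-10-02T08:14:03Z 10.20.1.55 GET http://metakit.fireant.vn/Software/version.xml 200",
    "2025-10-02T08:14:05Z 10.20.1.55 GET http://metakit.fireant.vn/Software/setup.exe 200",
    "2025-10-02T08:16:41Z 10.20.1.55 CONNECT 142.91.98.77:443 200",
    "2025-10-02T08:20:12Z 10.20.1.55 GET https://financemachinelearning.com/apparatus/wind/twig/statement.html 200",
    "2025-10-02T09:01:00Z 10.20.1.60 GET https://www.example.com/index.html 200",
    "2025-10-02T08:19:58Z dns query 10.20.1.55 gatewayrvcenter.com A",
]


def refang(indicator: str) -> str:
    """Undo common defanging: [.] / (.) -> ., hxxp(s) -> http(s), [:]// -> ://."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]//", "://")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def build_indicators(rows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {"url": set(), "ip": set(), "domain": set(), "sha1": set()}
    kinds = {"URL": "url", "IP Address": "ip", "Domain": "domain", "SHA-1 Hash": "sha1"}
    for kind, value in rows:
        if kind in kinds:
            out[kinds[kind]].add(refang(value).lower())
    return out


INDICATORS = build_indicators(IOC_ROWS)
_TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def match_line(line: str, ioc: Dict[str, Set[str]] = INDICATORS) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    lower = line.lower()
    for url in ioc["url"]:
        if url in lower:
            hits.append(("url", url))
    for tok in _TOKEN_RE.findall(lower):
        tok = tok.strip(".")
        if tok in ioc["ip"]:
            hits.append(("ip", tok))
        for d in ioc["domain"]:
            if tok == d or tok.endswith("." + d):
                hits.append(("domain", d))
    return hits


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    return [{"line_no": i, "line": ln, "matches": m}
            for i, ln in enumerate(lines) if (m := match_line(ln))]


def hash_is_known(sha1_hex: str, ioc: Dict[str, Set[str]] = INDICATORS) -> bool:
    return sha1_hex.lower() in ioc["sha1"]


def file_bytes_are_known(data: bytes) -> bool:
    return hash_is_known(hashlib.sha1(data).hexdigest())


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES):
        print(hit["line_no"], hit["matches"])
```

Domain matching is suffix-based so a subdomain of a listed C&C domain still matches, while the unlisted vendor host does not; the first constructed line (the version.xml fetch) therefore produces no hit, which is the intended behaviour for a URL every legitimate client requests.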