SPECTRALVIPER targets Vietnam's supply chain and investors
OceanLotus, an APT threat actor active since 2012, is deploying the SPECTRALVIPER backdoor for targeted espionage and supply-chain attacks in Vietnam. According to ESET, the group exploited update chains to target stock investors and used RCE vulnerabilities to infiltrate infrastructure firms between 2024 and 2026.
How did OceanLotus target Vietnamese investors?
OceanLotus abused a popular update chain known as FireAnt Metakit to distribute a downloader to a select group of stock investors, according to ESET. The attackers compromised an official update URL to serve the SPECTRALVIPER backdoor loader as a fake update.
This breach was possible because the update chain's configuration file lacked sufficient signature or integrity validation: the client trusted whatever the update URL returned. Once the loader ran, it performed host reconnaissance and used encrypted HTTP transfers to communicate with a command-and-control (C2) server.
What happened during the infrastructure sector attacks?
A separate campaign targeted an unnamed Vietnamese infrastructure and transport construction company from November 2024 through February 2026. Analysts suggest the entry point was likely a remote code execution (RCE) vulnerability in a publicly exposed Microsoft SQL Server environment.
Once inside, the group used DLL side-loading to stage the backdoor. Security observers noted multiple variants of the malware across different compromised systems, which means simple hash-based detection is insufficient for this threat.
How does SPECTRALVIPER bypass security?
The malware uses an infection chain in which legitimate binaries are abused to load a "rogue" DLL. This DLL then injects itself into trusted Windows processes, specifically "OneDrive.Sync.Service.exe", to trigger the backdoor.
Because the malware runs within the context of a trusted process, it is harder for defenders to block. SPECTRALVIPER acts as a loader, allowing the attackers to pull additional shellcode or components from the C2 server to increase their adaptability.
Who else has tracked the OceanLotus group?
Different security providers have observed the group's evolution. Elastic Security Labs first described SPECTRALVIPER in June 2023 while tracking a campaign involving Vietnamese public companies. Meta later linked OceanLotus to a Vietnamese IT firm that ceased operations after the group's activities became public.
Additionally, Kaspersky reported three malicious Python packages on the Python Package Index (PyPI). These packages contained dropper characteristics that closely resemble known OceanLotus components.
What may happen next in these campaigns?
The group's tendency to shut down specific update distribution points suggests OceanLotus may continue to design modular campaigns that can be deactivated quickly upon detection. Future operations could rely more heavily on "living off the land" techniques, such as the continued use of process injection and DLL side-loading.
Developers may face increased pressure to implement mandatory signatures and integrity checks for all updates. Analysts expect a possible shift where the group prioritizes domestic information gathering over external targets.
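The control that was missing from the FireAnt Metakit update chain described above, and that the previous paragraph expects developers to be pushed toward, is a signed manifest plus a payload digest check. The following is an added Go example, not code from ESET, the FireAnt Metakit project or the OceanLotus research; the manifest layout, field names, version string and keys are all constructed for the demonstration. Whoever controls the update URL can swap the payload or the manifest, but without the publisher's private key cannot produce a signature that the pinned public key accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor fetched alongside the payload.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the expected payload
}

// VerifyUpdate accepts an update only if the manifest signature verifies under the
// pinned publisher key AND the payload hashes to the digest the manifest names.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (string, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifestJSON, sig) {
		return "", errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return "", fmt.Errorf("manifest unparsable: %w", err)
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", errors.New("payload digest mismatch: refusing update")
	}
	return m.Version, nil
}

// signManifest is the publisher side, included so the example runs offline.
func signManifest(priv ed25519.PrivateKey, version string, payload []byte) (manifestJSON, sig []byte) {
	sum := sha256.Sum256(payload)
	manifestJSON, _ = json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub would be pinned in the client
	genuine := []byte("constructed genuine update payload")
	manifest, sig := signManifest(priv, "2.1.0", genuine)
	fmt.Println(VerifyUpdate(pub, manifest, sig, genuine))                              // 2.1.0 <nil>
	fmt.Println(VerifyUpdate(pub, manifest, sig, []byte("constructed swapped payload"))) // digest mismatch
	forged, _ := json.Marshal(Manifest{Version: "2.1.0", SHA256: "00"})
	fmt.Println(VerifyUpdate(pub, forged, sig, genuine)) // signature invalid
}
```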
Frequently Asked Questions
What is SPECTRALVIPER?
It is a backdoor used by the OceanLotus threat actor for espionage and supply-chain attacks, acting as a loader for additional malicious components.
Which specific software was exploited to reach investors?
The attackers exploited the FireAnt Metakit update chain by abusing an official update URL.
How did the group enter the infrastructure company’s network?
The entry was likely achieved through a remote code execution vulnerability in a publicly accessible Microsoft SQL Server.
How should companies change their update processes to prevent supply-chain attacks?