{"id":372,"date":"2026-06-12T04:42:40","date_gmt":"2026-06-12T04:42:40","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/06\/12\/from-external-espionage-to-domestic-targeting\/"},"modified":"2026-06-12T04:42:40","modified_gmt":"2026-06-12T04:42:40","slug":"from-external-espionage-to-domestic-targeting","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/06\/12\/from-external-espionage-to-domestic-targeting\/","title":{"rendered":"From external espionage to domestic targeting"},"content":{"rendered":"<div>\n<p>Our tracking of OceanLotus activities from 2024\u20132026 reveals a shift in operational focus. During this period, the Vietnam-aligned OceanLotus adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage. We identified two distinct campaigns involving the SPECTRALVIPER backdoor: a supply-chain attack targeting stock investors in Vietnam and a prolonged espionage operation against a Vietnamese infrastructure and transport construction company.<\/p>\n<p>Whether the shift represents a temporary adjustment or a long-term strategic change remains unclear; however, this 15-year-old APT group continues to demonstrate aggressive tactics and a level of craftiness in its tooling.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>From mid-2024 to February 2026, OceanLotus compromised the network of a Vietnamese infrastructure and transport construction corporation with its signature implant, SPECTRALVIPER.<\/li>\n<li>From October 2025 to March 2026, OceanLotus carried out a supply-chain attack leveraging FireAnt Metakit, a software platform widely used by stock investors in Vietnam.<\/li>\n<li>Despite the broad potential impact of such an attack, we observed only a few individuals who ultimately received SPECTRALVIPER, indicating selective targeting.<\/li>\n<li>An OPSEC mistake provides us with an internal view of 
SPECTRALVIPER\u2019s architecture.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>OceanLotus profile<\/h2>\n<p>OceanLotus, also known as APT32, is a cyberespionage group allegedly aligned with the interests of the <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/cyber-espionage-apt32\/\" target=\"_blank\" rel=\"noopener\">Vietnamese government<\/a>. According to our telemetry, activity attributed to this group dates back to 2012, and possibly earlier. OceanLotus mainly targets China and Southeast Asia (with a focus on Vietnam); it has been associated with a variety of operations, ranging from a massive <a href=\"https:\/\/www.volexity.com\/blog\/2017\/11\/06\/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society\/\" target=\"_blank\" rel=\"noopener\">digital profiling<\/a> campaign to highly targeted attacks against Vietnamese human-rights activists.<\/p>\n<p>OceanLotus is known for continuously innovating and expanding its arsenals of Windows and Linux backdoors, often implementing unique network protocols or tailoring the data collection capabilities to specific operational objectives. Its well-known tools include <a href=\"https:\/\/securelist.com\/use-of-dns-tunneling-for-cc-communications\/78203\/\" target=\"_blank\" rel=\"noopener\">Denis<\/a> (aka SOUNDBITE), implementing DNS tunneling for C&amp;C communications; PHOREAL, which leverages the ICMP protocol for C&amp;C communications; WINDSHIELD, which features an interesting proxy bypass mechanism; and its latest backdoor, <a href=\"https:\/\/www.elastic.co\/security-labs\/elastic-charms-spectralviper\" target=\"_blank\" rel=\"noopener\">SPECTRALVIPER<\/a>, which includes orchestration capabilities.<\/p>\n<h2>OceanLotus: Exposure and realignment<\/h2>\n<p>Between 2017 and 2020, OceanLotus attracted significant public attention following multiple reports detailing its cyberespionage activities. 
These included large-scale watering-hole attacks targeting Southeast Asia in 2017\u20132018, <a href=\"https:\/\/web.archive.org\/web\/20200111050736\/https:\/www.br.de\/nachrichten\/wirtschaft\/fr-autoindustrie-im-visier-von-hackern-bmw-ausgespaeht,RjnLkD4\">intrusions<\/a> into corporations such as BMW and Hyundai in 2019, and the <a href=\"https:\/\/interaktiv.br.de\/ocean-lotus\/en\/\" target=\"_blank\" rel=\"noopener\">targeting<\/a> of a Vietnamese dissident in Germany that same year. The group was also linked to <a href=\"https:\/\/www.amnesty.org\/en\/latest\/research\/2021\/02\/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks\/\" target=\"_blank\" rel=\"noopener\">operations<\/a> against human rights defenders between 2019 and 2020, as well as <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/apt32-targeting-chinese-government-in-covid-19-related-espionage\/\" target=\"_blank\" rel=\"noopener\">espionage targeting<\/a> the Wuhan municipal government in 2020.<\/p>\n<p>However, the group\u2019s operations faced a setback in 2020 when Facebook publicly identified <a href=\"https:\/\/about.fb.com\/news\/2020\/12\/taking-action-against-hackers-in-bangladesh-and-vietnam\/\" target=\"_blank\" rel=\"noopener\">the company<\/a> believed to be used as a front for OceanLotus. Following this exposure, public reporting on the group diminished significantly, and its activities received comparatively little attention for several years.<\/p>\n<p>OceanLotus resurfaced publicly in 2023 with a report from Elastic Security Labs that <a href=\"https:\/\/www.elastic.co\/security-labs\/elastic-charms-spectralviper\" target=\"_blank\" rel=\"noopener\">described<\/a> an attack using a previously undocumented backdoor it named SPECTRALVIPER and that targeted Vietnamese businesses. Building on this, our research examines the group\u2019s more recent activity, observed from mid-2024 through early 2026. 
During this period, we identified two distinct campaigns that both relied on SPECTRALVIPER as their primary backdoor but had very different target victim profiles.<\/p>\n<p>The first campaign involved the compromise of an infrastructure and transport construction corporation. This intrusion began in mid-2024 and persisted through January 2026.<\/p>\n<p>The second campaign was a supply-chain attack that began in late 2025 and continued until March 2026. In this operation, OceanLotus compromised the update server of <a href=\"https:\/\/metakit.fireant.vn\/intro\/\" target=\"_blank\" rel=\"noopener\">FireAnt Metakit<\/a>, a Vietnamese stock investment platform, and replaced legitimate software updates with a malicious payload that ultimately deployed SPECTRALVIPER. This campaign appears to have targeted stock investors and may be linked to Vietnam\u2019s recent efforts to promote securities market reforms, suggesting a possible connection to domestic monitoring or investigative objectives.<\/p>\n<p>Finally, in July 2025, a <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/supply-chain-risk-python-termncolor-and-colorinal-explained\" target=\"_blank\" rel=\"noopener\">supply-chain attack<\/a> involving the upload of malicious wheel packages to the Python Package Index (PyPI) was <a href=\"https:\/\/securelist.com\/oceanlotus-suspected-pypi-zichatbot-campaign\/119603\/\" target=\"_blank\" rel=\"noopener\">attributed<\/a> to OceanLotus. However, our telemetry did not identify any affected victims, and we lack sufficient visibility to independently verify that attribution.<\/p>\n<p>Overall, the available evidence points to a potential shift in OceanLotus\u2019s operational patterns. 
Since the exposure of its physical front company in 2020, the group appears to have adopted a more selective approach to foreign espionage while placing increasing emphasis on domestic targets.<\/p>\n<h2>Context of this campaign<\/h2>\n<p>It is worth noting that OceanLotus\u2019s latest activities seem to align with various recent developments taking place on Vietnam\u2019s domestic scene.<\/p>\n<p>In recent years, Vietnamese authorities have embarked upon a major crusade against corruption \u2013 a program baptized <a href=\"https:\/\/thediplomat.com\/2024\/02\/why-vietnams-escalating-anti-corruption-campaign-might-backfire\/\" target=\"_blank\" rel=\"noopener\">Blazing Furnace<\/a>. Similar to Xi Jinping\u2019s big anti-corruption push in China, this effort, launched by the Communist Party of Vietnam, is intended to demonstrate to the population that the party is willing and able to clean up its ranks to maintain its legitimacy. Since 2016, this policy has led to several <a href=\"https:\/\/www.aljazeera.com\/economy\/2023\/7\/11\/vietnam-officials-go-on-trial-over-alleged-covid-flight-bribes\" target=\"_blank\" rel=\"noopener\">high-profile trials<\/a> involving <a href=\"https:\/\/time.com\/7023880\/vietnam-government-accountant-death-penalty-corruption\/\" target=\"_blank\" rel=\"noopener\">party officials<\/a> or <a href=\"https:\/\/www.reuters.com\/article\/markets\/commodities\/vietnams-blazing-furnace-crackdown-burns-40-bln-off-stocks-idUSL3N2WP3M0\/\" target=\"_blank\" rel=\"noopener\">businessmen<\/a> accused of bribing politicians. Furthermore, two <a href=\"https:\/\/www.bbc.com\/news\/world-asia-68622794\" target=\"_blank\" rel=\"noopener\">Vietnamese presidents<\/a> have even been forced to resign since 2023, after they were publicly associated with corruption scandals. 
In 2025 alone, the party reportedly sanctioned <a href=\"https:\/\/vietnamnet.vn\/en\/23-senior-officials-disciplined-in-vietnam-in-2025-6-face-criminal-charges-2476120.html\" target=\"_blank\" rel=\"noopener\">9,600 of its members<\/a> in cases related to corruption, economic crimes, and abuse of position.<\/p>\n<p>In this context, it seems likely that Vietnam\u2019s security apparatus is now deploying increasingly important resources to fight corruption (and financial crime more broadly). We believe that OceanLotus could be somehow associated with these efforts, and that this may be another reason behind the group\u2019s apparent refocus on domestic intelligence and surveillance in the last two years or so. In fact, the two targets we identified in this campaign echo judicial sagas that recently agitated Vietnam\u2019s public arena.<\/p>\n<p>In late October 2025, for instance, Vietnam\u2019s financial regulation agency revealed that about 70 major national companies had been found to have <a href=\"https:\/\/www.ft.com\/content\/44e504e3-d4ed-4851-b25f-a47a785c5fdc?syn-25a6b1a6=1\" target=\"_blank\" rel=\"noopener\">misreported bond sales<\/a> over the past decade \u2013 a revelation that led to a 5.5% slump in the country\u2019s main stock index. This announcement suggests that Vietnamese law-enforcement was possibly deploying wide-ranging investigative efforts against the country\u2019s stock market at the time that OceanLotus was observed compromising the FireAnt stock trading app.<\/p>\n<p>Based on these elements, we believe that OceanLotus\u2019s supply-chain attack was probably conducted as part of current investigative efforts against corruption and financial crime in Vietnam.<\/p>\n<h2>Targeting stock investors<\/h2>\n<h3>The supply chain<\/h3>\n<p>We estimate that the FireAnt supply-chain attack began around October 2025 and continued until March 2026. 
During this period, we identified a few stock investors exposed to the compromised supply chain; however, only a small subset of them ultimately received the SPECTRALVIPER backdoor. Our team made multiple attempts to notify FireAnt of the incident but received no response.<\/p>\n<p>FireAnt is a Vietnam\u2011based fintech company that offers a platform for stock market data, analysis, and investment support tools for both individual and institutional investors. It is considered one of the leading digital investment platforms in Vietnam, providing real\u2011time market data, technical analysis features, and AI\u2011driven insights, along with a community component where investors can share information and opinions. Within this ecosystem, FireAnt MetaKit is a specialized software component focused on data delivery. It is designed to provide real\u2011time and historical financial market data directly to technical analysis platforms such as AmiBroker, MetaStock, and MetaTrader.<\/p>\n<p>On October 2<sup>nd<\/sup>, 2025, we detected the first malicious payload originating from FireAnt MetaKit\u2019s legitimate update URL <span style=\"font-family: courier new, courier, monospace;\">http:\/\/metakit.fireant[.]vn\/Software\/setup.exe<\/span>. The domain resolved to the genuine IP address of the FireAnt update server, suggesting a supply-chain compromise scenario. Our analysis of this payload reveals a first-iteration downloader, indicating that this activity likely represents the early stage of the campaign, where OceanLotus was testing the delivery mechanism on the initial victims. In Table\u00a01, we compare this initial downloader with the stable version observed later in the campaign.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a01. 
Comparison between the test version and the stable version of the downloader<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"141\"><strong>Criteria<\/strong><\/td>\n<td width=\"217\"><strong>First iteration<\/strong><\/td>\n<td width=\"284\"><strong>Stable version<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"141\"><strong>First seen<\/strong><\/td>\n<td width=\"217\">2025\u201110\u201102<\/td>\n<td width=\"284\">2025\u201110\u201117<\/td>\n<\/tr>\n<tr>\n<td width=\"141\"><strong>Code obfuscation<\/strong><\/td>\n<td width=\"217\">None<\/td>\n<td width=\"284\">Heavily obfuscated<\/td>\n<\/tr>\n<tr>\n<td width=\"141\"><strong>Next-stage download<\/strong><\/td>\n<td width=\"217\">Hardcoded URLs<\/td>\n<td width=\"284\">API request<\/td>\n<\/tr>\n<tr>\n<td width=\"141\"><strong>Payload<\/strong><\/td>\n<td width=\"217\">An old SPECTRALVIPER sample that appeared in a previous campaign.<\/td>\n<td width=\"284\">Fresh SPECTRALVIPER samples.<\/td>\n<\/tr>\n<tr>\n<td width=\"141\"><strong>Infrastructure<\/strong><\/td>\n<td width=\"217\">Reused from the previous campaign.<\/td>\n<td width=\"284\">New infrastructure. SPECTRALVIPER C&amp;C domain <span style=\"font-family: courier new, courier, monospace;\">financemachinelearning<wbr\/>[.]com<\/span> was crafted to target stock investors.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>In addition to observing payloads delivered directly from the FireAnt update server, we identified flaws in the update protocol used by the FireAnt MetaKit software. Specifically, the update configuration file at <span style=\"font-family: courier new, courier, monospace;\">http:\/\/metakit.fireant.vn\/Software\/version.xml<\/span> lacks any integrity validation mechanism, as shown in Figure\u00a01.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. 
FireAnt MetaKit update configurations\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-1.png\" alt=\"Figure 1. FireAnt MetaKit update configurations\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. FireAnt MetaKit update configurations<\/em><\/figcaption><\/figure>\n<p>Second, the lack of SSL\/TLS encryption in the network protocol used for obtaining both the <span style=\"font-family: courier new, courier, monospace;\">version.xml<\/span> file and any updated binary makes FireAnt MetaKit vulnerable to interception attacks; however, we have not observed OceanLotus leveraging this technique in this campaign.<\/p>\n<h3>The execution chain<\/h3>\n<p>Due to the absence of signature validation, <span style=\"font-family: courier new, courier, monospace;\">Metakit.exe<\/span> executed the malicious downloader as a legitimate update. Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload (Figure\u00a02).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Download request issued by the downloader\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-2.png\" alt=\"Figure 2. Download request issued by the downloader\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Download request issued by the downloader<\/em><\/figcaption><\/figure>\n<p>Across all observed samples, the download API <span style=\"font-family: courier new, courier, monospace;\">V1\/Update\/GetUpdate<\/span> remained consistent. 
However, the staging infrastructure evolved over time, with C&amp;C servers initially hosted at <span style=\"font-family: courier new, courier, monospace;\">139.162.11[.]152<\/span> and later migrating to <span style=\"font-family: courier new, courier, monospace;\">142.91.98[.]77<\/span>.<\/p>\n<p>In the subsequent stage, the downloader deployed a side-loading chain involving <span style=\"font-family: courier new, courier, monospace;\">DtlCrashCatch.dll<\/span>, which is SPECTRALVIPER configured as a loader, and its companion executable, <span style=\"font-family: courier new, courier, monospace;\">IntelAudioService.exe<\/span>. The latter was executed with the command:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">C:\\Users\\[redacted]\\IntelAudio\\Service\\IntelAudioService.exe \/appmodel \/StateRepository \/Service<\/span><\/p>\n<p>Analysis revealed that <span style=\"font-family: courier new, courier, monospace;\">IntelAudioService.exe<\/span> is in fact a copy of the legitimate, signed executable <span style=\"font-family: courier new, courier, monospace;\">dtlupdate.exe<\/span>, as shown in Figure\u00a03.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 60%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-3.png\" alt=\"Figure 3. IntelAudioService.exe file info\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. <\/em><span style=\"font-family: courier new, courier, monospace;\">IntelAudioService.exe<\/span><em> file info<\/em><\/figcaption><\/figure>\n<p>Once executed, <span style=\"font-family: courier new, courier, monospace;\">DtlCrashCatch.dll<\/span> injects itself into the <span style=\"font-family: courier new, courier, monospace;\">OneDrive.Sync.Service.exe<\/span> process, enabling execution in backdoor mode. 
The backdoor then issues a beacon request to the hardcoded URL <span style=\"font-family: courier new, courier, monospace;\">https:\/\/financemachinelearning[.]com\/apparatus\/wind\/twig\/statement.html<\/span>, embedding encrypted host information within the HTTP Cookie header. Historically, this data was prefixed with <span style=\"font-family: courier new, courier, monospace;\">euconsent-v2=<\/span>; however, in this campaign, we observed the use of the prefix <span style=\"font-family: courier new, courier, monospace;\">zd_cs_pm=<\/span> (Figure\u00a04), marking the first instance of this variation.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. Comparison of HTTP Cookie headers in two SPECTRALVIPER beacon requests\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-4.png\" alt=\"Figure 4. Comparison of HTTP Cookie headers in two SPECTRALVIPER beacon requests\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. Comparison of HTTP Cookie headers in two SPECTRALVIPER beacon requests<\/em><\/figcaption><\/figure>\n<p>The complete execution chain is summarized in Figure\u00a05.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Execution chain of the FireAnt supply-chain attack\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-5-1.png\" alt=\"Figure 5. Execution chain of the FireAnt supply-chain attack (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. 
Execution chain of the FireAnt supply-chain attack<\/em><\/figcaption><\/figure>\n<p>Since March 9<sup>th<\/sup>, 2026, we have not observed any further malicious updates being distributed through the compromised channel, suggesting that the supply-chain attack has probably concluded.<\/p>\n<h2>Targeting a large corporation<\/h2>\n<p>We assess that the compromise of the corporate network of a Vietnamese infrastructure and transport construction corporation began as early as November 2024 and persisted until February 2026. Although the initial access vector was not directly observed, our analysis of the victim\u2019s public-facing servers suggests that the attacker may have exploited remote code execution (RCE) vulnerabilities in a Microsoft SQL server to establish an initial foothold.<\/p>\n<p>During this period, we identified multiple SPECTRALVIPER variants deployed across the network, using both shared and distinct C&amp;C servers. Notably, these deployments exhibited slight variations, possibly tailored to the environments of compromised hosts (Figure\u00a06).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Comparison of SPECTRALVIPER samples detected on the same network\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-6-1.png\" alt=\"Figure 6. Comparison of SPECTRALVIPER samples detected on the same network (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. 
Comparison of SPECTRALVIPER samples detected on the same network<\/em><\/figcaption><\/figure>\n<p><span style=\"font-family: courier new, courier, monospace;\">Genuine.exe<\/span>, <span style=\"font-family: courier new, courier, monospace;\">Updater.exe<\/span>, and <span style=\"font-family: courier new, courier, monospace;\">AutoCAD242.exe<\/span> in Figure\u00a06 are variants of the same legitimate and signed executable <span style=\"font-family: courier new, courier, monospace;\">Toolbox.exe<\/span> (Figure\u00a07), all of which require the command line parameter <span style=\"font-family: courier new, courier, monospace;\">-uiDll<\/span> for the side-loading mechanism to function correctly. Similar to the supply-chain attack, the side-loaded DLL is SPECTRALVIPER in its loader configuration, which subsequently injects the SPECTRALVIPER backdoor into a host process.<\/p>\n<figure class=\"image\"><img decoding=\"async\" style=\"width: 60%; margin: 0 auto; display: block;\" title=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-7.png\" alt=\"Figure 7. File information of the side-loader host\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. File information of the side-loader host<\/em><\/figcaption><\/figure>\n<p>Table\u00a02 lists the C&amp;C domains observed during this incident.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a02. 
SPECTRALVIPER\u2019s C&amp;C domains observed from the incident<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"255\"><strong>C&amp;C domain<\/strong><\/td>\n<td width=\"236\"><strong>IP<\/strong><\/td>\n<td width=\"151\"><strong>First seen<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"255\"><span style=\"font-family: courier new, courier, monospace;\">gatewayrvcenter[.]com<\/span><\/td>\n<td width=\"236\"><span style=\"font-family: courier new, courier, monospace;\">139.180.128[.]42<\/span><\/td>\n<td width=\"151\">2025-09-20<\/td>\n<\/tr>\n<tr>\n<td width=\"255\"><span style=\"font-family: courier new, courier, monospace;\">coachcybersecurity[.]com<\/span><\/td>\n<td width=\"236\"><span style=\"font-family: courier new, courier, monospace;\">139.99.33[.]239<\/span><\/td>\n<td width=\"151\">2024-07-08<\/td>\n<\/tr>\n<tr>\n<td width=\"255\"><span style=\"font-family: courier new, courier, monospace;\">mxprodesign[.]com<\/span><\/td>\n<td width=\"236\"><span style=\"font-family: courier new, courier, monospace;\">166.88.77[.]186<\/span><\/td>\n<td width=\"151\">2024-07-12<\/td>\n<\/tr>\n<tr>\n<td width=\"255\"><span style=\"font-family: courier new, courier, monospace;\">power-sync-services[.]com<\/span><\/td>\n<td width=\"236\"><span style=\"font-family: courier new, courier, monospace;\">103.119.47[.]104<\/span><\/td>\n<td width=\"151\">2024-07-06<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>SPECTRALVIPER: A structural view<\/h2>\n<p>Our analysis of SPECTRALVIPER aligns closely with <a href=\"https:\/\/www.elastic.co\/security-labs\/elastic-charms-spectralviper#spectralviper-code-analysis\">findings<\/a> reported by Elastic Security Labs. 
Rather than reiterating previously published details, we extend that work by providing additional insight into the structure of the malware\u2019s internal classes.<\/p>\n<p>During our investigation, we identified two samples containing RTTI information, which allowed us to reconstruct a partial class hierarchy. This perspective provides deeper visibility into SPECTRALVIPER\u2019s capabilities, as well as its underlying architectural design.<\/p>\n<p>At a high level, SPECTRALVIPER operates as an active backdoor communicating with its C&amp;C server over HTTPS. It initiates communication by sending a beacon to a hardcoded address using a predefined User-Agent header, with encrypted host-profiling data embedded in the HTTP Cookie header and prefixed with either <span style=\"font-family: courier new, courier, monospace;\">euconsent-v2=<\/span> or <span style=\"font-family: courier new, courier, monospace;\">zd_cs_pm=<\/span>.<\/p>\n<p>The C&amp;C domain names appear to be carefully crafted for each campaign to blend in with the victim\u2019s network traffic. For instance, <span style=\"font-family: courier new, courier, monospace;\">financemachinelearning[.]com<\/span> was used in operations targeting stock investors, while <span style=\"font-family: courier new, courier, monospace;\">gatewayrvcenter[.]com<\/span> was observed in activity targeting the infrastructure and transport construction company\u2019s network.<\/p>\n<p>SPECTRALVIPER also supports lateral movement through an orchestration model, in which one instance is designated as an orchestrator responsible for communicating with the C&amp;C infrastructure. This orchestrator distributes commands to other compromised hosts via named pipe channels. 
Within the codebase, inter-instance communication is implemented through methods such as <span style=\"font-family: courier new, courier, monospace;\">XGU::Pivot::StartLink<\/span> and <span style=\"font-family: courier new, courier, monospace;\">XGU::Pivot::Internal::WaitNew_RemotePipe<\/span>.<\/p>\n<p>Analysis of these method names suggests that XGU represents an internal framework underpinning SPECTRALVIPER. The <span style=\"font-family: courier new, courier, monospace;\">Pivot<\/span> subclass inherits from XGU and is responsible for orchestration functionality. Another key subclass, <span style=\"font-family: courier new, courier, monospace;\">Feature<\/span>, encapsulates the malware\u2019s remote-control capabilities, as illustrated in Figure\u00a08.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. Definition of the Feature class\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-8-1.png\" alt=\"Figure 8. Definition of the Feature class (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. Definition of the <\/em><span style=\"font-family: courier new, courier, monospace;\">Feature<\/span> <em>class<\/em><\/figcaption><\/figure>\n<p>Beyond its role as a backdoor, SPECTRALVIPER functions as a capable loader, able to inject itself \u2013 as well as additional binaries or shellcode received from the C&amp;C \u2013 into target processes. In both campaigns we analyzed, SPECTRALVIPER was configured to initially execute in a loader role, injecting its backdoor component into a separate process rather than relying on a standalone loader. These process manipulation and injection capabilities are implemented through the <span style=\"font-family: courier new, courier, monospace;\">ProcessReflector<\/span> and <span style=\"font-family: courier new, courier, monospace;\">ProcessManager<\/span> classes, as shown in Figure\u00a09.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. 
ProcessManager and ProcessReflector definitions\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/oceanlotus\/figure-9-1.png\" alt=\"Figure 9. ProcessManager and ProcessReflector definitions (1)\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. <\/em><span style=\"font-family: courier new, courier, monospace;\">ProcessManager<\/span><em> and <\/em><span style=\"font-family: courier new, courier, monospace;\">ProcessReflector<\/span><em> definitions<\/em><\/figcaption><\/figure>\n<h2>Conclusion<\/h2>\n<p>In this blogpost, we have provided updates on OceanLotus, a Vietnam-aligned APT group. According to our telemetry, activity observed between 2024 and 2026 suggests that the group has put an increasing focus on domestic espionage. We describe two incidents during this period: a supply-chain attack leveraging FireAnt MetaKit to target stock investors in Vietnam, and the compromise of a Vietnamese infrastructure and transport construction company. In both cases, OceanLotus deployed its signature backdoor, SPECTRALVIPER, on victim systems. Notably, an operational security (OPSEC) lapse resulted in RTTI names being left intact in a SPECTRALVIPER sample, enabling us to reconstruct aspects of the backdoor\u2019s internal architecture.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=oceanlotus-external-espionage-domestic-targeting&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/oceanlotus\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<p>\u00a0<\/p>\n<table style=\"height: 1288px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 18px;\">\n<td style=\"height: 18px;\" width=\"179\"><strong>SHA\u20111<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"113\"><strong>Filename<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"123\"><strong>Detection<\/strong><\/td>\n<td style=\"height: 18px;\" width=\"227\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">511B77459673EC42163F<wbr\/>19E300FF1D233B6C39FB<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AIBE<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">59A8553A4F8130F576AB<wbr\/>234E0B220BE4D4DA0E98<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, 
monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/TrojanDown<wbr\/>loader.Agent.IKC<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">9CA1A5C7F79882DB9135<wbr\/>34C1E62B26BCDCB9F6DD<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/TrojanDown<wbr\/>loader.Agent.IIZ<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">A8E2BBBFCB86500322D2<wbr\/>367744FA12755AB0C165<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/TrojanDown<wbr\/>loader.Agent_AGen.JL<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">F74F1FEB62B662CDA489<wbr\/>FDB2453727824E55ACB9<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/TrojanDown<wbr\/>loader.Agent.IJN<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, 
monospace;\">F8F8209987CA7F139DE6<wbr\/>A62F9E6EE21BD2AE93A9<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/TrojanDown<wbr\/>loader.Agent.IJX<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">19A69F856EFA811C376F<wbr\/>68E4FEB0997B4724F8BD<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AIBE<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">490194E9BB5128ECA869<wbr\/>3AD9E610891C2ED185AF<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AIBE<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">51176139B0B2220B802C<wbr\/>1578A4994DF68DF5BCD1<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AICB<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 
72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">91F042F59BE4BDCB6E5E<wbr\/>A21B91DECD731C175B54<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AICB<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">A177ED0BFFEB1EFE1D9D<wbr\/>31D72A82EF2625AE646D<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AIBE<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">B7B2D2DB544F9EEA7445<wbr\/>3CDF2B8BEEA58CF07C48<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Generik.CPNQYWW<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">4AD36AD6C165B5174967<wbr\/>020CB1A3358F78D7A283<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AIBE<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered 
from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">57352B3CEEE32216E5AA<wbr\/>20BAA848483D7AB5A6FB<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Win32\/Agent.AIBE<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">9BC06DF9F932746A05EE<wbr\/>728C8B103BD3BA6BF395<\/span><\/td>\n<td style=\"height: 72px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">setup.exe<\/span><\/td>\n<td style=\"height: 72px;\" width=\"123\">Generik.ETQXXVN<\/td>\n<td style=\"height: 72px;\" width=\"227\">SPECTRALVIPER downloader delivered from the FireAnt update server.<\/td>\n<\/tr>\n<tr style=\"height: 38px;\">\n<td style=\"height: 38px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">865A1739337D3303B3AB<wbr\/>02C5E694C22B79C42B7D<\/span><\/td>\n<td style=\"height: 38px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">system.config<wbr\/>.xml<\/span><\/td>\n<td style=\"height: 38px;\" width=\"123\">Win64\/Agent.GFV<\/td>\n<td style=\"height: 38px;\" width=\"227\">SPECTRALVIPER backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 38px;\">\n<td style=\"height: 38px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">8CD78B8DB76563E4F972<wbr\/>ABE817CEEE9CF9B00037<\/span><\/td>\n<td style=\"height: 38px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">DtlCrashCatch<wbr\/>.dll<\/span><\/td>\n<td style=\"height: 38px;\" width=\"123\">N\/A<\/td>\n<td style=\"height: 38px;\" 
width=\"227\">SPECTRALVIPER backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 38px;\">\n<td style=\"height: 38px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">B0FEA981D02F6F76DE81<wbr\/>EBAEFCB68B7D205D6194<\/span><\/td>\n<td style=\"height: 38px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">NotificationC<wbr\/>onfig.json<\/span><\/td>\n<td style=\"height: 38px;\" width=\"123\">Win64\/Agent.HRA<\/td>\n<td style=\"height: 38px;\" width=\"227\">SPECTRALVIPER backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 38px;\">\n<td style=\"height: 38px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">48FEBB91A10D1462461A<wbr\/>012FAFC0918BB028E947<\/span><\/td>\n<td style=\"height: 38px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">DtlCrashCatch<wbr\/>.dll<\/span><\/td>\n<td style=\"height: 38px;\" width=\"123\">Win64\/Agent.HRA<\/td>\n<td style=\"height: 38px;\" width=\"227\">SPECTRALVIPER backdoor.<\/td>\n<\/tr>\n<tr style=\"height: 38px;\">\n<td style=\"height: 38px;\" width=\"179\"><span style=\"font-family: courier new, courier, monospace;\">150764A71DEEF498DE6F<wbr\/>8C95ECCCB4455C1B601F<\/span><\/td>\n<td style=\"height: 38px;\" width=\"113\"><span style=\"font-family: courier new, courier, monospace;\">SetupUi.dll<\/span><\/td>\n<td style=\"height: 38px;\" width=\"123\">Win32\/Agent_AGen<wbr\/>.FHH<\/td>\n<td style=\"height: 38px;\" width=\"227\">SPECTRALVIPER backdoor.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table style=\"height: 616px;\" border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"128\"><strong>IP<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"128\"><strong>Domain<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"111\"><strong>Hosting provider<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"85\"><strong>First 
seen<\/strong><\/td>\n<td style=\"height: 68px;\" width=\"189\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">38.60.245[.]37<\/span><\/td>\n<td style=\"height: 68px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">leadingfilipin<wbr\/>oteams[.]com<\/span><\/td>\n<td style=\"height: 68px;\" width=\"111\">Kaopu Cloud HK Limited<\/td>\n<td style=\"height: 68px;\" width=\"85\">2025\u201110\u201105<\/td>\n<td style=\"height: 68px;\" width=\"189\">SPECTRALVIPER C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">139.99.33[.]239<\/span><\/td>\n<td style=\"height: 86px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">coachcybersecu<wbr\/>rity[.]com<\/span><\/td>\n<td style=\"height: 86px;\" width=\"111\">OVH Singapore PTE. 
LTD<\/td>\n<td style=\"height: 86px;\" width=\"85\">2025\u201109\u201120<\/td>\n<td style=\"height: 86px;\" width=\"189\">SPECTRALVIPER C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">139.162.11[.]152<\/span><\/td>\n<td style=\"height: 86px;\" width=\"128\">N\/A<\/td>\n<td style=\"height: 86px;\" width=\"111\">Akamai Connected Cloud<\/td>\n<td style=\"height: 86px;\" width=\"85\">2025\u201110\u201102<\/td>\n<td style=\"height: 86px;\" width=\"189\">SPECTRALVIPER hosting server.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">139.180.128[.]42<\/span><\/td>\n<td style=\"height: 86px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">gatewayrvcente<wbr\/>r[.]com<\/span><\/td>\n<td style=\"height: 86px;\" width=\"111\">IRT\u2011CHOOPALLC\u2011AP<\/td>\n<td style=\"height: 86px;\" width=\"85\">2025\u201109\u201120<\/td>\n<td style=\"height: 86px;\" width=\"189\">SPECTRALVIPER C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 86px;\">\n<td style=\"height: 86px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">142.91.98[.]77<\/span><\/td>\n<td style=\"height: 86px;\" width=\"128\">N\/A<\/td>\n<td style=\"height: 86px;\" width=\"111\">LEASEWEB SINGAPORE PTE. 
LTD.<\/td>\n<td style=\"height: 86px;\" width=\"85\">2025\u201112\u201103<\/td>\n<td style=\"height: 86px;\" width=\"189\">SPECTRALVIPER hosting server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">166.88.77[.]186<\/span><\/td>\n<td style=\"height: 68px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">mxprodesign[.]<wbr\/>com<\/span><\/td>\n<td style=\"height: 68px;\" width=\"111\">Evoxt Enterprise<\/td>\n<td style=\"height: 68px;\" width=\"85\">2025\u201106\u201123<\/td>\n<td style=\"height: 68px;\" width=\"189\">SPECTRALVIPER C&amp;C server.<\/td>\n<\/tr>\n<tr style=\"height: 68px;\">\n<td style=\"height: 68px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">194.68.26[.]241<\/span><\/td>\n<td style=\"height: 68px;\" width=\"128\"><span style=\"font-family: courier new, courier, monospace;\">financemachine<wbr\/>learning[.]com<\/span><\/td>\n<td style=\"height: 68px;\" width=\"111\">M247 Europe SRL<\/td>\n<td style=\"height: 68px;\" width=\"85\">2025\u201110\u201130<\/td>\n<td style=\"height: 68px;\" width=\"189\">SPECTRALVIPER C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 19 <\/a>of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1195\/002\">T1195.002<\/a><\/td>\n<td width=\"151\">Supply Chain 
Compromise: Compromise Software Supply Chain<\/td>\n<td width=\"265\">FireAnt MetaKit update servers were compromised.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1190\">T1190<\/a><\/td>\n<td width=\"151\">Exploit Public-Facing Application<\/td>\n<td width=\"265\">Suspected Microsoft SQL RCE exploitation.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1059\">T1059<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter<\/td>\n<td width=\"265\">SPECTRALVIPER was deployed using curl.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1204\">T1204<\/a><\/td>\n<td width=\"151\">User Execution<\/td>\n<td width=\"265\">Users could have initiated the MetaKit update.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1574\/002\">T1574.002<\/a><\/td>\n<td width=\"151\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td width=\"265\">SPECTRALVIPER was executed via side-loading.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1055\">T1055<\/a><\/td>\n<td width=\"151\">Process Injection<\/td>\n<td width=\"265\">SPECTRALVIPER can be injected into various processes.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1036\">T1036<\/a><\/td>\n<td width=\"151\">Masquerading<\/td>\n<td width=\"265\">Side-loading hosts were renamed.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\">T1027<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information<\/td>\n<td width=\"265\">The malicious 
downloaders and the backdoor are heavily obfuscated.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1553\/002\">T1553.002<\/a><\/td>\n<td width=\"151\">Subvert Trust Controls: Code Signing<\/td>\n<td width=\"265\">The absence of signature validation in the FireAnt MetaKit update protocol was abused.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1082\">T1082<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">The malicious downloaders and the backdoor profiled host machines.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Lateral Movement<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1570\">T1570<\/a><\/td>\n<td width=\"151\">Lateral Tool Transfer<\/td>\n<td width=\"265\">SPECTRALVIPER orchestration uses a named pipe.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1021\">T1021<\/a><\/td>\n<td width=\"151\">Remote Services<\/td>\n<td width=\"265\">The SPECTRALVIPER orchestrator can distribute commands to other instances.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1071\/001\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">SPECTRALVIPER and the downloader both use HTTPS.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1573\">T1573<\/a><\/td>\n<td width=\"151\">Encrypted Channel<\/td>\n<td width=\"265\">All SPECTRALVIPER C&amp;C communications are encrypted.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1105\">T1105<\/a><\/td>\n<td 
width=\"151\">Ingress Tool Transfer<\/td>\n<td width=\"265\">A fake update downloaded and executed SPECTRALVIPER.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1041\">T1041<\/a><\/td>\n<td width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td width=\"265\">SPECTRALVIPER exfiltrates data over its C&amp;C channel.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=oceanlotus-external-espionage-domestic-targeting&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Our tracking of OceanLotus activities from 2024\u20132026 reveals a shift in operational focus. 
During this period, the Vietnam-aligned<\/p>\n","protected":false},"author":1,"featured_media":373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=372"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/372\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/373"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}