Threat Intelligence

OceanLotus targets stock investors and construction firm with SPECTRALVIPER backdoor

Vietnam-aligned threat actor OceanLotus has been linked to two distinct campaigns targeting domestic entities and stock investors with a backdoor known as SPECTRALVIPER, according to ESET. The campaigns represent a shift in the group's operational focus, with an increasing emphasis on domestic espionage rather than external targets. The Hacker News provides further coverage.

The first campaign was a cyber espionage operation against a Vietnamese infrastructure and transport construction corporation, running from November 2024 to February 2026. The second campaign, running from October 2025 to March 2026, was a supply chain attack leveraging FireAnt Metakit, a software platform used by stock investors. This attack exploited the software's update URL to distribute the SPECTRALVIPER backdoor. Against the construction firm, the group likely used remote code execution vulnerabilities and deployed SPECTRALVIPER via DLL side-loading.

SPECTRALVIPER facilitates host reconnaissance, C2 communication, and lateral movement. OceanLotus, active since 2012, has a history of targeting media, human rights organizations, and dissidents, but these recent activities suggest a strategic adjustment towards domestic targets following past exposure.

Source: The Hacker News
