OceanLotus Compromised FireAnt MetaKit to Target Stock Investors With SPECTRALVIPER
OceanLotus used a software supply-chain attack against FireAnt MetaKit to target stock investors in Vietnam with the SPECTRALVIPER backdoor. The campaign ran from around October 2025 to March 2026 and abused a trusted update mechanism used by investment software users.
The campaign was detailed by ESET Research, which said OceanLotus compromised the FireAnt MetaKit update server and replaced legitimate updates with a malicious downloader. The attacker did not infect every exposed user. Only a small subset ultimately received SPECTRALVIPER, which suggests selective targeting.
OceanLotus, also known as APT32, has long been associated with espionage activity in Southeast Asia. The new findings point to a stronger focus on domestic Vietnamese targets, including stock investors and a separate infrastructure and transport construction company.
FireAnt MetaKit Became a Trusted Delivery Channel
FireAnt is a Vietnam-based financial technology platform used by investors for market data, analysis, and trading support. FireAnt MetaKit is a data delivery tool that feeds real-time and historical market data into technical analysis platforms such as AmiBroker, MetaStock, and MetaTrader.
That made the update channel valuable to attackers. Investors who already trusted the software could receive what looked like a routine update, while the malicious payload arrived from a legitimate FireAnt update URL.
ESET detected the first malicious payload from the FireAnt MetaKit update server on October 2, 2025. The domain resolved to FireAnt’s genuine update infrastructure, which supports the supply-chain compromise assessment.
| Campaign detail | Information |
|---|---|
| Threat actor | OceanLotus, also known as APT32 |
| Target group | Stock investors in Vietnam |
| Compromised software | FireAnt MetaKit |
| Campaign window | Approximately October 2025 to March 2026 |
| Malware delivered | SPECTRALVIPER backdoor |
| Delivery method | Trojanized software update |
The Update Process Lacked Key Integrity Checks
The attack succeeded because FireAnt MetaKit trusted update data without strong enough validation. The update configuration file did not include an integrity validation mechanism, and the update process did not validate a digital signature before running the downloaded file.
ESET also noted that the update process used plain HTTP for both the version file and the update binary, which left the protocol open to interception. However, researchers said they did not observe OceanLotus using interception in this campaign. The stronger evidence points to compromise of the legitimate update server.
This maps to a classic software supply-chain compromise. MITRE ATT&CK describes compromise of a software supply chain as a technique where attackers manipulate trusted software or update channels to reach victims.
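The two checks the MetaKit updater lacked, shown in Go as an added example (not FireAnt's code; the signed manifest format is an assumption standing in for version.xml): a vendor key pinned in the client verifies the manifest signature, and the downloaded binary must match the hash that signed manifest pins before anything is executed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical signed stand-in for the unauthenticated version.xml.
type Manifest struct {
	Version string `json:"version"`
	File    string `json:"file"`
	SHA256  string `json:"sha256"` // lowercase hex digest of the genuine binary
}

// VerifyUpdate accepts an update only if the manifest carries a valid Ed25519
// signature from the vendor key pinned in the client AND the downloaded binary
// hashes to the value that signed manifest pins. Nothing runs before both pass.
func VerifyUpdate(vendorPub ed25519.PublicKey, manifestJSON, sig, binary []byte) (*Manifest, error) {
	if !ed25519.Verify(vendorPub, manifestJSON, sig) {
		return nil, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(binary)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, fmt.Errorf("binary hash mismatch: refusing update")
	}
	return &m, nil
}

// SignManifest is the vendor-side step, done offline with the private key.
func SignManifest(priv ed25519.PrivateKey, version, file string, binary []byte) (manifestJSON, sig []byte) {
	sum := sha256.Sum256(binary)
	manifestJSON, _ = json.Marshal(Manifest{Version: version, File: file, SHA256: hex.EncodeToString(sum[:])})
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed stand-in for the genuine setup.exe")
	manifest, sig := SignManifest(priv, "1.2.3", "setup.exe", genuine)
	_, okErr := VerifyUpdate(pub, manifest, sig, genuine)
	_, swapErr := VerifyUpdate(pub, manifest, sig, []byte("constructed trojanized setup.exe"))
	fmt.Println("genuine:", okErr, "| swapped setup.exe:", swapErr)
}
```

With these checks in place, an attacker who controls only the update server can swap setup.exe but cannot produce a manifest that both verifies under the pinned key and pins the trojan's hash.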
How the FireAnt MetaKit Attack Chain Worked
The malicious update delivered a file named setup.exe. Once MetaKit executed it as a normal update, the downloader collected basic host information and sent it to a staging server through an HTTP POST request.
Early samples used hardcoded URLs and older SPECTRALVIPER payloads. Later versions became more stable, more obfuscated, and used an API request to obtain the next-stage payload. The attacker also changed infrastructure during the campaign, moving staging activity from 139.162.11[.]152 to 142.91.98[.]77.
The final stage used DLL side-loading. The chain involved DtlCrashCatch.dll, configured as a SPECTRALVIPER loader, and IntelAudioService.exe, a renamed copy of the legitimate signed dtlupdate.exe executable.
- MetaKit checked its update configuration.
- The compromised update server served a malicious setup.exe.
- Metakit.exe ran the payload as if it were a legitimate update.
- The downloader profiled the host and contacted a staging server.
- The attacker delivered SPECTRALVIPER through a DLL side-loading chain.
- DtlCrashCatch.dll injected the backdoor into OneDrive.Sync.Service.exe.
SPECTRALVIPER Gives OceanLotus Remote Control
SPECTRALVIPER is a custom backdoor previously analyzed by Elastic Security Labs. Elastic described it as a heavily obfuscated x64 backdoor with PE loading, injection, file upload and download, file and directory manipulation, and token impersonation capabilities.

In the FireAnt campaign, the backdoor communicated with a hardcoded command-and-control URL hosted under financemachinelearning[.]com. That domain name fits the stock-investor theme and could blend into financial network traffic more easily than an obviously suspicious domain.
The malware embedded encrypted host data inside the HTTP Cookie header when beaconing to the command-and-control server. ESET also observed a new cookie prefix, zd_cs_pm=, in this campaign.
| SPECTRALVIPER feature | Why it matters |
|---|---|
| HTTPS command and control | Helps traffic blend into normal encrypted web activity |
| Encrypted host data in cookies | Moves profiling data through a common HTTP field |
| Process injection | Runs the backdoor inside another process |
| Loader capability | Can inject additional binaries or shellcode received from the server |
| Named pipe orchestration | Supports communication between infected machines |
OceanLotus Appears to Be Turning More Inward
The FireAnt MetaKit campaign is important because it shows OceanLotus targeting domestic Vietnamese users, not only foreign organizations or dissidents abroad. ESET’s reporting from 2024 to 2026 shows two domestic-focused operations involving SPECTRALVIPER.
The timing also matters. Vietnamese authorities have been conducting a major anti-corruption campaign, and ESET notes that Vietnam’s financial regulator revealed in late October 2025 that about 70 major companies had misreported bond sales over the previous decade.

Researchers believe the FireAnt operation was probably connected to investigative efforts against corruption and financial crime in Vietnam. That remains an assessment, not a public confirmation from Vietnamese authorities.
Only Some Exposed Users Received the Backdoor
A supply-chain compromise can affect thousands of users, but this campaign appears more selective. ESET says only a few stock investors were exposed through the supply chain, and only a small subset of those users ultimately received SPECTRALVIPER.
This targeting pattern suggests the attackers may have used host profiling to decide who should receive the final payload. The downloader collected system data before requesting the next stage, which would allow the operator to filter victims.
Selective delivery can make supply-chain attacks harder to detect. Many users may receive a normal update, while only targets matching the attacker’s criteria receive malware.
FireAnt MetaKit Users and Security Teams Should Review Systems
Anyone who used MetaKit during the campaign window should review systems for the reported indicators, especially if the software updated between October 2025 and March 2026.
Security teams should look for unusual update activity, setup.exe executions from the MetaKit path, staging server communication, DLL side-loading involving DtlCrashCatch.dll, and suspicious OneDrive.Sync.Service.exe behavior.
The activity also highlights why software vendors need signed updates, transport encryption, and update integrity checks. A trusted update channel can become a strong initial access path when those protections are missing.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| URL | http://metakit.fireant[.]vn/Software/setup.exe | Legitimate update URL used to deliver malicious downloader |
| URL | http://metakit.fireant[.]vn/Software/version.xml | Update configuration file lacking integrity validation |
| URL | https://financemachinelearning[.]com/apparatus/wind/twig/statement.html | SPECTRALVIPER beacon URL used in the stock investor campaign |
| IP address | 139.162.11[.]152 | Initial staging server |
| IP address | 142.91.98[.]77 | Later staging server |
| IP address | 194.68.26[.]241 | IP associated with financemachinelearning[.]com |
| Domain | financemachinelearning[.]com | SPECTRALVIPER command-and-control domain crafted for stock investor targeting |
| File name | setup.exe | Malicious downloader delivered through the MetaKit update mechanism |
| File name | DtlCrashCatch.dll | SPECTRALVIPER loader used in DLL side-loading |
| File name | IntelAudioService.exe | Renamed signed executable used for side-loading |
| File name | NotificationConfig.json | Associated SPECTRALVIPER configuration file |
| File name | system.config.xml | Associated SPECTRALVIPER backdoor file |
| SHA-1 | D511B77459673EC42163F19E300FF1D233B6C39F | setup.exe downloader sample |
| SHA-1 | 41CB8CD78B8DB76563E4F972ABE817CEEE9CF9B0 | DtlCrashCatch.dll sample |
| SHA-1 | 865A1739337D3303B3AB02C5E694C22B79C42B7D | system.config.xml sample |
Why the Attack Matters for Software Supply Chains
The FireAnt MetaKit compromise shows how attackers can turn niche but trusted software into a targeted delivery channel. Investment tools often sit on machines used for trading, finance, research, and private market analysis, which can make them valuable intelligence targets.
For software makers, the lesson is direct: update channels need TLS, signed packages, integrity validation, and monitoring for unexpected changes. MITRE also maps this kind of activity under software supply-chain compromise, which remains one of the most damaging initial access methods because victims trust the vendor path.
Defenders should also hunt for DLL side-loading and process injection, since SPECTRALVIPER uses those techniques to run inside trusted processes. Elastic’s earlier SPECTRALVIPER analysis gives useful background on the backdoor’s broader capabilities and its links to the OceanLotus ecosystem.
- Review FireAnt MetaKit update activity between October 2025 and March 2026.
- Search for setup.exe downloads from the MetaKit update path.
- Hunt for DtlCrashCatch.dll and IntelAudioService.exe side-loading behavior.
- Inspect OneDrive.Sync.Service.exe for suspicious injection or network activity.
- Block or monitor the listed C2 domains and IP addresses.
- Require signed software updates and verify package integrity.
- Use HTTPS for update configuration files and binaries.
- Monitor vendor update infrastructure for unexpected file changes.
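The hunting checklist above and the zd_cs_pm= cookie beaconing described earlier, as an added example that is not part of the ESET report: a Go sketch that runs the listed indicators and behaviours over constructed telemetry lines (the file paths and the 203.0.113.5 host are assumptions, not values from the report).

```go
package main

import (
	"fmt"
	"strings"
)

// Indicators from the ESET report as summarised above, with defanging brackets removed.
const c2Domain = "financemachinelearning.com"
var stagingIPs = map[string]bool{"139.162.11.152": true, "142.91.98.77": true, "194.68.26.241": true}
// Constructed telemetry in a "kind|key=value|..." shape (not real EDR output; the paths and
// the 203.0.113.5 host are assumptions). The last line models a rotated C2 host.
var sample = []string{
	`proc|parent=C:\FireAnt\MetaKit\Metakit.exe|image=C:\FireAnt\MetaKit\setup.exe`,
	`dll|image=C:\ProgramData\Intel\IntelAudioService.exe|module=C:\ProgramData\Intel\DtlCrashCatch.dll`,
	`net|image=C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe|host=financemachinelearning.com|cookie=zd_cs_pm=9f3ab2`,
	`net|image=C:\Program Files\Microsoft OneDrive\OneDrive.Sync.Service.exe|host=203.0.113.5|cookie=zd_cs_pm=77c1d0`,
}
// parse lower-cases a line and splits it into its kind and a key -> value map.
func parse(line string) (string, map[string]string) {
	parts := strings.Split(strings.ToLower(line), "|")
	kv := map[string]string{}
	for _, p := range parts[1:] {
		if k, v, ok := strings.Cut(p, "="); ok { // split at the first '=' only
			kv[k] = v
		}
	}
	return parts[0], kv
}
// Hunt returns one finding per line that matches a campaign behaviour listed above;
// the cookie rule is last so it also catches beacons to infrastructure not yet listed.
func Hunt(lines []string) []string {
	var out []string
	for _, l := range lines {
		kind, f := parse(l)
		img, host := f["image"], f["host"]
		switch {
		case kind == "proc" && strings.HasSuffix(img, `\setup.exe`) && strings.Contains(f["parent"], "metakit"):
			out = append(out, "setup.exe launched by MetaKit: "+img)
		case kind == "dll" && strings.HasSuffix(img, `\intelaudioservice.exe`) && strings.HasSuffix(f["module"], `\dtlcrashcatch.dll`):
			out = append(out, "DtlCrashCatch.dll side-loaded by "+img)
		case kind == "net" && (stagingIPs[host] || host == c2Domain || strings.HasSuffix(host, "."+c2Domain)):
			out = append(out, "OceanLotus infrastructure "+host+" contacted by "+img)
		case kind == "net" && strings.HasPrefix(f["cookie"], "zd_cs_pm="):
			out = append(out, "SPECTRALVIPER cookie prefix sent by "+img+" to "+host)
		}
	}
	return out
}
func main() { fmt.Println(strings.Join(Hunt(sample), "\n")) }
```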
The ESET report says no further malicious updates were observed through the compromised FireAnt channel after March 9, 2026. Even so, organizations should review historical telemetry because selective delivery means only some users may have received the backdoor.
FAQ
OceanLotus compromised the FireAnt MetaKit update server and used the trusted update mechanism to deliver a malicious downloader. The downloader profiled victims and could deliver the SPECTRALVIPER backdoor to selected stock investors in Vietnam.
OceanLotus, also known as APT32, is a Vietnam-aligned cyberespionage group active since at least 2012. It has historically targeted Southeast Asia and China, and recent activity suggests a growing focus on domestic Vietnamese targets.
SPECTRALVIPER is a custom backdoor linked to OceanLotus activity. It supports command-and-control communication, process injection, file operations, payload loading, and orchestration across compromised systems.
The update configuration lacked integrity validation, and the update process did not validate a digital signature before running the downloaded file. The protocol also used HTTP for update checks and downloads, which created additional interception risk.
Defenders should review FireAnt MetaKit update activity from October 2025 to March 2026, search for setup.exe downloads from the MetaKit update path, hunt for DtlCrashCatch.dll and IntelAudioService.exe side-loading, inspect OneDrive.Sync.Service.exe behavior, and monitor the listed C2 indicators.