A sophisticated supply chain attack orchestrated by the Vietnamese state-aligned threat group OceanLotus (APT32) has targeted domestic stock investors by compromising the update mechanism of FireAnt MetaKit, a widely used investment data platform. The campaign, active from approximately October 2025 through March 2026, deployed the group’s signature SPECTRALVIPER backdoor to a carefully selected subset of users — a precision that points toward intelligence-gathering rather than mass compromise.
The Compromised Platform: FireAnt MetaKit
FireAnt is a Vietnam-based fintech company offering real-time stock market data, technical analysis tools, and AI-driven investment insights. MetaKit, a core component of its software ecosystem, feeds financial data directly into trading platforms like AmiBroker and MetaTrader. Its update URL, http://metakit.fireant[.]vn/Software/setup.exe, hosted on the vendor's own server and reachable over plain HTTP, became the entry point for the attack.
Critically, MetaKit's update configuration carried no integrity protection at all: updates were fetched over plain HTTP, and the client enforced neither a code signature nor a checksum on what it received. Because the tampered installer was served from the vendor's own update URL, transport encryption by itself would not have caught it; only a signature check against a key the client already trusts, one that never resides on the update server, would have rejected the payload. On October 2, 2025, ESET researchers first detected a malicious payload being distributed through this legitimate update URL.
Attack Chain and SPECTRALVIPER Deployment
When a victim’s installation of MetaKit checked for updates, it silently executed a malicious downloader disguised as a routine software update. This downloader profiled the host machine and transmitted the collected data to a staging server, which then decided whether to deliver the next-stage payload — the SPECTRALVIPER backdoor. The selective delivery mechanism suggests the attackers were screening targets, likely focusing on individuals connected to Vietnam’s ongoing financial market investigations.
SPECTRALVIPER was delivered using DLL side-loading: a renamed copy of a legitimate signed executable (IntelAudioService.exe, derived from dtlupdate.exe) loaded a malicious DLL named DtlCrashCatch.dll that was resolved from the executable's own search path. Because the host binary carries a valid signature, the load draws far less scrutiny than an unsigned executable would. The backdoor then injected itself into the OneDrive.Sync.Service.exe process to blend into normal system activity.
The attacker’s command-and-control infrastructure evolved during the campaign. Initial staging traffic was routed through IP 139.162.11[.]152, later migrating to 142.91.98[.]77. The SPECTRALVIPER C2 domain was financemachinelearning[.]com — deliberately crafted to appear related to stock market activity and evade network monitoring.
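The loader pattern in the two paragraphs above (a signed host executable, renamed from dtlupdate.exe, loading the unsigned DtlCrashCatch.dll from its own directory) is exactly what endpoint telemetry can catch. The following Go program is an added example, not code from the page or from ESET: it takes joined records built from the process-creation fields Sysmon logs in Event ID 1 and the image-load fields of Event ID 7 and applies two rules to them. The file paths, the trader's profile directory and the two benign comparison records are constructed for the example and are not campaign telemetry.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ImageLoad is one joined endpoint record: the process fields come from
// Sysmon Event ID 1 (process creation) and the DLL fields from Event ID 7
// (image loaded). Field names follow Sysmon's; the values in SampleEvents
// are constructed for this example, not taken from campaign telemetry.
type ImageLoad struct {
	Image            string // full path of the loading process
	ImageSigned      bool   // Authenticode status of that executable
	OriginalFileName string // name compiled into the executable's version resource
	ImageLoaded      string // full path of the DLL that was loaded
	LoadedSigned     bool   // Authenticode status of the DLL
}

// Finding names the record and every rule that fired on it.
type Finding struct {
	Image, ImageLoaded string
	Reasons            []string
}

// norm makes Windows paths comparable on any host: backslashes become
// slashes and case is folded, since NTFS paths are case-insensitive.
func norm(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
}

// base returns the file name from a Windows or POSIX path.
func base(p string) string {
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

// inWindowsTree excludes the system directories, where the volume of
// signed-process/unsigned-DLL loads is far too high to alert on.
func inWindowsTree(p string) bool {
	for _, d := range []string{"c:/windows/system32/", "c:/windows/syswow64/", "c:/windows/winsxs/"} {
		if strings.HasPrefix(norm(p), d) {
			return true
		}
	}
	return false
}

// DetectSideLoad applies two rules that together describe the loader on the
// page: a signed executable pulling an unsigned DLL from its own directory
// outside the Windows tree, and that executable running under a file name
// different from the one in its version resource (IntelAudioService.exe
// on disk versus dtlupdate.exe in the resource).
func DetectSideLoad(ev ImageLoad) (Finding, bool) {
	f := Finding{Image: ev.Image, ImageLoaded: ev.ImageLoaded}
	img, dll := norm(ev.Image), norm(ev.ImageLoaded)
	if ev.ImageSigned && !ev.LoadedSigned && path.Dir(img) == path.Dir(dll) && !inWindowsTree(dll) {
		f.Reasons = append(f.Reasons, "signed process loaded an unsigned DLL from its own directory")
	}
	if ev.OriginalFileName != "" && !strings.EqualFold(base(ev.Image), ev.OriginalFileName) {
		f.Reasons = append(f.Reasons, fmt.Sprintf("executable renamed: on disk %q, OriginalFileName %q",
			base(ev.Image), ev.OriginalFileName))
	}
	return f, len(f.Reasons) > 0
}

// SampleEvents are constructed records: the first is modelled on the chain
// the page describes, the other two are benign loads for contrast.
var SampleEvents = []ImageLoad{
	{Image: `C:\Users\trader\AppData\Local\IntelAudio\IntelAudioService.exe`, ImageSigned: true,
		OriginalFileName: "dtlupdate.exe",
		ImageLoaded:      `C:\Users\trader\AppData\Local\IntelAudio\DtlCrashCatch.dll`, LoadedSigned: false},
	{Image: `C:\Windows\System32\svchost.exe`, ImageSigned: true, OriginalFileName: "svchost.exe",
		ImageLoaded: `C:\Windows\System32\rpcss.dll`, LoadedSigned: false},
	{Image: `C:\Program Files\AmiBroker\Broker.exe`, ImageSigned: true, OriginalFileName: "Broker.exe",
		ImageLoaded: `C:\Program Files\AmiBroker\Plugins\DataPlugin.dll`, LoadedSigned: false},
}

// Scan returns a finding for every event that triggers at least one rule.
func Scan(events []ImageLoad) []Finding {
	var out []Finding
	for _, ev := range events {
		if f, hit := DetectSideLoad(ev); hit {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range Scan(SampleEvents) {
		fmt.Printf("%s -> %s\n", f.Image, f.ImageLoaded)
		for _, r := range f.Reasons {
			fmt.Println("  ", r)
		}
	}
}
```

Only the first record produces a finding, and both rules fire on it. The renamed-executable rule fires on its own for some legitimate software (installers and updaters are routinely renamed), so in production it should raise the priority of a finding rather than alert alone; the same-directory rule carries the weight, and the two together match the chain on this page.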
Capabilities of SPECTRALVIPER
Once installed, SPECTRALVIPER operates as a fully featured remote access backdoor communicating over HTTPS. It sends an initial encrypted beacon to a hardcoded URL, embedding host information within the HTTP Cookie header. The backdoor supports several advanced capabilities:
- Lateral movement via a named-pipe orchestration model, where one infected host acts as a controller for others
- In-memory injection of additional payloads or shellcode received from the C2 server
- Persistent, interactive access to the compromised host and, through it, to the internal network segments and sensitive data it can reach
An operational security mistake by the threat actor left internal class names intact in one sample, giving researchers a rare window into the backdoor’s code structure and confirming its attribution to the OceanLotus toolset.
Geopolitical Context
The timing of this campaign aligns closely with Vietnam’s domestic anti-corruption drive in the financial sector. Vietnamese authorities had been conducting wide-ranging investigations after revelations that approximately 80 major companies misreported bond sales, triggering a 5.5% drop in the country’s main stock index. Researchers at ESET believe OceanLotus may have been supporting these domestic surveillance efforts, acting as a digital extension of state investigative activities — a notable shift from the group’s historically outward-facing espionage operations against China and Southeast Asian neighbors.
Recommendations
Organizations relying on third-party financial software tools should take immediate steps to improve their update security posture:
- Serve updates over HTTPS with valid certificates; this stops on-path tampering but, as this campaign shows, does nothing against a payload planted on the vendor's own server
- Require code signing for every package received through an automated update channel, verify it against a key pinned in the client, and keep the signing key off the update server so that compromising the server does not yield a valid signature
- Monitor endpoints for DLL side-loading (a signed executable loading an unsigned DLL from its own directory, often under a renamed file name) and for process injection into trusted hosts such as OneDrive.Sync.Service.exe
- Block known IoCs including the C2 domains and IPs listed in ESET’s advisory
- Treat unsigned or unverified software updates with the same scrutiny applied to suspicious email attachments
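To make the first two recommendations concrete, the following Go program is an added example (not MetaKit's or ESET's code) of an update check that would have rejected the payload described on this page. It models the vendor signing an update manifest offline with an Ed25519 key, the client verifying that signature against a key pinned in the client binary before trusting the manifest's hash, and, for contrast, the weak hash-only check that corresponds to the missing integrity validation the page describes. The manifest layout, version strings, payload bytes and the attacker's key are constructed for the example; the update URL is the one from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update descriptor the client fetches. The layout is an
// assumption for this example; the page does not document MetaKit's format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

func hashHex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// SignManifest is the vendor's offline step: the private key never touches
// the update server, so a compromised server cannot mint a valid signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifest, sig []byte, err error) {
	if manifest, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyUpdate is the client's step, with pub pinned in the client binary:
// nothing from the server is trusted until the manifest signature checks out.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifest, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return m, errors.New("manifest sha256 field malformed")
	}
	if got := sha256.Sum256(payload); subtle.ConstantTimeCompare(got[:], want) != 1 {
		return m, errors.New("payload hash mismatch: refusing update")
	}
	return m, nil
}

// WeakVerify models the failure mode on the page: the client trusts whatever
// manifest the server sends, so an attacker on the server rewrites both.
func WeakVerify(manifest, payload []byte) error {
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return err
	}
	if hashHex(payload) != m.SHA256 {
		return errors.New("payload hash mismatch")
	}
	return nil
}

// Scenario replays the compromise: vendor signs a real update, then an attacker
// holding the update server swaps in their own installer and manifest.
func Scenario() (strongAccepts, weakAccepts bool, err error) {
	const updateURL = "http://metakit.fireant[.]vn/Software/setup.exe"
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return false, false, err
	}
	legit := []byte("MetaKit setup.exe contents (constructed for the example)")
	manifest, sig, err := SignManifest(vendorPriv, Manifest{Version: "2.4.1", URL: updateURL, SHA256: hashHex(legit)})
	if err != nil {
		return false, false, err
	}
	if _, err = VerifyUpdate(vendorPub, manifest, sig, legit); err != nil {
		return false, false, fmt.Errorf("legitimate update rejected: %w", err)
	}
	// No vendor private key on the server, so the attacker signs with a key of
	// their own; a fixed all-zero seed stands in for it here.
	evil := []byte("malicious downloader (constructed for the example)")
	attackerPriv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	evilManifest, evilSig, err := SignManifest(attackerPriv, Manifest{Version: "2.4.2", URL: updateURL, SHA256: hashHex(evil)})
	if err != nil {
		return false, false, err
	}
	_, strongErr := VerifyUpdate(vendorPub, evilManifest, evilSig, evil)
	return strongErr == nil, WeakVerify(evilManifest, evil) == nil, nil
}

func main() {
	strong, weak, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned-key client accepted tampered update: %v; hash-only client: %v\n", strong, weak) // false; true
}
```

The distinction the scenario draws is the one that matters for this campaign: the update server was the attacker's, so a hash published beside the file, or HTTPS on its own, only authenticates the attacker's own bytes. A signature made with a key the server never holds is what turns the compromised server back into a mere file host.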
This campaign serves as a stark reminder that supply chain attacks are not limited to large Western software vendors. Fintech and investment platforms, particularly in emerging markets, are increasingly attractive targets for state-sponsored actors seeking financial intelligence or surveillance capabilities.