Ján Trenčanský
ESET Research#ESETresearch has discovered a supply-chain attack targeting stock investors in Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform. https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
ESET telemetry suggests that the attack started around October 2025 and ended in March 2026. In our investigation, only a small subset of exposed users received the final backdoor, SPECTRALVIPER, suggesting selective targeting.
Detailed analysis of the supply chain, the contour of OceanLotus’s victimology in recent years, and the architecture of its signature backdoor, SPECTRALVIPER, is available at:
https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/oceanlotus
ESET telemetry suggests that the attack started around October 2025 and ended in March 2026. In our investigation, only a small subset of exposed users received the final backdoor, SPECTRALVIPER, suggesting selective targeting.
Detailed analysis of the supply chain, the contour of OceanLotus’s victimology in recent years, and the architecture of its signature backdoor, SPECTRALVIPER, is available at:
https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/oceanlotus
