What Happened
The Vietnam-aligned threat actor known as OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER. The campaigns involve a prolonged cyber espionage operation aimed at a Vietnamese infrastructure and transport construction corporation between mid-2024 and February 2026, as well as a supply chain attack
Why It Matters
According to ESET research reported by The Hacker News, the Vietnam‑aligned OceanLotus group conducted two espionage campaigns using the SPECTRALVIPER backdoor: a long‑running compromise of a Vietnamese infrastructure and transport construction firm (mid‑2024 to February 2026) and a supply‑chain attack on FireAnt Metakit, a widely used stock investment platform in Vietnam.[2][3] In the FireAnt case, OceanLotus compromised the vendor’s update server and abused an update configuration that lacked integrity and signature validation, allowing malicious binaries to be pushed as routine software updates to selected investors.[2] For AI and software ecosystems, these incidents illustrate how attackers can weaponize trusted update channels and third‑party components, making unsecured update mechanisms and weak SBOM/dependency governance a critical systemic risk. CyberSE.AI would advise organizations to implement rigorous code‑signing and update verification, maintain detailed SBOMs for AI and non‑AI components, and conduct regular AI security readiness reviews to detect and mitigate similar supply‑chain compromises before they impact AI‑enabled business processes.
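The control the FireAnt update channel lacked, shown as an added Go example (not code from the page, ESET, or the FireAnt vendor): the client refuses an update unless the artifact digest matches a manifest signed by a pinned vendor release key. `UpdateManifest`, `SignManifest`, `VerifyUpdate` and the sample payloads are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is what a hardened update server publishes next to each binary:
// the artifact's SHA-256 and a signature over (version, digest) made with the
// vendor's offline release key. Field names are assumptions for this example.
type UpdateManifest struct {
	Version   string
	SHA256Hex string
	Signature []byte
}

// manifestBytes is the exact byte string the vendor signs and the client verifies.
func manifestBytes(version, digestHex string) []byte {
	return []byte(version + "\n" + digestHex)
}

// SignManifest is the vendor-side release step (included so the example runs offline).
func SignManifest(priv ed25519.PrivateKey, version string, artifact []byte) UpdateManifest {
	sum := sha256.Sum256(artifact)
	h := hex.EncodeToString(sum[:])
	return UpdateManifest{Version: version, SHA256Hex: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

// VerifyUpdate returns nil only if the downloaded artifact matches the manifest digest
// AND the manifest is signed by the pinned public key. A binary swapped on a compromised
// update server fails the digest check; a manifest rewritten to match it fails the
// signature check, because the attacker does not hold the offline release key.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, artifact []byte) error {
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("artifact digest does not match manifest")
	}
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256Hex), m.Signature) {
		return errors.New("manifest signature invalid: refusing to install")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // pub would be pinned in the shipped client
	genuine := []byte("constructed sample: legitimate client build")
	fmt.Println("genuine:", VerifyUpdate(pub, SignManifest(priv, "2.3.1", genuine), genuine))
}
```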
CyberSE Analysis
This signal maps to the AI supply chain risk class. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/oceanlotus-hits-vietnam-investors-with.html