ctipilot.ch

OceanLotus (APT32)

actor · actor:oceanlotus single-source

OceanLotus (APT32) — Vietnam-nexus APT; PyPI supply chain campaign

Coverage timeline
1
first 2026-05-07 → last 2026-06-12
Entries
1
1 distinct days
Sources cited
4
2 hosts
Sections touched
1
research
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-06-12ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat
    researchESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat

Where this entity is cited

  • research1

Source distribution

  • attack.mitre.org3 (75%)
  • welivesecurity.com1 (25%)

Entries about OceanLotus (APT32) (1)

2026-06-12 · view entry permalink →

ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat

notable research discovered 2026-06-12 05:00 UTC single-source

ESET documents two SPECTRALVIPER-delivered OceanLotus (APT32) intrusions running from mid-2024 into 2026: a long-dwell espionage compromise of a Vietnamese infrastructure/transport construction firm (likely via RCE on a public-facing Microsoft SQL Server, T1190) and — more transferable — a supply-chain attack on FireAnt MetaKit, a stock-investment platform, between October 2025 and March 2026 (ESET WeLiveSecurity, 2026-06-11). The platform's update mechanism fetched its version.xml over plain HTTP with no integrity validation; OceanLotus replaced the update binary with a downloader that fingerprinted hosts and delivered the SPECTRALVIPER backdoor via process injection and DLL side-loading (T1195.002, T1055) to only a small subset of victims — investigative targeting, not mass compromise. ESET's disclosure attempts to the vendor went unanswered. [SINGLE-SOURCE — ESET Research.] Defender takeaway: the pattern (unsigned updates, cleartext transport, no version-file integrity check) is endemic in regional/vertical software far beyond Vietnam — inventory third-party auto-updaters in your estate and flag any fetching over HTTP or lacking signature validation; egress-monitor the hosts that run them.

nation-state espionage supply-chain apac