ctipilot.ch

OceanLotus/APT32 SPECTRALVIPER via FireAnt MetaKit update-server supply-chain compromise

campaign · campaign:oceanlotus-apt32-fireant-supplychain-2026

Coverage timeline: 1 (first 2026-06-12 → last 2026-06-12)
Briefs: 1 (1 distinct)
Sources cited: 5 (3 hosts)
Sections touched: 1 (research)
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-06-12 — CTI Daily Brief — 2026-06-12
     research · First coverage [SINGLE-SOURCE ESET]. Unsigned HTTP update + no version.xml integrity; selective SPECTRALVIPER delivery.

Where this entity is cited

  • research (1)

Source distribution

  • attack.mitre.org — 3 (60%)
  • welivesecurity.com — 1 (20%)
  • securelist.com — 1 (20%)

Related entities

Items in briefs about OceanLotus/APT32 SPECTRALVIPER via FireAnt MetaKit update-server supply-chain compromise (1)

[SINGLE-SOURCE] ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

ESET documents two SPECTRALVIPER-delivered OceanLotus (APT32) intrusions running from mid-2024 into 2026: a long-dwell espionage compromise of a Vietnamese infrastructure/transport construction firm (likely via RCE on a public-facing Microsoft SQL Server, T1190) and — more transferable — a supply-chain attack on FireAnt MetaKit, a stock-investment platform, between October 2025 and March 2026 (ESET WeLiveSecurity, 2026-06-11). The platform's update mechanism fetched its version.xml over plain HTTP with no integrity validation; OceanLotus replaced the update binary with a downloader that fingerprinted hosts and delivered the SPECTRALVIPER backdoor via process injection and DLL side-loading (T1195.002, T1055) to only a small subset of victims — investigative targeting, not mass compromise. ESET's disclosure attempts to the vendor went unanswered. [SINGLE-SOURCE — ESET Research.] Defender takeaway: the pattern (unsigned updates, cleartext transport, no version-file integrity check) is endemic in regional/vertical software far beyond Vietnam — inventory third-party auto-updaters in your estate and flag any fetching over HTTP or lacking signature validation; egress-monitor the hosts that run them.
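The weakness the brief describes (a version.xml fetched in cleartext with nothing authenticating it, so the referenced binary can be swapped) and the takeaway (flag updaters that fetch over HTTP or lack signature validation) can both be turned into a check. The following is an added example written for this page, not code from ESET, FireAnt MetaKit or the brief; the manifest layout (`update`/`version`/`url`/`sha256`/`signature` elements), the host `updates.example.invalid`, the payload bytes and `DEMO_KEY` are all constructed. Because the Python standard library has no public-key signature scheme, an HMAC-SHA256 over the manifest fields stands in for the publisher's signature; a real updater would verify a public-key signature against a pinned publisher key instead.

```python
"""Audit an auto-updater manifest for the weaknesses described above, and show
the hardened acceptance check beside it. Constructed example; not vendor code."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed key standing in for the publisher's signing key. HMAC is used only
# so the flow runs offline with the standard library; production code would
# verify a public-key signature (e.g. Ed25519) against a pinned public key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed update payload and its digest.
PAYLOAD = b"constructed update binary bytes"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()


def signed_fields(version, url, sha256):
    """Canonical byte string the manifest signature covers."""
    return f"{version}|{url}|{sha256}".encode()


def sign_manifest(version, url, sha256, key=DEMO_KEY):
    return hmac.new(key, signed_fields(version, url, sha256), hashlib.sha256).hexdigest()


def build_manifest(version, url, sha256=None, signature=None):
    """Serialise a version.xml-style manifest; digest and signature are optional."""
    root = ET.Element("update")
    ET.SubElement(root, "version").text = version
    ET.SubElement(root, "url").text = url
    if sha256:
        ET.SubElement(root, "sha256").text = sha256
    if signature:
        ET.SubElement(root, "signature").text = signature
    return ET.tostring(root)


# Weak manifest modelled on the described pattern: cleartext URL, no digest, no signature.
WEAK_MANIFEST = build_manifest("4.2.1", "http://updates.example.invalid/setup.exe")

# Hardened manifest: HTTPS URL, pinned payload digest, signature over all three fields.
STRONG_URL = "https://updates.example.invalid/setup.exe"
STRONG_MANIFEST = build_manifest(
    "4.2.1", STRONG_URL, PAYLOAD_SHA256,
    sign_manifest("4.2.1", STRONG_URL, PAYLOAD_SHA256),
)


def audit_manifest(manifest_bytes):
    """Defender-side inventory check: return a list of findings (empty = none)."""
    root = ET.fromstring(manifest_bytes)
    findings = []
    url = root.findtext("url") or ""
    if urlparse(url).scheme != "https":
        findings.append(f"update URL is not https: {url}")
    if root.find("sha256") is None:
        findings.append("no payload digest pinned in manifest")
    if root.find("signature") is None:
        findings.append("manifest is unsigned: its contents cannot be authenticated")
    return findings


def verify_update(manifest_bytes, payload, key=DEMO_KEY):
    """Hardened acceptance: authenticate the manifest first, then the payload it names."""
    root = ET.fromstring(manifest_bytes)
    version = root.findtext("version") or ""
    url = root.findtext("url") or ""
    sha256 = root.findtext("sha256") or ""
    signature = root.findtext("signature") or ""
    if urlparse(url).scheme != "https":
        return False
    expected = sign_manifest(version, url, sha256, key)
    if not hmac.compare_digest(expected, signature):
        return False  # unsigned or tampered manifest: a swapped URL or digest fails here
    # Only a manifest that authenticated is allowed to vouch for the binary.
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), sha256)


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("strong", STRONG_MANIFEST)):
        print(name, audit_manifest(manifest) or "no findings")
    print("genuine payload accepted:", verify_update(STRONG_MANIFEST, PAYLOAD))
    print("swapped payload rejected:", not verify_update(STRONG_MANIFEST, b"replaced binary"))
    # An attacker who rewrites the digest to match the swapped binary still fails,
    # because the signature was computed over the original fields.
    tampered = STRONG_MANIFEST.replace(
        PAYLOAD_SHA256.encode(), hashlib.sha256(b"replaced binary").hexdigest().encode())
    print("tampered manifest rejected:", not verify_update(tampered, b"replaced binary"))
```

`audit_manifest` is the inventory-side check the brief recommends: run it over the manifests your estate's third-party updaters actually fetch and any finding is a candidate for egress monitoring or removal. `verify_update` shows the order of checks that closes the gap: transport scheme, then manifest authenticity, and only then the payload digest, so a manifest that was never authenticated cannot vouch for a binary.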