ctipilot.ch


ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat

notable research discovered 2026-06-12 05:00 UTC single-source

Entities: OceanLotus (APT32)

Part of run 2026-06-12-5ab9a319 (intel · Claude Fable 5)

ESET documents two SPECTRALVIPER-delivered OceanLotus (APT32) intrusions running from mid-2024 into 2026: a long-dwell espionage compromise of a Vietnamese infrastructure/transport construction firm (likely via RCE on a public-facing Microsoft SQL Server, T1190) and, more transferable, a supply-chain attack on FireAnt MetaKit, a stock-investment platform, between October 2025 and March 2026 (T1195.002; ESET WeLiveSecurity, 2026-06-11).

The platform's update mechanism fetched its version.xml over plain HTTP with no integrity validation of either the version file or the binary it named, so there was nothing for the attackers to bypass. OceanLotus replaced the update binary on the vendor's server with a downloader that fingerprinted each host and delivered the SPECTRALVIPER backdoor, via process injection (T1055) and DLL side-loading, to only a small subset of victims: selective targeting, not mass compromise. ESET's disclosure attempts to the vendor went unanswered. [SINGLE-SOURCE — ESET Research.]

Defender takeaway: the pattern (unsigned updates, cleartext transport, no version-file integrity check) is endemic in regional and vertical software far beyond Vietnam. Inventory the third-party auto-updaters in your estate and flag any that fetch over HTTP or that do not verify a signature before acting on what they fetched. Treat a code-signed installer as insufficient on its own when the version file that names it is fetched unsigned, since whoever controls that file chooses which binary the client asks for. Egress-monitor the hosts that run these updaters: an updater process contacting a destination it has never used before is the kind of signal a swapped update binary produces.
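The update flow the brief describes, beside the hardened form it implies, as an added example in Go. This is not ESET's or FireAnt MetaKit's code: the version.xml schema, the `.sig` naming for a detached signature, the updates.example.invalid host, the placeholder payload strings and the fixed all-zero signing seed are all assumptions for the demo. `Run("swap-binary")` and `Run("swap-manifest")` replay the two things an intruder on the update host can do, swap the binary or rewrite the manifest as well, and show which client notices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"net/url"
)

// Manifest models a minimal version.xml; the element names are an assumption.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	URL     string   `xml:"url"`
	SHA256  string   `xml:"sha256"`
}

type Fetcher func(u string) ([]byte, error) // stands in for the network so the example runs offline

// VulnerableUpdate mirrors the brief: fetch version.xml over whatever scheme the URL uses, trust
// it, fetch the binary it names and hand it back to run. Error handling is omitted on purpose;
// the defect that matters is that nothing here can notice a swapped manifest or binary.
func VulnerableUpdate(fetch Fetcher, manifestURL string) ([]byte, error) {
	var m Manifest
	raw, _ := fetch(manifestURL)
	_ = xml.Unmarshal(raw, &m)
	return fetch(m.URL)
}

// HardenedUpdate adds what the brief says was absent: HTTPS for the manifest, a detached Ed25519
// signature over version.xml checked against a key pinned in the client, and a SHA-256 of the
// binary pinned by that signed manifest. Owning the update host is then not enough; the attacker
// would also need the signing key, which never lives on that host.
func HardenedUpdate(fetch Fetcher, manifestURL string, pub ed25519.PublicKey) ([]byte, error) {
	if u, err := url.Parse(manifestURL); err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("refusing non-HTTPS manifest URL %q", manifestURL)
	}
	raw, err := fetch(manifestURL)
	if err != nil {
		return nil, err
	}
	sig, err := fetch(manifestURL + ".sig") // detached-signature naming is an assumption
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, raw, sig) { // verify before parsing: unauthenticated XML never reaches the parser
		return nil, fmt.Errorf("version.xml signature invalid: refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	bin, err := fetch(m.URL) // transport integrity of the binary is covered by the pinned hash below
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(bin); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, fmt.Errorf("update binary hash does not match signed manifest")
	}
	return bin, nil
}

// Constructed scenario, not from ESET's report: placeholder payloads, an example domain, example-only key.
const (
	manifestURL = "https://updates.example.invalid/version.xml"
	binaryURL   = "https://updates.example.invalid/update.exe"
	genuine     = "GENUINE-UPDATE-PE"
	trojan      = "DOWNLOADER-PE"
)

func manifestFor(payload string) []byte {
	sum := sha256.Sum256([]byte(payload))
	return []byte(fmt.Sprintf("<update><url>%s</url><sha256>%s</sha256></update>",
		binaryURL, hex.EncodeToString(sum[:])))
}

// Run serves an in-memory update host in state "clean", "swap-binary" or "swap-manifest" to both
// clients and returns what each would execute (nil where the hardened client refused).
func Run(state string) (vulnerable, hardened []byte, hardenedErr error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed for a repeatable demo only
	manifest := manifestFor(genuine)
	host := map[string][]byte{manifestURL: manifest, manifestURL + ".sig": ed25519.Sign(priv, manifest), binaryURL: []byte(genuine)}
	switch state {
	case "swap-binary": // intruder replaces update.exe and leaves version.xml alone
		host[binaryURL] = []byte(trojan)
	case "swap-manifest": // intruder rewrites version.xml too; without the key, the stale .sig stays
		host[manifestURL], host[binaryURL] = manifestFor(trojan), []byte(trojan)
	}
	fetch := func(u string) ([]byte, error) { return host[u], nil } // test double; unknown URL yields nil
	vulnerable, _ = VulnerableUpdate(fetch, manifestURL)
	hardened, hardenedErr = HardenedUpdate(fetch, manifestURL, priv.Public().(ed25519.PublicKey))
	return vulnerable, hardened, hardenedErr
}

func main() {
	for _, s := range []string{"clean", "swap-binary", "swap-manifest"} {
		v, h, err := Run(s)
		fmt.Printf("%-13s vulnerable runs %q; hardened runs %q (%v)\n", s, v, h, err)
	}
}
```

Two design points worth noting. The binary's transport is not what stops the swap: once the manifest is signed and carries the binary's hash, a tampered download fails the hash check whatever scheme fetched it, which is why the brief's "no version-file integrity check" is the decisive gap. And a signature alone does not stop an attacker on the host from re-serving an older, genuinely signed manifest and binary; a production client also needs a rollback check (the manifest's version must not go backwards) and ideally a signing timestamp or expiry, neither of which this example includes.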

nation-state espionage supply-chain apac