
OceanLotus APT Compromises FireAnt MetaKit in Supply-Chain Attack on Stock Investors

Source: Cyber Security News, archived Jun 11, 2026




By Tushar Subhra Dutta, Cyber Security News, June 11, 2026

A notorious hacking group has been caught targeting stock investors in Vietnam through a supply chain attack, hijacking a popular investment software platform to deliver a powerful backdoor. The operation, carried out by OceanLotus (also known as APT32), marks a notable shift in the group’s tactics as it turns focus increasingly toward domestic targets inside the country.

OceanLotus has been active since at least 2012 and is believed to be aligned with the interests of the Vietnamese government. The group has historically targeted organizations across China and Southeast Asia, but recent tracking data shows it is now placing growing emphasis on surveillance within Vietnam itself. The attack on FireAnt MetaKit represents a concerning new chapter in that ongoing shift.

Welivesecurity researchers said in a report shared with Cyber Security News (CSN) that they identified the campaign and noted that it ran from approximately October 2025 through March 2026. The group compromised the update server of FireAnt MetaKit, a widely used stock market data delivery tool, and replaced legitimate software updates with a malicious payload. This trojanized update ultimately deployed SPECTRALVIPER, OceanLotus’s signature backdoor.

Despite the broad reach a supply chain attack of this kind could have, only a small subset of users actually received SPECTRALVIPER.

Figure: FireAnt MetaKit update configurations (Source – Welivesecurity)

This selective delivery suggests the attackers were after specific individuals, likely tied to Vietnam’s ongoing anti-corruption investigations and financial market scrutiny. That level of precision shows the operational discipline that makes this threat group so dangerous.

The timing also carries important geopolitical weight. Vietnamese authorities had been conducting wide-ranging financial investigations after revelations that about 80 major companies misreported bond sales, causing a 5.5% drop in the country’s main stock index. Researchers believe OceanLotus may have been supporting those domestic investigative efforts, acting as a digital arm of the state’s surveillance apparatus.

OceanLotus APT Compromises FireAnt MetaKit

FireAnt is a Vietnam-based fintech company offering real-time market data, technical analysis tools, and AI-driven investment insights. MetaKit is a specialized software component within that ecosystem, designed to feed financial data directly into trading platforms like AmiBroker and MetaTrader.

Figure: Download request issued by the downloader (Source – Welivesecurity)

On October 2, 2025, researchers detected the first malicious payload originating from FireAnt MetaKit’s legitimate update URL at http://metakit.fireant[.]vn/Software/setup.exe. The update configuration file lacked any integrity validation mechanism, meaning there was nothing in place to verify whether the software being delivered was genuine. Due to this gap, Metakit.exe silently executed the malicious downloader as if it were a routine update. The downloader then profiled the host machine and sent that data to a staging server to request the next-stage payload.

Figure: IntelAudioService.exe file info (Source – Welivesecurity)

The attacker’s infrastructure evolved across the campaign. Command and control servers initially used the IP 139.162.11[.]152 before migrating to 142.91.98[.]77. SPECTRALVIPER was then delivered via DLL side-loading, using a file named DtlCrashCatch.dll alongside a renamed executable called IntelAudioService.exe, which injected the backdoor into the OneDrive.Sync.Service.exe process.

SPECTRALVIPER Backdoor: Architecture and Capabilities

SPECTRALVIPER operates as a fully featured backdoor that communicates with its command and control server over HTTPS. It sends an initial beacon to a hardcoded URL, embedding encrypted host information inside the HTTP Cookie header. In this campaign, the backdoor used the domain financemachinelearning[.]com, carefully crafted to blend into network traffic associated with stock market activity.

Figure: Execution chain of the FireAnt supply-chain attack (Source – Welivesecurity)

The malware supports lateral movement through an orchestration model, where one instance acts as a controller and distributes commands to other infected machines via named pipe channels. It can also inject additional binaries or shellcode received from the server into target processes. Notably, an operational security mistake left internal class names intact in one sample, giving researchers a rare window into the backdoor’s underlying architecture.

Organizations relying on third-party investment tools should verify the integrity of software updates they receive, especially when those applications lack HTTPS-based update protocols. FireAnt MetaKit’s update mechanism did not use TLS encryption, leaving it exposed to interception. Unsigned and unverified software updates should always be treated with the same caution as suspicious email attachments.

Indicators of Compromise (IoCs)

Type | Indicator | Description
URL | http://metakit.fireant[.]vn/Software/setup.exe | Legitimate FireAnt MetaKit update URL used to deliver malicious payload
URL | http://metakit.fireant[.]vn/Software/version.xml | FireAnt MetaKit update configuration file lacking integrity validation
URL | https://financemachinelearning[.]com/apparatus/wind/twig/statement.html | SPECTRALVIPER C&C beacon URL used in the stock investor campaign
IP Address | 139.162.11[.]152 | Initial C&C staging server (Akamai Connected Cloud)
IP Address | 142.91.98[.]77 | Migrated C&C staging server (LEASEWEB SINGAPORE PTE. LTD.)
IP Address | 139.180.128[.]42 | C&C IP associated with domain gatewayrvcenter[.]com (IRT-CHOOPALL-AP)
IP Address | 139.99.33[.]239 | C&C IP associated with coachcybersecurity[.]com (OVH Singapore PTE. LTD.)
IP Address | 166.88.77[.]186 | C&C IP associated with mxprodesign[.]com (Evyxt Enterprise)
IP Address | 103.119.47[.]104 | C&C IP associated with power-sync-services[.]com
IP Address | 38.60.245[.]37 | IP associated with leadingfilipinoteams[.]com (Kaopv Cloud HK Limited)
IP Address | 194.68.26[.]241 | IP associated with financemachinelearning[.]com (M247 Europe SRL)
Domain | financemachinelearning[.]com | SPECTRALVIPER C&C domain crafted to target stock investors
Domain | gatewayrvcenter[.]com | SPECTRALVIPER C&C domain used in infrastructure/transport company campaign
Domain | coachcybersecurity[.]com | SPECTRALVIPER C&C domain
Domain | mxprodesign[.]com | SPECTRALVIPER C&C domain
Domain | power-sync-services[.]com | SPECTRALVIPER C&C domain
Domain | leadingfilipinoteams[.]com | C&C domain observed in the campaign
File Name | setup.exe | Malicious downloader delivered via FireAnt MetaKit update mechanism
File Name | DtlCrashCatch.dll | SPECTRALVIPER configured as a loader via DLL side-loading
File Name | IntelAudioService.exe | Renamed copy of legitimate signed executable dtlupdate.exe used for side-loading
File Name | NotificationConfig.json | Associated configuration file (Win64/Agent.HRA)
File Name | system.config.xml | Associated configuration file (Win64/Agent.GFV)
File Name | SetupUi.dll | Associated file (Win32/Agent_AGen.FHH)
SHA-1 Hash | D511B77459673EC42163F19E300FF1D233B6C39F | setup.exe (Win32/Agent.AIBESP)
SHA-1 Hash | 59A8553A4F8130F576AB234E0B220BE4D4DA0E98 | setup.exe (Win32/TrojanDownloader.Agent.IKCSP)
SHA-1 Hash | 9CA1A5C7F79882DB913534C1E62B26BCDCB9F6DD | setup.exe (Win32/TrojanDownloader.Agent.IIZSP)
SHA-1 Hash | A8E2BBBFCB86500322D2367744FA12755AB0C165 | setup.exe (Win32/TrojanDownloader.Agent_AGen.JLSP)
SHA-1 Hash | F74F1FEB62B662CDA489FDB2453727824E55ACB9 | setup.exe (Win32/TrojanDownloader.Agent.IJNSP)
SHA-1 Hash | F8F8209987CA7F139DE6A62F9E6EE21BD2AE93A9 | setup.exe (Win32/TrojanDownloader.Agent.IJXSP)
SHA-1 Hash | 19A69F856EFA811C376F68E4FEB0997B4724F8BD | setup.exe (Win32/Agent.AIBESP)
SHA-1 Hash | 490194E9BB5128ECA8693AD9E610891C2ED185AF | setup.exe (Win32/Agent.AIBESP)
SHA-1 Hash | 51176139B0B2220B802C1578A4994DF68DF5BCD1 | setup.exe (Win32/Agent.AICBSP)
SHA-1 Hash | 91F042F59BE4BDCB6E5EA21B91DECD731C175B54 | setup.exe (Win32/Agent.AICBSP)
SHA-1 Hash | A177ED0BFFEB1EFE1D9D31D72A82EF2625AE646D | setup.exe (Win32/Agent.AIBESP)
SHA-1 Hash | B7B2D2DB544F9EEA74453CDF2B8BEEA58CF07C48 | setup.exe (Generic.CPN2WW8SP)
SHA-1 Hash | 4AD36AD6C165B5174967020CB1A3358F78D7A283 | setup.exe (Win32/Agent.AIBESP)
SHA-1 Hash | 57352B3CEEE32216E5AA20BAA848483D7AB5A6FB | setup.exe (Win32/Agent.AIBESP)
SHA-1 Hash | 9BC06DF9F932746A05EE728C8B103BD3BA6BF395 | setup.exe (Generic.ETQ997N SP)
SHA-1 Hash | 865A1739337D3303B3AB02C5E694C22B79C42B7D | system.config.xml (Win64/Agent.GFV)
SHA-1 Hash | 41CB8CD78B8DB76563E4F972ABE817CEEE9CF9B0 | DtlCrashCatch.dll (N/A)
SHA-1 Hash | 0037DBB0FEA981D02F6F76DE81EBAEFCB68B7D20 | NotificationConfig.json (Win64/Agent.HRA)
SHA-1 Hash | 5D6194BB48FEBB91A10D1462461A012FAFC0918B | DtlCrashCatch.dll (Win64/Agent.HRA)
SHA-1 Hash | B028E947150764A71DEEF498DE6F8C95ECCCB445 | SetupUi.dll (Win32/Agent_AGen.FHH)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Tushar Subhra Dutta is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
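The article's two central findings are that the update configuration file carried no integrity check and that the update URL was plain HTTP, so Metakit.exe ran whatever setup.exe the server handed it. The following added example (written for this page; it is not FireAnt's, ESET's or Cyber Security News' code) shows that weak pattern next to a hardened update client. The manifest element names (version, url, sha256, sig), the .invalid hostnames and the pinned key are all constructed for the example, and an HMAC over the manifest with a pinned key stands in for the asymmetric signature (for instance Ed25519) a real vendor would ship, so that the code runs with only the standard library.

```python
"""Update-manifest handling: the weak pattern beside a hardened one (added example)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed manifest modelled loosely on a version.xml-style update
# descriptor: a version and a download URL, nothing that authenticates either.
INSECURE_MANIFEST = """<update>
  <version>1.2.3</version>
  <url>http://updates.example.invalid/Software/setup.exe</url>
</update>"""

# Constructed pinned key. In a real client this would be the vendor's public
# key baked into the binary; HMAC is used here only so the example is self-contained.
PINNED_KEY = b"example-pinned-update-key"


def parse_manifest(xml_text):
    """Return the manifest's child elements as a {tag: text} dict."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def insecure_pick_update(xml_text):
    """Weak pattern: the URL named in the manifest is fetched and executed as-is.
    Anyone who controls the update server (or the unencrypted path to it)
    controls what runs on the client."""
    return parse_manifest(xml_text)["url"]


def manifest_tag(fields):
    """Authenticator over the fields that matter. Covering url and sha256 means an
    attacker cannot swap the payload and simply recompute the hash."""
    msg = "|".join([fields["version"], fields["url"], fields["sha256"]]).encode()
    return hmac.new(PINNED_KEY, msg, hashlib.sha256).hexdigest()


def build_signed_manifest(version, url, payload):
    """Vendor-side helper used only to construct manifests for the demo."""
    fields = {"version": version, "url": url,
              "sha256": hashlib.sha256(payload).hexdigest()}
    fields["sig"] = manifest_tag(fields)
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return f"<update>{body}</update>"


def verify_update(xml_text, payload):
    """Hardened pattern. Returns (accepted, reason); reject on the first failure."""
    try:
        fields = parse_manifest(xml_text)
    except ET.ParseError:
        return False, "manifest unparsable"
    for key in ("version", "url", "sha256", "sig"):
        if key not in fields:
            return False, f"manifest missing {key}"
    # 1. Refuse cleartext transport: the article notes the real update URL was http://.
    if urlparse(fields["url"]).scheme != "https":
        return False, "update URL is not https"
    # 2. Authenticate the manifest before trusting anything it says.
    expected = manifest_tag(fields).encode()
    if not hmac.compare_digest(fields["sig"].encode(), expected):
        return False, "manifest authenticator invalid"
    # 3. Bind the downloaded bytes to the authenticated manifest.
    digest = hashlib.sha256(payload).hexdigest().encode()
    if not hmac.compare_digest(digest, fields["sha256"].encode()):
        return False, "payload hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    payload = b"constructed installer bytes"
    good = build_signed_manifest("1.2.3", "https://updates.example.invalid/setup.exe", payload)
    print("weak client would run:", insecure_pick_update(INSECURE_MANIFEST))
    print("hardened, genuine:", verify_update(good, payload))
    print("hardened, swapped payload:", verify_update(good, b"something else"))
    print("hardened, no integrity data:", verify_update(INSECURE_MANIFEST, payload))
```

The order of checks matters: transport and manifest authenticity are decided before the payload hash is consulted, so a manifest an attacker has edited is rejected as unauthenticated rather than being partially trusted.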
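The IoC table above is published defanged, and the note asks that indicators be re-fanged only inside a controlled platform. The following added example (not part of the article or of any vendor tool) shows one way to consume such a table on the defender side: it re-fangs a subset of the listed URLs, IPs and domains only in memory, matches them against proxy log lines, and reports hits using the still-defanged indicator text. The log format (timestamp, client, destination IP, method, URL) and every log line are constructed for the example; the indicators themselves are copied from the table.

```python
"""Match defanged IoCs from the article against constructed proxy log lines (added example)."""
from urllib.parse import urlparse

# Subset of the article's IoC table, kept defanged exactly as published.
DEFANGED_IOCS = [
    ("URL", "http://metakit.fireant[.]vn/Software/setup.exe"),
    ("URL", "https://financemachinelearning[.]com/apparatus/wind/twig/statement.html"),
    ("IP Address", "139.162.11[.]152"),
    ("IP Address", "142.91.98[.]77"),
    ("IP Address", "194.68.26[.]241"),
    ("Domain", "financemachinelearning[.]com"),
    ("Domain", "gatewayrvcenter[.]com"),
]

# Constructed sample log: "<timestamp> <client> <dst_ip> <method> <url>" per line.
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for benign hosts.
SAMPLE_LOG = """\
2025-10-02T08:15:01Z 10.0.0.21 203.0.113.5 GET http://metakit.fireant.vn/Software/version.xml
2025-10-02T08:15:03Z 10.0.0.21 203.0.113.5 GET http://metakit.fireant.vn/Software/setup.exe
2025-10-02T08:16:40Z 10.0.0.21 139.162.11.152 POST http://139.162.11.152/
2025-10-02T09:02:11Z 10.0.0.21 194.68.26.241 GET https://financemachinelearning.com/apparatus/wind/twig/statement.html
2025-10-02T09:05:00Z 10.0.0.33 198.51.100.7 GET https://www.example.com/
"""


def refang(indicator):
    """Undo the [.] defanging. Called only inside the matcher; output stays defanged."""
    return indicator.replace("[.]", ".")


def build_index(iocs):
    """Map each re-fanged indicator (lower-cased) back to its published defanged form."""
    index = {"URL": {}, "IP Address": {}, "Domain": {}}
    for ioc_type, defanged in iocs:
        index[ioc_type][refang(defanged).lower()] = defanged
    return index


def host_matches_domain(host, domains):
    """Exact match or subdomain of a listed domain; returns the defanged form or None."""
    for domain, defanged in domains.items():
        if host == domain or host.endswith("." + domain):
            return defanged
    return None


def scan_log(log_text, iocs=DEFANGED_IOCS):
    """Return sorted (line_no, ioc_type, defanged_indicator) tuples for every hit."""
    index = build_index(iocs)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        dst_ip, url = fields[2], fields[4]
        host = (urlparse(url).hostname or "").lower()
        found = set()
        # Full-URL match (case-folded; the vendor's own host is only listed as a URL,
        # so matching on its hostname alone would flag all legitimate traffic).
        if url.lower() in index["URL"]:
            found.add(("URL", index["URL"][url.lower()]))
        domain_hit = host_matches_domain(host, index["Domain"])
        if domain_hit:
            found.add(("Domain", domain_hit))
        # Destination IP from the proxy, plus the URL host in case it is an IP literal.
        for candidate in (dst_ip, host):
            if candidate in index["IP Address"]:
                found.add(("IP Address", index["IP Address"][candidate]))
        hits.extend((line_no, t, ind) for t, ind in sorted(found))
    return hits


if __name__ == "__main__":
    for line_no, ioc_type, indicator in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ioc_type} matched {indicator}")
```

The version.xml request on the first line is deliberately not flagged: fetching the vendor's update configuration is normal client behaviour, whereas the setup.exe URL, the staging IP and the beacon domain are what the article ties to the malicious chain.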