OceanLotus deployed SPECTRALVIPER via FireAnt updates — attacks on investors and a construction company

Colleagues, a cybersecurity note: ESET has reported on recent OceanLotus campaigns.
Brief
- FireAnt updates (Metakit) delivered SPECTRALVIPER: version.xml lacked integrity checks, allowing a malicious loader to run.
- Access to a Vietnamese construction company (Nov 2024–Feb 2026): DLL side‑loading and injections into OneDrive.Sync.Service.exe.
- Tactics: selective delivery, C2 channels, and a shift toward internal reconnaissance.
Why it matters: unsigned updates and DLL side‑loading bypass defenses and compromise critical systems.
Recommended actions: verify update signatures, enforce integrity checks, detect DLL side‑loading, and patch public MSSQL servers.
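As an added defensive illustration (not ESET's or FireAnt's code; the version.xml layout and the HMAC stand-in for a real public-key signature are assumptions), a minimal updater check that refuses to run anything the manifest lists unless the manifest itself is authenticated and every payload hash matches:

```python
# Added example: verifying an update manifest before running anything it lists.
# The version.xml layout and the HMAC-based signature below are assumptions for
# illustration, not FireAnt's real format; a production updater would use a
# public-key signature (e.g. Ed25519) over the manifest instead of an HMAC.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Pinned verification key shipped with the installer, never fetched from the update server.
PINNED_KEY = b"constructed-demo-key-do-not-use"

def sign_manifest(manifest_xml: bytes, key: bytes = PINNED_KEY) -> str:
    """Produce the manifest signature (publisher side)."""
    return hmac.new(key, manifest_xml, hashlib.sha256).hexdigest()

def verify_update(manifest_xml: bytes, signature: str, files: dict[str, bytes]) -> tuple[bool, str]:
    """Return (ok, reason). Only an update whose manifest is authentic AND whose
    every payload matches its pinned hash is accepted; anything else is rejected
    before any file is written to disk or loaded."""
    # 1. Authenticate the manifest itself; without this step whoever controls the
    #    update channel can simply rewrite the hashes to match a malicious loader.
    expected = sign_manifest(manifest_xml)
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature mismatch"
    root = ET.fromstring(manifest_xml)
    listed = {e.get("name"): e.get("sha256") for e in root.findall("file")}
    # 2. Check every payload against the hash the signed manifest commits to.
    for name, want in listed.items():
        data = files.get(name)
        if data is None:
            return False, f"missing payload {name}"
        if hashlib.sha256(data).hexdigest() != want:
            return False, f"hash mismatch for {name}"
    # 3. Refuse payloads the manifest does not list (e.g. an extra side-loadable DLL).
    extra = set(files) - set(listed)
    if extra:
        return False, f"unlisted payload(s): {sorted(extra)}"
    return True, "ok"

# Constructed sample: a legitimate payload and a tampered substitute.
GOOD_DLL = b"legit loader bytes"
MANIFEST = (
    b'<update version="1.2.3">'
    b'<file name="loader.dll" sha256="%s"/>'
    b"</update>" % hashlib.sha256(GOOD_DLL).hexdigest().encode()
)
SIGNATURE = sign_manifest(MANIFEST)

def demo() -> tuple[bool, bool]:
    ok_good, _ = verify_update(MANIFEST, SIGNATURE, {"loader.dll": GOOD_DLL})
    ok_bad, _ = verify_update(MANIFEST, SIGNATURE, {"loader.dll": b"malicious loader"})
    return ok_good, ok_bad
```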
Which mitigation should we prioritize?
#cybersecurity #supplychain #APT #detection
