The standard narrative around APT32, commonly known as OceanLotus, positions the group as a Vietnamese state-affiliated actor conducting external espionage: targeting foreign governments, corporations, and journalists. The pattern is familiar across state-sponsored threat groups.
A new ESET research report changes that picture, at least in part. Between October 2025 and March 2026, OceanLotus ran a supply chain attack against FireAnt MetaKit, a popular platform used by Vietnamese retail stock investors. The goal was domestic intelligence collection inside Vietnam's financial sector.
How the attack worked
FireAnt MetaKit is stock investment software with a legitimate user base among Vietnamese retail investors. OceanLotus compromised the platform's distribution mechanism and used it to deliver the SPECTRALVIPER backdoor to a selectively targeted subset of users. The selectivity is significant: despite the broad reach a compromised software platform offers, the attacker chose specific victims rather than deploying the payload to everyone, which limits the number of infected hosts a defender can learn from and keeps the compromised channel quiet for longer.
The delivery mechanism was a DLL side-loading chain. A legitimate binary loaded a rogue DLL named DtlCrashCatch.dll, which then injected code into OneDrive.Sync.Service.exe, a process that looks routine on Windows hosts running OneDrive. The C2 domain was financemachinelearning[.]com, chosen to blend in with the finance- and analytics-themed traffic expected from users of a stock trading platform. Defenders reviewing outbound traffic from an investor's workstation would have little reason to single it out on name alone.
ESET also documented a parallel campaign targeting a Vietnamese infrastructure and transport construction company, running from mid-2024 through February 2026, a span of roughly 20 months. The two campaigns share TTPs and infrastructure but targeted distinct sectors.
What domestic pivot means for threat modeling
State intelligence services have always had domestic surveillance programs. What is notable here is the documented use of APT-grade tooling, specifically SPECTRALVIPER, a sophisticated backdoor previously associated with foreign espionage operations, in domestic financial surveillance.
This matters for threat modeling outside Vietnam. Supply chain attacks against financial software platforms can reach retail investors at scale. The attack surface is not the bank or the broker; it is the third-party trading and analysis software that sits between the investor and the market.
Organizations providing financial tooling should assess their software update pipelines, code signing practices, and distribution security against an adversary model that includes state-affiliated actors willing to compromise a popular product's update channel and then pick individual victims from its user base.
OceanLotus and the ZiChatBot PyPI campaign
Kaspersky documented a related campaign from the same period: three malicious Python wheel packages on PyPI, attributed to OceanLotus with medium confidence, delivering a backdoor called ZiChatBot that used Zulip's team chat API as its C2 channel. The packages were removed after Kaspersky's disclosure, with no confirmed infections.
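A static pre-install check for wheels of the kind described above, added here as an example; it is not Kaspersky's analysis and does not reproduce ZiChatBot. Two wheels are constructed in memory so the check runs offline: a benign one, and one shaped like a generic smuggled-startup-hook package (a root-level .pth file that imports a module referencing a Zulip Cloud URL). The .pth shape and the chat-host watchlist are assumptions about the general technique, not published indicators for these packages; the only fact taken from the article is that ZiChatBot's C2 ran over Zulip's API.

```python
"""Pre-install triage of a Python wheel (added example, constructed inputs)."""
import io
import re
import zipfile

# Assumption for this example: hosts of team-chat services that an analysis
# library has no reason to contact. Zulip Cloud organisations are hosted
# under zulipchat.com; the other entries are added for generality.
CHAT_API_HOSTS = ("zulipchat.com", "slack.com", "discord.com", "api.telegram.org")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'ta_helpers' and 'ta-helpers' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_wheel(data: bytes) -> list[str]:
    """Return human-readable flags for a wheel supplied as bytes."""
    flags = []
    dist_name = None
    top_level = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for n in zf.namelist():
            top = n.split("/", 1)[0]
            if n.endswith(".dist-info/METADATA"):
                meta = zf.read(n).decode("utf-8", "replace")
                m = re.search(r"^Name:\s*(.+)$", meta, re.M)
                dist_name = m.group(1).strip() if m else None
            if "/" in n:
                if not top.endswith((".dist-info", ".data")):
                    top_level.add(top)           # top-level package directory
            elif n.endswith(".py"):
                top_level.add(top[:-3])          # top-level single-file module
            elif n.endswith(".pth"):
                # site.py processes root-level .pth files at every interpreter
                # start and executes lines beginning with 'import', so this code
                # runs even if nothing ever imports the package.
                flags.append(f".pth file installed at site-packages root: {n}")
            if n.endswith((".py", ".pth")):
                text = zf.read(n).decode("utf-8", "replace")
                for host in CHAT_API_HOSTS:
                    if host in text:
                        flags.append(f"{n} references chat API host {host}")
    if dist_name and not any(normalize(t) == normalize(dist_name) for t in top_level):
        # Typosquats and dependency-confusion packages often ship a payload
        # module whose name has nothing to do with the distribution name.
        flags.append(f"no top-level module matches distribution name {dist_name}: {sorted(top_level)}")
    return flags


def build_wheel(files: dict[str, str]) -> bytes:
    """Constructed stand-in for a downloaded .whl (a wheel is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


METADATA = "Metadata-Version: 2.1\nName: ta-helpers\nVersion: 1.0\n"
INIT = "def rsi(prices, n=14):\n    return prices[-n:]\n"

# Constructed: a wheel that smuggles a startup hook beside a plausible library.
SUSPICIOUS_WHEEL = build_wheel({
    "ta_helpers-1.0.dist-info/METADATA": METADATA,
    "ta_helpers/__init__.py": INIT,
    "ta_helpers/_boot.py": "API = 'https://example.zulipchat.com/api/v1/messages'\n",
    "ta_helpers_boot.pth": "import ta_helpers._boot\n",
})

# Constructed: the same library without the hook.
BENIGN_WHEEL = build_wheel({
    "ta_helpers-1.0.dist-info/METADATA": METADATA,
    "ta_helpers/__init__.py": INIT,
})

if __name__ == "__main__":
    for label, whl in (("suspicious", SUSPICIOUS_WHEEL), ("benign", BENIGN_WHEEL)):
        print(label, audit_wheel(whl) or ["no findings"])
```

pip does not run setup.py when installing a wheel, so the reflex of reading setup.py finds nothing; a wheel gets code execution through root-level .pth files and through import-time code in the package body, which is why the check looks there. A hostname watchlist is only a tripwire: a real implant can fetch its C2 endpoint at runtime, so treat the .pth and name-mismatch findings as the stronger signals.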
The combination of a supply chain attack against desktop financial software and a PyPI campaign targeting Python developers suggests OceanLotus is broadening its supply chain repertoire.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization works in financial software supply chain security and wants to discuss threat modeling for this class of attack.