OceanLotus Targets Vietnamese Investors via FireAnt MetaKit

The OceanLotus advanced persistent threat (APT) group, also known as APT32, has executed a supply chain attack targeting Vietnamese stock investors by compromising the FireAnt MetaKit software. This operation signifies a strategic shift towards domestic surveillance within Vietnam.

Active since at least 2012, OceanLotus has historically focused on entities across China and Southeast Asia. However, recent activities indicate an increased emphasis on internal monitoring. The attack on FireAnt MetaKit exemplifies this trend.

According to a report shared with Cyber Security News, researchers identified that between October 2025 and March 2026, OceanLotus infiltrated FireAnt MetaKit’s update server. They replaced legitimate software updates with a malicious payload, deploying their signature backdoor, SPECTRALVIPER. Notably, only a select group of users received this trojanized update, suggesting a targeted approach likely linked to Vietnam’s anti-corruption investigations and financial market scrutiny.

The timing aligns with Vietnamese authorities’ probes into financial misconduct, following revelations of significant misreporting by major companies, which led to a 5.5% decline in the country’s main stock index. Researchers believe OceanLotus’s actions may have supported these domestic investigative efforts.

FireAnt, a Vietnam-based fintech company, offers real-time market data and AI-driven investment insights. MetaKit, a component within this ecosystem, feeds financial data into trading platforms like AmiBroker and MetaTrader. On October 2, 2025, researchers detected the first malicious payload from FireAnt MetaKit’s update URL. The absence of integrity validation in the update configuration allowed the execution of the malicious downloader, which profiled host machines and communicated with a staging server.

This incident underscores the critical need for robust software supply chain security. Organizations must implement stringent integrity checks and monitoring mechanisms to detect unauthorized modifications, ensuring the safety of end-users and maintaining trust in financial software platforms.
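The integrity gap described above (an updater that runs whatever its update URL returns) and the checks the closing paragraph calls for, shown as an added example that is not code from the article, FireAnt or MetaKit. It is a Python update-verification routine under the assumption that the client carries a vendor-published manifest of SHA-256 digests obtained separately from the update server (in practice a manifest signed with the vendor's offline key; here it is constructed inline), and that the client knows its own installed version. The version strings and the "genuine" and "trojanized" update bytes are constructed sample data, not artifacts from the incident.

```python
import hashlib
import hmac


class UpdateRejected(Exception):
    """Raised when a downloaded update must not be installed or executed."""


# Constructed sample data: a genuine release and a substituted payload.
# The real incident involved a replaced update on the vendor's server; these
# bytes only stand in for "what the server handed back".
GENUINE_UPDATE = b"MetaKit-2.4.1 genuine update bytes (constructed sample)"
TROJANIZED_UPDATE = b"MetaKit-2.4.1 update bytes with an extra downloader (constructed)"

# Trust anchor the client ships with, obtained out-of-band from the update
# server (assumption: embedded in a signed client build or signed manifest).
# Keyed by version so an attacker cannot satisfy the check by serving an
# old-but-genuine binary under a newer version number.
TRUSTED_DIGESTS = {
    "2.4.1": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


def parse_version(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def verify_update(blob: bytes, claimed_version: str,
                  installed_version: str, trusted: dict) -> str:
    """Check a downloaded update against the pinned manifest.

    Returns the verified SHA-256 hex digest, or raises UpdateRejected.
    Nothing in this function executes or unpacks the blob.
    """
    # 1. The version must be one the trusted manifest knows about.
    if claimed_version not in trusted:
        raise UpdateRejected(f"version {claimed_version} not in trusted manifest")

    # 2. Anti-rollback: refuse anything not strictly newer than what is installed.
    if parse_version(claimed_version) <= parse_version(installed_version):
        raise UpdateRejected(
            f"rollback or replay: {claimed_version} is not newer than {installed_version}")

    # 3. Content integrity: digest of the bytes actually received must match.
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, trusted[claimed_version]):
        raise UpdateRejected(f"digest mismatch for {claimed_version}")

    return actual


def apply_update(blob: bytes, claimed_version: str,
                 installed_version: str, trusted: dict) -> str:
    """Install only after verification succeeds; never run first and check later."""
    try:
        digest = verify_update(blob, claimed_version, installed_version, trusted)
    except UpdateRejected as err:
        # A rejection is a security event worth logging and alerting on,
        # not just a failed update.
        return f"rejected: {err}"
    # Placeholder for the real install step; the point is that it is only
    # reachable with a verified digest in hand.
    return f"installed {claimed_version} ({digest[:12]}...)"


if __name__ == "__main__":
    print(apply_update(GENUINE_UPDATE, "2.4.1", "2.4.0", TRUSTED_DIGESTS))
    print(apply_update(TROJANIZED_UPDATE, "2.4.1", "2.4.0", TRUSTED_DIGESTS))
    print(apply_update(GENUINE_UPDATE, "2.4.1", "2.4.1", TRUSTED_DIGESTS))
    print(apply_update(GENUINE_UPDATE, "9.9.9", "2.4.0", TRUSTED_DIGESTS))
```

The ordering matters: the manifest lookup and rollback check run before the digest is computed, so an update server that has been taken over cannot pick which version the client compares against, and the digest comparison uses a constant-time compare. The weak point this design still depends on is the manifest itself; if it is fetched from the same server as the binaries, an attacker who can swap the binary can swap the manifest too, which is why the lead-in assumes it is signed or shipped with the client.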

Source: Cyber Security News