Malware: used by 1 actor

SPECTRALVIPER


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT32

OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER... SPECTRALVIPER also facilitates lateral movement and functions as a loader by injecting additional binaries or shellcode retrieved from the C2 server into target processes.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

The latest findings from ESET show that the FireAnt Metakit supply chain attack likely began around October 2, 2025, and lasted until March 2026. The attack is said to have leveraged the software's legitimate update URL to serve SPECTRALVIPER to a small subset of stock investors.

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 1)

Although the exact initial access pathway used by the threat actor is unclear, it's suspected to have involved the exploitation of remote code execution vulnerabilities in a public-facing Microsoft SQL server.

Privilege Escalation

1 technique
T1055 Process Injection (evidence: 1)

The payload is a DLL side-loading chain that employs a legitimate binary to launch a rogue DLL ("DtlCrashCatch.dll"), which then injects itself into the OneDrive.Sync.Service.exe process to trigger the execution of SPECTRALVIPER.

Stealth

1 technique
T1055 Process Injection (evidence: 1)

The payload is a DLL side-loading chain that employs a legitimate binary to launch a rogue DLL ("DtlCrashCatch.dll"), which then injects itself into the OneDrive.Sync.Service.exe process to trigger the execution of SPECTRALVIPER.

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload.

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

Once launched, the downloader performed basic host reconnaissance and transmitted the collected information via an HTTP POST request to a staging server, requesting the next-stage payload.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Type      Value                                         Latest sighting
domain    ●●●●●●●●●●●● (full value available in Mallory)    today
What this page doesn't show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.