
SPECTRALVIPER DLL sideloading backdoor activity

Malware Activity
H score 31
1 unique source, 1 article

Summary


The SPECTRALVIPER backdoor was executed on affected Windows hosts through a DLL sideloading chain between October 2025 and March 2026, giving operators a way to run code, collect host data, and reach C2 infrastructure. The delivery path abused FireAnt Metakit's update flow and a rogue DLL, extending the malware's reach into a Vietnam-focused supply-chain operation. The activity matters because the backdoor supports reconnaissance, encrypted reporting, and follow-on loading for deeper compromise.

Related Happenings

OceanLotus SPECTRALVIPER campaigns targeting Vietnam

Campaign
H score 33 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

How related: The Vietnam-aligned threat actor known as OceanLotus has been attributed to two distinct campaigns that targeted domestic entities and stock investors with a backdoor known as SPECTRALVIPER.

About this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...

Remcos RAT runtime decryption and dynamic API loading analysis

Technical Analysis
H score 16 First: 19.02.2026 18:30 Last: 19.02.2026 18:30 Sources 1

About this happening: A newly observed **Remcos RAT** variant now uses **runtime decryption** and **dynamic Windows API loading** to reduce detection and frustrate static analysis on **Windows systems*...

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
H score 48 First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

MgBot backdoor delivery and injection via secondary loader

Malware Activity
H score 16 First: 26.12.2025 16:44 Last: 26.12.2025 16:44 Sources 1

About this happening: The **MgBot** backdoor was delivered through a **secondary loader** and injected into **svchost.exe**, giving operators a stealthy foothold on infected systems. The payload suppor...

NANOREMOTE Windows backdoor with Google Drive API C2

Malware Activity
H score 16 First: 11.12.2025 15:16 Last: 11.12.2025 15:16 Sources 1

About this happening: **NANOREMOTE** is a newly disclosed **Windows backdoor** that uses the **Google Drive API** for command-and-control, giving operators a difficult-to-detect channel for **data thef...

Timeline

  1. 11.06.2026 12:45 · 1 article · 8h ago

    Compromised FireAnt Metakit updates deliver SPECTRALVIPER

    Technical Analysis Update

    A compromised FireAnt Metakit update channel began delivering SPECTRALVIPER to a small subset of stock investors in Vietnam, using a legitimate binary to launch DtlCrashCatch.dll, inject into OneDrive.Sync.Service.exe, and contact staging and command-and-control infrastructure.

  2. 11.06.2026 12:45 · 2 articles · 8h ago

    Malicious FireAnt Metakit updates stop after March 9, 2026

    Detection Ioc Update

    ESET observed no further malicious updates through the compromised FireAnt Metakit channel after March 9, 2026, indicating the SPECTRALVIPER supply-chain operation may have ended.
