Vietnam Under Siege: The Rise of Hanoi Thief

A new cyberespionage operation—dubbed Operation Hanoi Thief—has emerged as one of the most advanced and targeted threat activities seen in Southeast Asia in recent years. Uncovered on November 3, 2025, the campaign specifically targets IT professionals and recruitment teams in Vietnam, exploiting the trust built into hiring workflows to gain covert access to sensitive corporate data.

Security analysts from Seqrite have linked the campaign to likely Chinese-origin actors, citing overlaps in tooling, techniques, and operational behavior observed in previous state-sponsored operations.

Below is a full breakdown of how the attackers infiltrate systems, evade detection, and deploy their custom implant—LOTUSHARVEST.


1. The Initial Attack Vector: A Deceptive Job Application

The attack begins with an expertly crafted spear-phishing email, distributing a ZIP archive named:

Le-Xuan-Son_CV.zip

The file impersonates a software developer from Hanoi, creating trust and urgency—two of the most effective social engineering triggers used in modern cyberespionage.

Inside the archive, victims find a shortcut file disguised as a PDF:

CV.pdf.lnk

When opened, this file silently triggers the next stage of the infection chain.


2. Living off the Land: Abuse of Built-In Windows Tools

The attackers adopt a classic “Living off the Land” (LOLBins) strategy, leveraging legitimate tools in the Windows ecosystem to avoid detection.

The malicious LNK file calls:

ftp.exe -s:<script>

The -s flag instructs ftp.exe to execute commands from a hidden script—allowing the download and execution of the payload without raising alerts.

The script itself is embedded inside a pseudo-polyglot file named:

offsec-certified-professional.png

This file is especially dangerous because it:

  • Functions as a valid image lure
  • Contains hidden malicious content
  • Evades signature-based detection
  • Blends into normal recruitment attachments

By placing the script in a file that still carries valid PNG headers, the attackers bypass many traditional defenses that judge a file by its magic bytes alone.
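As a concrete check for the pseudo-polyglot described above, here is an added Python example (not code from the article or from the Seqrite report) that walks a PNG file chunk by chunk and reports any bytes that follow the IEND chunk. A well-formed image ends at IEND, so trailing line-oriented text or a long Base64 run is a useful triage signal for attachments. The 1x1 image and the appended text are constructed inline; the assumption that the script is appended after the image data, and the 90% printable / 40-character Base64 thresholds, are my own and not indicators taken from the campaign.

```python
"""Added example: chunk-level PNG check for appended (polyglot) content.
Not code from the article or the Seqrite report; sample data is constructed."""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed heuristic: 40+ base64 characters in a row is unusual after an image's IEND
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A structurally valid 1x1 8-bit greyscale PNG, constructed for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def constructed_polyglot() -> bytes:
    """Valid PNG followed by a text line and a base64 run (constructed, not real)."""
    blob = base64.b64encode(b"constructed placeholder bytes, not a real payload" * 3)
    return minimal_png() + b"first line of a constructed script\r\n" + blob + b"\r\n"


def png_trailing_data(blob: bytes):
    """Walk the chunk list; return the bytes after IEND (b'' if none),
    or None if the input is not a well-formed PNG."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            return None  # truncated chunk
        if ctype == b"IEND":
            return blob[end:]
        pos = end
    return None  # ran out of bytes before IEND


def scan_png(blob: bytes) -> dict:
    """Triage verdict: valid PNG?, how many bytes follow IEND, and why the tail looks odd."""
    tail = png_trailing_data(blob)
    result = {"valid_png": tail is not None,
              "trailing_bytes": len(tail) if tail else 0,
              "reasons": []}
    if tail:
        # share of bytes that are printable ASCII or whitespace (tab, LF, CR)
        text_like = sum(32 <= b < 127 or b in (9, 10, 13) for b in tail) / len(tail)
        if text_like > 0.9 and b"\n" in tail:
            result["reasons"].append("trailing data is line-oriented text (script-like)")
        if B64_RUN.search(tail):
            result["reasons"].append("trailing data contains a long base64 run")
    result["suspicious"] = bool(result["reasons"])
    return result


if __name__ == "__main__":
    for name, data in (("clean", minimal_png()), ("polyglot", constructed_polyglot())):
        print(name, scan_png(data))
```

Run this over inbound recruitment attachments with an image extension: any non-zero `trailing_bytes` deserves a second look even when neither heuristic fires, because a real photo or screenshot has no reason to carry data past IEND.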


3. Payload Deployment: LOTUSHARVEST

The heart of the attack lies in the deployment of a custom intelligence-gathering implant known as LOTUSHARVEST.

Once the polyglot file is processed, the script:

  • Extracts a Base64-encoded blob
  • Decodes it into a malicious DLL → MsCtfMonitor.dll
  • Side-loads it through a legitimate binary → ctfmon.exe, a trusted component copied to C:\ProgramData

This DLL sideloading technique allows the malware to masquerade as legitimate system activity.

For stealth, the script also misuses an internal Windows component:

DeviceCredentialDeployment.exe

This tool helps the attackers mask command-line arguments, making the execution chain significantly harder to trace.

Additionally, the threat actors rename system utilities such as certutil.exe to lala.exe to bypass rule-based monitoring systems.
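As an added example (not from the article or the Seqrite analysis), the following Python turns the chain in sections 2 and 3 into detection rules and runs them over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events: ftp.exe started with -s:, a process whose PE OriginalFileName says certutil.exe while it runs under another name, ctfmon.exe executing outside the Windows system directory, DeviceCredentialDeployment.exe anywhere in the process chain, and MsCtfMonitor.dll loaded from a non-system path. The events, paths and command lines are constructed; the rule that flags any child process of ftp.exe is general LOLBin coverage rather than a detail the report states.

```python
"""Added example: detection rules for the execution chain in the article,
run over constructed Sysmon-style events. Not code from the article or
the Seqrite report; field names follow Sysmon's Event ID 1 / 7 schema."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Utilities whose PE OriginalFileName is expected to match the on-disk file name
WATCHED_ORIGINALS = {"certutil.exe", "ftp.exe", "ctfmon.exe"}

# Constructed sample telemetry, not from a real incident
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe -s:C:\Users\hr\Downloads\offsec-certified-professional.png",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "ftp.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\lala.exe",
     "CommandLine": "lala.exe <constructed arguments>",
     "ParentImage": r"C:\Windows\System32\ftp.exe", "OriginalFileName": "CertUtil.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\ctfmon.exe",
     "CommandLine": "ctfmon.exe",
     "ParentImage": r"C:\Windows\System32\DeviceCredentialDeployment.exe",
     "OriginalFileName": "CTFMON.EXE"},
    {"EventID": 7, "Image": r"C:\ProgramData\ctfmon.exe",
     "ImageLoaded": r"C:\ProgramData\MsCtfMonitor.dll"},
    # benign controls: the real ctfmon.exe and an interactive ftp session
    {"EventID": 1, "Image": r"C:\Windows\System32\ctfmon.exe",
     "CommandLine": "ctfmon.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "CTFMON.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp files.example.internal",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "ftp.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev: dict) -> list:
    """Return the rule descriptions an event trips (empty list when benign)."""
    hits = []
    image = ev.get("Image", "")
    img = _base(image)
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "").lower()
        parent = _base(ev.get("ParentImage", ""))
        orig = ev.get("OriginalFileName", "").lower()
        if img == "ftp.exe" and "-s:" in cmd:
            hits.append("ftp.exe launched with -s: script file (LOLBin)")
        if parent == "ftp.exe":  # general LOLBin rule, not specific to this campaign
            hits.append("process spawned by ftp.exe")
        if orig in WATCHED_ORIGINALS and orig != img:
            hits.append(f"renamed utility: {orig} running as {img}")
        if img == "ctfmon.exe" and not _in_system_dir(image):
            hits.append("ctfmon.exe running outside the Windows system directory")
        if "devicecredentialdeployment.exe" in (img, parent):
            hits.append("DeviceCredentialDeployment.exe in the process chain")
    elif ev.get("EventID") == 7:
        loaded = ev.get("ImageLoaded", "")
        if _base(loaded) == "msctfmonitor.dll" and not _in_system_dir(loaded):
            hits.append("MsCtfMonitor.dll loaded from a non-system path (sideloading)")
    return hits


def scan(events) -> list:
    """(event index, rule) pairs for every rule tripped across the event stream."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The OriginalFileName comparison is the piece that survives the certutil.exe → lala.exe rename: the name in the PE version resource travels with the file, so a rule keyed on it keeps working where a rule keyed on the process name does not. Each of these checks maps directly onto a SIEM or Sysmon rule; the benign control events are there to show the rules stay quiet on the genuine ctfmon.exe and on an ordinary ftp session.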


4. Stealth and Anti-Analysis Techniques

LOTUSHARVEST incorporates multiple anti-analysis functions including:

  • IsDebuggerPresent
  • IsProcessorFeaturePresent

If the malware detects reverse engineering, sandboxing, or debugging environments, it crashes intentionally—a common strategy in modern state-sponsored implants.

These capabilities demonstrate not only advanced malware development but a clear focus on long-term persistence and intelligence theft.


5. Primary Objective: Data Theft and Reconnaissance

Once active, LOTUSHARVEST harvests:

  • Browser login credentials
  • Cookies
  • Saved passwords
  • Browsing history
  • Session tokens
  • Sensitive authentication artifacts

The targeting of IT specialists and HR recruitment teams is strategic:

  • IT teams have elevated access to authentication systems, infrastructure, and internal tools.
  • HR teams regularly receive CVs and document attachments—making spear-phishing nearly indistinguishable from real applications.

By compromising these roles, attackers bypass perimeter security and gain direct access to core enterprise environments.


6. Attribution Indicators

Seqrite analysts report strong signs pointing to a Chinese state-linked threat group, based on:

  • Overlaps in malware architecture
  • Recognizable command-and-control patterns
  • Use of known regional targeting priorities
  • Shared TTPs with previous espionage operations

While attribution remains ongoing, the technical sophistication suggests a highly resourced actor with deep expertise in OSINT-driven spear-phishing and credential harvesting operations.


Final Thoughts: A Warning for Global HR and IT Teams

Operation Hanoi Thief is a stark reminder that cyberespionage campaigns increasingly exploit human processes—not just technical vulnerabilities. By inserting malware into the natural flow of hiring and recruitment, attackers gain unparalleled access with minimal suspicion.

For defenders, this campaign underscores the need for:

  • Zero Trust validation
  • Enhanced email security
  • Behavioral detection over signature detection
  • Continuous monitoring of built-in Windows utilities
  • Training for HR teams on spear-phishing risks

As threat actors grow more creative, organizations must evolve beyond traditional defenses and prepare for attacks that look—and feel—completely legitimate.
