Operation Hanoi Thief: A Sophisticated Cyberespionage Campaign Targeting IT Professionals in Vietnam
A newly identified cyberespionage operation, dubbed Operation Hanoi Thief, has been actively targeting IT professionals and recruitment teams in Vietnam. Discovered on November 3, 2025, this campaign employs a complex, multi-stage infection chain designed to harvest sensitive browser credentials and browsing history.
Infection Vector:
The attackers initiate their scheme through a spear-phishing lure, distributing a ZIP archive named `Le-Xuan-Son_CV.zip`. This file masquerades as a job application from a software developer based in Hanoi. Within the archive is a shortcut file, `CV.pdf.lnk`, which, when opened, triggers a sequence of events built on living-off-the-land binary (LOLBin) tactics.
Execution Mechanism:
Upon activation, the shortcut file abuses the Windows `ftp.exe` utility with the `-s` flag to execute a batch script hidden within a pseudo-polyglot file named `offsec-certified-professional.png`. This file serves dual purposes: it appears as a harmless image while simultaneously acting as a malicious container. By embedding the payload within legitimate image headers, the attackers effectively evade traditional detection mechanisms.
Technical Analysis of the LOTUSHARVEST Payload:
The core of this attack is the execution of the `LOTUSHARVEST` implant. Once the initial script runs, it abuses `DeviceCredentialDeployment.exe` to hide the console window of its command-line session and renames system utilities such as `certutil.exe` to `lala.exe` to bypass name-based monitoring.
The script then extracts a base64-encoded blob from the polyglot file and decodes it into a malicious DLL named `MsCtfMonitor.dll`. This DLL is side-loaded by a legitimate `ctfmon.exe` binary that the script copies to the `C:\ProgramData` directory.
`LOTUSHARVEST` functions as a robust information stealer. It runs anti-analysis checks such as `IsDebuggerPresent` and `IsProcessorFeaturePresent` and deliberately crashes if it detects analysis. It targets Google Chrome and Microsoft Edge, querying their SQLite databases to extract the top 20 visited URLs and decrypting up to five saved credentials with `CryptUnprotectData`. Finally, the stolen data is formatted as JSON and exfiltrated via an HTTPS POST request to the attacker-controlled endpoint `eol4hkm8mfoeevs.m.pipedream.net/service`.
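The chain above leaves several host and network artifacts that endpoint telemetry can catch before exfiltration completes. The following is an added detection example, not code from the original write-up or from Seqrite: it runs over constructed Sysmon-style event records (not real logs) and flags each behaviour the report describes, namely `ftp.exe -s:` pointed at an image file, a binary whose PE `OriginalFileName` does not match its on-disk name (the renamed `certutil.exe`), `ctfmon.exe` running from outside the Windows system directories, `MsCtfMonitor.dll` loaded from outside those directories, and an outbound connection to a `pipedream.net` host. Field names follow Sysmon conventions (Event ID 1 process create, 7 image load, 3 network connect); the sample values are assumptions built to match the report.

```python
"""Detection logic for the Operation Hanoi Thief execution chain.

Added example, not the original write-up's code. Runs over constructed
Sysmon-style events and reports which rule fired on which event.
"""
import re

# Constructed sample telemetry modelled on the reported chain (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ftp.exe",
     "CommandLine": 'ftp.exe -s:"C:\\Users\\hr\\Downloads\\offsec-certified-professional.png"',
     "OriginalFileName": "ftp.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\ProgramData\\lala.exe",
     "CommandLine": "lala.exe -decode blob.txt MsCtfMonitor.dll",
     "OriginalFileName": "CertUtil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\ProgramData\\ctfmon.exe",
     "CommandLine": "C:\\ProgramData\\ctfmon.exe",
     "OriginalFileName": "CTFMON.EXE", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 7, "Image": "C:\\ProgramData\\ctfmon.exe",
     "ImageLoaded": "C:\\ProgramData\\MsCtfMonitor.dll"},
    {"EventID": 3, "Image": "C:\\ProgramData\\ctfmon.exe",
     "DestinationHostname": "eol4hkm8mfoeevs.m.pipedream.net", "DestinationPort": 443},
    # Benign control rows: the real ctfmon.exe and its DLL live in System32.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ctfmon.exe",
     "CommandLine": "ctfmon.exe", "OriginalFileName": "CTFMON.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\ctfmon.exe",
     "ImageLoaded": "C:\\Windows\\System32\\MsCtfMonitor.dll"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# ftp.exe -s:<file> runs commands from <file>; an image extension is the tell.
FTP_SCRIPT_IMAGE = re.compile(r'-s:"?[^"\s]+\.(png|jpg|jpeg|gif|bmp)\b', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(event):
    """Return the list of rule names that fire on a single event."""
    hits = []
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))
    if eid == 1:
        if image == "ftp.exe" and FTP_SCRIPT_IMAGE.search(event.get("CommandLine", "")):
            hits.append("ftp_script_from_image_file")
        # A renamed LOLBin keeps its PE OriginalFileName; compare it to the disk name.
        orig = event.get("OriginalFileName", "").lower()
        if orig and orig != image:
            hits.append(f"renamed_binary:{orig}")
        # ctfmon.exe belongs in System32; a copy elsewhere is side-loading staging.
        if image == "ctfmon.exe" and not _in_system_dir(event["Image"]):
            hits.append("ctfmon_outside_system32")
    elif eid == 7:
        loaded = event.get("ImageLoaded", "")
        if _basename(loaded) == "msctfmonitor.dll" and not _in_system_dir(loaded):
            hits.append("msctfmonitor_sideload")
    elif eid == 3:
        host = event.get("DestinationHostname", "").lower()
        if host.endswith(".pipedream.net"):
            hits.append("exfil_pipedream_net")
    return hits


def scan(events):
    """Run every rule over a batch of events; returns (event index, rule) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The `OriginalFileName` comparison is the most durable of these rules, because it fires on any renamed signed utility rather than on the specific `lala.exe` name; the `pipedream.net` rule should be treated as a campaign indicator, since a real alert should combine it with the process lineage (a `ctfmon.exe` outside System32 making the connection) rather than the domain alone.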
Attribution and Objectives:
Seqrite analysts assess that this campaign is likely of Chinese origin, citing overlaps in tactics with previous state-sponsored activity. The primary objective appears to be intelligence gathering, focused on the theft of login data and browsing habits from victims in the technology and HR sectors. By exploiting the trust inherent in recruitment processes, the threat actors bypass the initial perimeter security layers.
Mitigation Strategies:
To defend against such sophisticated attacks, organizations should implement the following measures:
1. Employee Training: Educate staff on recognizing phishing attempts and the dangers of interacting with unsolicited attachments.
2. Email Filtering: Deploy advanced email filtering solutions to detect and block malicious attachments and links.
3. Endpoint Protection: Utilize endpoint detection and response (EDR) solutions to identify and mitigate suspicious activities.
4. Regular Updates: Ensure all software and systems are up-to-date with the latest security patches.
5. Access Controls: Limit user privileges to the minimum necessary to reduce potential attack surfaces.
6. Network Monitoring: Implement continuous network monitoring to detect unusual data exfiltration activities.
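The email-filtering measure above is concrete for this campaign: the lure is a ZIP whose only payload is a Windows shortcut named to look like a PDF. The following is an added example, not code from the original write-up: it builds a constructed in-memory archive that mimics `Le-Xuan-Son_CV.zip` (the `CV.pdf.lnk` entry contains only a minimal Shell Link header plus filler, not a functional shortcut) and applies the checks a gateway rule would run on each entry: a risky extension, a double extension that masquerades as a document, and a content check on the Shell Link header so that renaming the file does not defeat the rule. The extension lists are assumptions chosen for the example.

```python
"""Attachment triage for ZIP lures of the CV.pdf.lnk kind.

Added example, not the original write-up's code. The archive built here is
constructed and the .lnk body is a header plus filler, not a real shortcut.
"""
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
RISKY_EXTS = {"lnk", "exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def build_sample_zip():
    """Constructed lookalike of the campaign archive (assumption, not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CV.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"placeholder")
    return buf.getvalue()


def triage_archive(data):
    """Return [(entry name, [reasons])] for every entry that trips a check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in RISKY_EXTS:
                reasons.append(f"executable extension .{ext}")
            # "CV.pdf.lnk": the visible "pdf" hides the real .lnk type.
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in RISKY_EXTS:
                reasons.append(f"double extension masquerading as .{parts[-2]}")
            # Content check: read only the header so the name cannot lie.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("Shell Link header detected")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_archive(build_sample_zip()):
        print(entry, "->", "; ".join(reasons))
```

Because Windows Explorer hides the `.lnk` extension even when "show extensions" is enabled, the header check matters more than the name checks: a gateway that quarantines any archive entry starting with the Shell Link header blocks this lure regardless of how the attachment is named.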
Conclusion:
Operation Hanoi Thief underscores the evolving sophistication of cyberespionage campaigns targeting specific professional sectors. By leveraging trusted processes and employing advanced evasion techniques, attackers can infiltrate organizations and exfiltrate sensitive data. Proactive security measures and continuous vigilance are essential to mitigate such threats.