A sophisticated cyberespionage campaign dubbed "Operation Hanoi Thief" has surfaced, specifically targeting IT professionals and recruitment groups in Vietnam.
Discovered on November 3, 2025, this threat activity employs a multi-stage infection chain designed to harvest sensitive browser credentials and browsing history.
The attackers use a spear-phishing lure, distributing a ZIP archive named Le-Xuan-Son_CV.zip that masquerades as a legitimate job application from a software developer based in Hanoi.
The infection begins when a victim opens a shortcut file, CV.pdf.lnk, contained within the archive. This file triggers a sequence of events using "Living off the Land" binary (LOLBin) tactics.
Specifically, it abuses the Windows ftp.exe utility with the -s flag to execute a batch script hidden inside a pseudo-polyglot file named offsec-certified-professional.png.
This file doubles as a harmless image decoy and a malicious container, evading conventional detection by burying its payload behind legitimate image headers.
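The pseudo-polyglot trick described above relies on the fact that a PNG decoder stops at the IEND chunk, so anything appended after it is ignored by image viewers but still reachable by a tool that reads the file as text. The following Python scanner is an added example, not code from the article or from Seqrite: it walks the PNG chunk structure, measures how many bytes trail IEND, and flags trailing content that looks like an ftp script (the ftp client treats a leading "!" as a shell escape) or a base64 run that decodes to a PE header. The embedded sample image and trailer are constructed here for the demonstration and are not the campaign's actual file.

```python
import base64
import re
import struct
import zlib
from typing import Dict, Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as a stand-in for the decoy image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed trailer mimicking the shape of an appended ftp script plus a base64 blob.
# It is a placeholder for this example, not the real script from the campaign.
SAMPLE_TRAILER = (
    b"!echo constructed sample, not the real script\r\n"
    b"!cmd.exe /c echo constructed-sample\r\n"
    b"quit\r\n"
    + base64.b64encode(b"MZ" + b"\x00" * 94)
    + b"\r\n"
)


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(data):
            return None  # truncated or lying length field
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def find_trailing_payload(data: bytes) -> Dict[str, object]:
    """Report bytes after IEND and which suspicious indicators the trailer shows."""
    end = png_end_offset(data)
    if end is None:
        return {"valid_png": False, "trailing_bytes": 0, "indicators": []}
    trailer = data[end:]
    indicators = []
    # The Windows ftp client runs a line starting with "!" through the shell,
    # so an appended ftp script shows up as lines with that prefix.
    if re.search(rb"(?im)^\s*!", trailer):
        indicators.append("ftp_shell_escape")
    if re.search(rb"(?i)\b(certutil|rundll32|powershell|cmd\.exe)\b", trailer):
        indicators.append("lolbin_reference")
    # A long base64 run that decodes to an "MZ" header points at an embedded PE/DLL.
    for m in re.finditer(rb"[A-Za-z0-9+/]{64,}={0,2}", trailer):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue
        if decoded.startswith(b"MZ"):
            indicators.append("base64_pe")
            break
    return {"valid_png": True, "trailing_bytes": len(trailer), "indicators": indicators}


if __name__ == "__main__":
    print(find_trailing_payload(make_minimal_png()))
    print(find_trailing_payload(make_minimal_png() + SAMPLE_TRAILER))
```

Any non-zero trailing_bytes value on a file that arrived as an e-mail or archive attachment is worth a look even without the other indicators; the indicator list just prioritises triage. The same chunk walk can be applied to JPEG (stop at the EOI marker) if the lure format changes.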
Data Exfiltration (Source – Seqrite)
This command-line argument is a critical indicator of the attack's stealthy nature.
Seqrite security analysts assessed that this campaign is likely of Chinese origin, citing overlaps in tactics with earlier state-sponsored activity.
The primary objective appears to be intelligence gathering, focusing on the theft of login data and browsing habits from victims in the technology and HR sectors.
By exploiting the trust inherent in recruitment processes, the threat actors successfully bypass initial perimeter security layers.
Technical Analysis of the LOTUSHARVEST Payload
The core of this attack is the execution of the LOTUSHARVEST implant. Once the initial script runs, it abuses DeviceCredentialDeployment.exe to hide its command-line activity and renames system utilities such as certutil.exe to lala.exe to evade monitoring.
Within the infection chain, the script then extracts a base64-encoded blob from the polyglot file and decodes it into a malicious DLL named MsCtfMonitor.dll.
Infection Chain (Source – Seqrite)
This DLL is side-loaded using a legitimate ctfmon.exe binary copied to the C:\ProgramData directory.
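Each step of the chain above leaves a distinct trace in process-creation telemetry: ftp.exe reading its script from a file that is not a text file, DeviceCredentialDeployment.exe being launched at all, a binary whose PE OriginalFileName is CertUtil.exe running under another name, and ctfmon.exe executing from C:\ProgramData instead of the Windows directory. The Python below is an added example written for this article, not Seqrite's detection logic or the campaign's own code: it runs four such rules over a handful of constructed Sysmon-style (Event ID 1) records, including benign look-alikes that must not fire. Field names follow Sysmon's Image, CommandLine and OriginalFileName; the sample paths and arguments are placeholders, and the assumption that DeviceCredentialDeployment.exe is rarely run legitimately should be tuned per environment.

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records, not real telemetry from the campaign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\ftp.exe",
     "CommandLine": "ftp.exe -s:offsec-certified-professional.png",
     "OriginalFileName": "ftp.exe"},
    {"Image": "C:\\Windows\\System32\\DeviceCredentialDeployment.exe",
     "CommandLine": "DeviceCredentialDeployment.exe",
     "OriginalFileName": "DeviceCredentialDeployment.exe"},
    {"Image": "C:\\ProgramData\\lala.exe",
     "CommandLine": "lala.exe CONSTRUCTED_ARGS",
     "OriginalFileName": "CertUtil.exe"},
    {"Image": "C:\\ProgramData\\ctfmon.exe",
     "CommandLine": "ctfmon.exe",
     "OriginalFileName": "CTFMON.EXE"},
    # Benign look-alikes that must not produce a hit
    {"Image": "C:\\Windows\\System32\\ftp.exe",
     "CommandLine": "ftp.exe -s:C:\\Scripts\\nightly-upload.txt",
     "OriginalFileName": "ftp.exe"},
    {"Image": "C:\\Windows\\System32\\ctfmon.exe",
     "CommandLine": "ctfmon.exe",
     "OriginalFileName": "CTFMON.EXE"},
]

FTP_SCRIPT_ARG = re.compile(r'-s:"?([^"\s]+)', re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def evaluate_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that match one process-creation event."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    hits: List[str] = []

    # Rule 1: ftp.exe -s:<script> where the script file is not plain text (e.g. an image)
    if name == "ftp.exe":
        match = FTP_SCRIPT_ARG.search(cmdline)
        if match and ntpath.splitext(match.group(1))[1].lower() != ".txt":
            hits.append("ftp_script_from_non_text_file")

    # Rule 2: any execution of DeviceCredentialDeployment.exe (assumed rare in normal use)
    if name == "devicecredentialdeployment.exe":
        hits.append("devicecredentialdeployment_execution")

    # Rule 3: renamed certutil; the OriginalFileName in the PE version resource survives a rename
    if original == "certutil.exe" and name != "certutil.exe":
        hits.append("renamed_certutil")

    # Rule 4: ctfmon.exe running from outside the Windows directory (side-loading staging)
    if name == "ctfmon.exe" and not image.lower().startswith(WINDOWS_DIR):
        hits.append("ctfmon_outside_windows_dir")

    return hits


def scan_events(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event's index to its rule hits, leaving out events with none."""
    return {i: h for i, e in enumerate(events) if (h := evaluate_event(e))}


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

Rule 3 is the most durable of the four because it keys on a field the attacker cannot change by renaming the file on disk; rules 1 and 4 are cheap but should be paired with the parent process (an Explorer-launched .lnk leading to cmd.exe and then ftp.exe) to keep the false-positive rate low.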
LOTUSHARVEST functions as a robust information stealer, employing anti-analysis checks such as IsDebuggerPresent and IsProcessorFeaturePresent to crash if it detects analysis.
It targets Google Chrome and Microsoft Edge, querying their SQLite databases to extract the top 20 visited URLs and decrypting up to 5 saved credentials using CryptUnprotectData.
Finally, the stolen data is formatted as JSON and exfiltrated via an HTTPS POST request to the attacker-controlled server eol4hkm8mfoeevs.m.pipedream.net/service.