A sophisticated cyberespionage campaign named “Operation Hanoi Thief” has emerged, specifically targeting IT professionals and recruitment teams in Vietnam. Discovered on November 3, 2025, this threat activity employs a complex multi-stage infection chain designed to harvest sensitive browser credentials and history. The campaign’s primary objective is intelligence gathering, focusing on the theft of login data and browsing habits from victims in the technology and human resources sectors.
The attackers utilize a malicious spear-phishing strategy, distributing a ZIP archive named Le-Xuan-Son_CV.zip, which masquerades as a legitimate job application from a software developer based in Hanoi. The infection chain initiates when a victim interacts with a shortcut file, CV.pdf.lnk, contained within the archive. This file triggers a sequence of events utilizing “Living off the Land” (LOLBin) tactics, a common technique in modern cyberattacks.
Technical Analysis of Operation Hanoi Thief’s Pseudo-Polyglot Payload
The core of this attack leverages a pseudo-polyglot file named offsec-certified-professional.png. This file dual-functions as a harmless image lure and a malicious container, effectively evading traditional detection mechanisms by burying its payload within legitimate image headers. The attackers abuse the Windows ftp.exe utility with the -s flag to execute a batch script hidden within this cleverly disguised file. This specific command line argument is a critical indicator of the attack’s stealthy nature.
According to Seqrite security analysts, this campaign is likely of Chinese origin, citing overlaps in tactics with previous state-sponsored activities. By exploiting the trust inherent in recruitment processes, the threat actors successfully bypass initial perimeter security layers and gain access to sensitive information within organizations.
Once the initial script runs, it abuses DeviceCredentialDeployment.exe to conceal its command-line activities. Furthermore, the attackers rename system utilities like certutil.exe to lala.exe to bypass monitoring defenses. This multi-layered approach highlights the sophistication of Operation Hanoi Thief.
In the infection chain, the script then extracts a base64-encoded blob from the polyglot file. This blob is decoded into a malicious DLL named MsCtfMonitor.dll. This DLL is then side-loaded using a legitimate ctfmon.exe binary that has been copied to the C:\ProgramData directory, a common tactic to blend in with normal system operations.
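The LOLBin indicators described above (ftp.exe -s pointing at an image file, a renamed certutil.exe, DeviceCredentialDeployment.exe, and ctfmon.exe started from C:\ProgramData) translate directly into process-creation detections. The following is an added example written for this article, not code from Seqrite or the report; it assumes Sysmon-style events carrying an OriginalFileName field, and every path and command line in it is constructed for illustration.

```python
"""Detection rules for the LOLBin chain described in the Operation Hanoi Thief
write-up, run over constructed process-creation records (not real telemetry)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the started process
    cmdline: str    # its command line
    orig_name: str  # OriginalFileName from the PE version resource (assumed Sysmon-style field)


# Constructed events modelled on the chain in the article; paths and arguments are invented.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\ftp.exe",
              r'ftp.exe -s:"C:\Users\hr\Downloads\offsec-certified-professional.png"', "ftp.exe"),
    ProcEvent(r"C:\Windows\System32\DeviceCredentialDeployment.exe",
              "DeviceCredentialDeployment.exe", "DeviceCredentialDeployment.exe"),
    ProcEvent(r"C:\ProgramData\lala.exe", "lala.exe -decode blob.txt MsCtfMonitor.dll", "CertUtil.exe"),
    ProcEvent(r"C:\ProgramData\ctfmon.exe", "ctfmon.exe", "CTFMON.EXE"),
    ProcEvent(r"C:\Windows\System32\ftp.exe", "ftp.exe -s:C:\\scripts\\upload.txt", "ftp.exe"),  # benign
    ProcEvent(r"C:\Windows\System32\ctfmon.exe", "ctfmon.exe", "CTFMON.EXE"),                    # benign
]


def check_event(ev):
    """Return the names of every rule that fires for a single event."""
    hits = []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    # ftp.exe -s:<file> where the script file is not a plain .txt (the PNG lure in the article)
    m = re.search(r'-s:"?([^"\s]+)', cmd)
    if img.endswith("\\ftp.exe") and m and not m.group(1).endswith(".txt"):
        hits.append("ftp_script_non_txt")
    # On-disk name differs from the PE's original file name (certutil.exe renamed to lala.exe)
    if ev.orig_name.lower() != img.rsplit("\\", 1)[-1]:
        hits.append("renamed_system_binary")
    # ctfmon.exe launched from anywhere but System32 (side-loading host copied to ProgramData)
    if img.endswith("\\ctfmon.exe") and not img.startswith("c:\\windows\\system32\\"):
        hits.append("ctfmon_outside_system32")
    # DeviceCredentialDeployment.exe is rarely run interactively; flag it for review
    if img.endswith("\\devicecredentialdeployment.exe"):
        hits.append("devicecredentialdeployment_exec")
    return hits


def scan(events):
    """Return (image, rules) pairs for every event that triggered at least one rule."""
    return [(ev.image, hits) for ev in events if (hits := check_event(ev))]
```

The two benign events show the intended false-positive boundary: an ftp.exe script ending in .txt and ctfmon.exe running from its normal System32 location produce no alert.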
The loaded DLL, identified as the LOTUSHARVEST implant, functions as a robust information stealer. It employs anti-analysis checks, such as IsDebuggerPresent and IsProcessorFeaturePresent, designed to cause the implant to crash if it detects analysis tools, further hindering investigation efforts.
LOTUSHARVEST specifically targets popular web browsers, including Google Chrome and Microsoft Edge. It queries SQLite databases used by these browsers to extract valuable information. Specifically, it retrieves the top 20 most frequently visited URLs. Additionally, it attempts to decrypt up to five saved user credentials using the Windows Cryptographic API function CryptUnprotectData.
Finally, the stolen data is formatted into a JSON structure before being exfiltrated. The data is sent via an HTTPS POST request to a command-and-control server located at eol4hkm8mfoeevs.m.pipedream.net/service. This final step completes the data theft phase of the Operation Hanoi Thief campaign.
Organizations, particularly those in the technology and HR sectors in Vietnam, should remain vigilant against sophisticated spear-phishing attempts. Awareness of these advanced tactics, including the use of pseudo-polyglot files and LOLBin utilities, is crucial for enhancing defensive postures. Further analysis of the threat actor’s infrastructure and the evolution of their techniques will be necessary to develop long-term mitigation strategies. The attribution to Chinese state-sponsored activity suggests potential implications for broader geopolitical cybersecurity concerns.