A sophisticated cyberespionage campaign dubbed “Operation Hanoi Thief” has surfaced, specifically targeting IT professionals and recruitment teams in Vietnam.
Discovered on November 3, 2025, this threat activity employs a complex multi-stage infection chain designed to harvest sensitive browser credentials and history.
The attackers leverage a malicious spear-phishing strategy, distributing a ZIP archive named Le-Xuan-Son_CV.zip, which masquerades as a legitimate job application from a software developer based in Hanoi.
The infection starts when the victim opens a shortcut file, CV.pdf.lnk, contained in the archive. The shortcut's command line relies on "Living off the Land" binaries (LOLBins) already present on Windows rather than dropping a dedicated loader.
Specifically, it abuses the Windows ftp.exe utility with the -s flag, which makes ftp.exe read its commands from a file, to execute a batch script hidden inside a pseudo-polyglot file named offsec-certified-professional.png. ftp.exe skips lines it cannot parse as ftp commands, but a line beginning with ! is handed to the command shell, so the attacker's commands can sit among bytes that still look like an image.
The file therefore serves both as a harmless image lure and as a malicious container, slipping past detection that keys on the file extension or on the image header alone.
An ftp.exe -s: invocation whose script argument is a .png file has no plausible legitimate use and is the single most useful command-line indicator of this stage.
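To make the ftp.exe -s trick concrete, here is an added triage script (it is not code from the article, from Seqrite, or from the campaign) that emulates how ftp.exe consumes a script file line by line and pulls any base64-encoded PE image out of a suspected polyglot. The sample file, the ! commands inside it and the certutil invocation are constructed from the article's description; the real lure's byte layout is not published there, and the 0x1A byte in a genuine PNG signature may end text-mode reads in ftp.exe, so confirm behaviour on a real sample in a sandbox rather than relying on this emulation.

```python
import base64
import re

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed stand-in for a decoded payload: only the MZ/PE magic matters for this demo.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40

# Constructed pseudo-polyglot. The two '!' lines are a HYPOTHETICAL reconstruction of the
# kind of shell commands ftp.exe would run; the article does not reproduce the real script.
SAMPLE_POLYGLOT = (
    PNG_SIG
    + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\xde\xad\xbe\xef"   # binary junk: ignored by ftp.exe
    + b"\r\n"
    + b"!copy %SystemRoot%\\System32\\certutil.exe %ProgramData%\\lala.exe\r\n"
    + b"!%ProgramData%\\lala.exe -decode offsec-certified-professional.png %ProgramData%\\MsCtfMonitor.dll\r\n"
    + b"quit\r\n"                                   # ftp.exe stops here; the blob below is never parsed as commands
    + b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(FAKE_DLL) + b"\r\n"
    + b"-----END CERTIFICATE-----\r\n"
)


def is_png(data: bytes) -> bool:
    """True if the file starts with the PNG signature (what a naive extension/magic check sees)."""
    return data.startswith(PNG_SIG)


def ftp_script_lines(data: bytes) -> list[str]:
    """Approximate ftp.exe -s parsing: '!cmd' lines go to the shell, 'quit'/'bye' ends the script,
    everything else is treated as an (invalid) ftp command and ignored."""
    shell_commands = []
    for raw in data.split(b"\n"):
        line = raw.decode("latin-1").rstrip("\r").strip()
        if line.startswith("!"):
            shell_commands.append(line[1:].strip())
        elif line.lower() in ("quit", "bye"):
            break
    return shell_commands


B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_pe_blobs(data: bytes) -> list[tuple[int, bytes]]:
    """Find long base64 runs that decode to something starting with an MZ header."""
    found = []
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (ValueError, base64.binascii.Error):
            continue
        if decoded.startswith(b"MZ"):
            found.append((m.start(), decoded))
    return found


def triage(data: bytes) -> dict:
    """One-shot summary an analyst can run over a suspicious 'image' from a phishing archive."""
    cmds = ftp_script_lines(data)
    blobs = extract_pe_blobs(data)
    return {
        "looks_like_png": is_png(data),
        "shell_commands": cmds,
        "embedded_pe_count": len(blobs),
        "verdict": "polyglot: ftp script + embedded PE" if cmds and blobs else "no ftp/PE polyglot markers",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_POLYGLOT)
    print(report["verdict"])
    for c in report["shell_commands"]:
        print("  shell:", c)
```

Run it against any file from a suspicious archive: a "PNG" that yields shell commands from ftp_script_lines, or an embedded MZ blob, should go straight to the sandbox queue regardless of what its extension claims.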
Seqrite security analysts assess that this campaign is likely of Chinese origin, citing overlaps in tactics with previous state-sponsored activity.
The primary objective appears to be intelligence gathering, focusing on the theft of login data and browsing habits from victims in the technology and HR sectors.
By exploiting the trust inherent in recruitment processes, the threat actors successfully bypass initial perimeter security layers.
Technical Analysis of the LOTUSHARVEST Payload
The core of this attack is the LOTUSHARVEST implant. Once the initial script runs, it abuses DeviceCredentialDeployment.exe, a signed Windows binary that hides the calling console window, to keep its command-line activity off screen, and it copies certutil.exe under the name lala.exe so that monitoring keyed on the certutil.exe process name misses it.
The script then extracts a base64-encoded blob from the polyglot file and decodes it into a malicious DLL named MsCtfMonitor.dll.
This DLL is side-loaded by a legitimate ctfmon.exe binary copied to the C:\ProgramData directory: ctfmon.exe loads MsCtfMonitor.dll by name, and Windows searches the application's own directory before System32 for a DLL that is not on the KnownDLLs list, so the copy in C:\ProgramData wins and the implant runs under a trusted process name.
LOTUSHARVEST is an information stealer with anti-analysis checks: it calls IsDebuggerPresent and IsProcessorFeaturePresent and deliberately crashes when it believes it is being analyzed.
It targets Google Chrome and Microsoft Edge, querying their SQLite profile databases for the top 20 most visited URLs and decrypting up to five saved credentials with CryptUnprotectData. One caveat for anyone scoping exposure: on current Chromium releases CryptUnprotectData only unwraps the DPAPI-protected AES key held in the profile's Local State file, and the stored password values are AES-GCM ciphertexts under that key; the article does not say how the implant handles that second step.
Finally, the stolen data is serialized as JSON and exfiltrated in an HTTPS POST to the attacker-controlled endpoint eol4hkm8mfoeevs.m.pipedream.net/service. Pipedream is a legitimate hosted-workflow service, so the traffic blends in with ordinary SaaS HTTPS; the hostname, not the destination network, is the actionable indicator.
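The chain described above leaves several process-level signals that do not depend on the specific file hashes. The following added example (not code from the article or from Seqrite) runs simple detection rules over constructed Sysmon-style ProcessCreate, ImageLoad and DNS events: ftp.exe -s: pointing at a non-text script, DeviceCredentialDeployment.exe execution, a process whose OriginalFileName is CertUtil.exe but that runs under another name, ctfmon.exe started from outside System32, MsCtfMonitor.dll loaded from outside System32, and DNS lookups of the pipedream.net endpoint named in the report. The event records and their command lines are constructed for the demo; the certutil arguments shown are assumed, not taken from the sample.

```python
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Extensions that at least look like an ftp script; anything else with -s: is high-fidelity.
TEXT_SCRIPT_EXTS = {".txt", ".ftp", ".scr"}
WATCHED_ORIGINAL_NAMES = {"certutil.exe", "ftp.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
IOC_HOSTS = {"eol4hkm8mfoeevs.m.pipedream.net"}   # from the report


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def ftp_script_abuse(ev):
    if ev.get("EventID") != 1 or base(ev.get("Image", "")) != "ftp.exe":
        return None
    m = re.search(r"-s:(\S+)", ev.get("CommandLine", ""), re.I)
    if not m:
        return None
    ext = ntpath.splitext(m.group(1))[1].lower()
    sev = "high" if ext not in TEXT_SCRIPT_EXTS else "medium"
    return f"{sev}: ftp.exe -s: script with extension '{ext}'"


def console_window_hidden(ev):
    if ev.get("EventID") == 1 and base(ev.get("Image", "")) == "devicecredentialdeployment.exe":
        return "high: DeviceCredentialDeployment.exe used to hide a console window"
    return None


def renamed_lolbin(ev):
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    if orig in WATCHED_ORIGINAL_NAMES and orig != base(ev.get("Image", "")):
        return f"high: {orig} running as {base(ev['Image'])}"
    return None


def ctfmon_outside_system(ev):
    if ev.get("EventID") == 1 and base(ev.get("Image", "")) == "ctfmon.exe" and not in_system_dir(ev["Image"]):
        return f"high: ctfmon.exe started from {ntpath.dirname(ev['Image'])}"
    return None


def msctfmonitor_sideload(ev):
    if ev.get("EventID") != 7 or base(ev.get("Image", "")) != "ctfmon.exe":
        return None
    loaded = ev.get("ImageLoaded", "")
    if base(loaded) == "msctfmonitor.dll" and not in_system_dir(loaded):
        return f"high: MsCtfMonitor.dll side-loaded from {loaded}"
    return None


def c2_dns(ev):
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower()
    if name in IOC_HOSTS:
        return f"high: known LOTUSHARVEST endpoint {name}"
    if name.endswith(".pipedream.net") and base(ev.get("Image", "")) not in BROWSERS:
        return f"medium: webhook host {name} resolved by non-browser {base(ev['Image'])}"
    return None


RULES = [ftp_script_abuse, console_window_hidden, renamed_lolbin,
         ctfmon_outside_system, msctfmonitor_sideload, c2_dns]


def detect(events):
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"index": i, "rule": rule.__name__, "detail": detail})
    return alerts


# Constructed Sysmon-like events (EventID 1 = ProcessCreate, 7 = ImageLoad, 22 = DNSQuery).
# Command lines are hypothetical reconstructions, not the real sample's.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ftp.exe", "OriginalFileName": "ftp.exe",
     "CommandLine": "ftp -s:C:\\Users\\hr\\Downloads\\Le-Xuan-Son_CV\\offsec-certified-professional.png"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\DeviceCredentialDeployment.exe",
     "OriginalFileName": "DeviceCredentialDeployment.exe", "CommandLine": "DeviceCredentialDeployment.exe"},
    {"EventID": 1, "Image": "C:\\ProgramData\\lala.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "lala.exe -decode offsec-certified-professional.png C:\\ProgramData\\MsCtfMonitor.dll"},
    {"EventID": 1, "Image": "C:\\ProgramData\\ctfmon.exe", "OriginalFileName": "CTFMON.EXE",
     "CommandLine": "C:\\ProgramData\\ctfmon.exe"},
    {"EventID": 7, "Image": "C:\\ProgramData\\ctfmon.exe", "ImageLoaded": "C:\\ProgramData\\MsCtfMonitor.dll"},
    {"EventID": 22, "Image": "C:\\ProgramData\\ctfmon.exe", "QueryName": "eol4hkm8mfoeevs.m.pipedream.net"},
    # Benign noise: the real ctfmon and its real DLL, and a browser visiting a pipedream-hosted page.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ctfmon.exe", "OriginalFileName": "CTFMON.EXE",
     "CommandLine": "ctfmon.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\ctfmon.exe", "ImageLoaded": "C:\\Windows\\System32\\MsCtfMonitor.dll"},
    {"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "example.pipedream.net"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a['index']}: {a['rule']}: {a['detail']}")
```

The renamed-binary rule is the one worth porting to your EDR first: it needs the OriginalFileName field (Sysmon EventID 1 provides it) and catches the lala.exe trick without knowing the new name in advance. The pipedream.net rule is deliberately scoped to non-browser processes; the exact hostname from the report is a strict match, everything else on that domain is only a medium-confidence lead.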
