Operation Hanoi Thief: Vietnam APT

Nov. 28, 2025, 7:03 p.m.

Description

A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVEST through DLL sideloading. This implant functions as an information stealer, harvesting browser credentials and history before exfiltrating data to attacker-controlled servers. The campaign employs anti-analysis techniques and abuses trusted Windows tools. While similarities with previous Chinese-origin campaigns exist, attribution to a state sponsor remains inconclusive. The operation primarily affects the Information Technology and Recruitment sectors in Vietnam.

Date

  • Created: Nov. 28, 2025, 2:06 p.m.
  • Published: Nov. 28, 2025, 2:06 p.m.
  • Modified: Nov. 28, 2025, 7:03 p.m.

Indicators

Attack Patterns

Additional Information

  • Information Technology