Cybersecurity experts have recorded a surge in activity linked to the Operation Hanoi Thief campaign, which targets both individual users and businesses in Vietnam. It is a highly targeted APT operation that uses the information-stealing malware LOTUSHARVEST to harvest login credentials and send them to the attackers' command-and-control (C2) servers.
1. Attack Techniques
The threat actors distribute malicious LNK (Windows Shortcut) files disguised as:
Once the shortcut is opened, a hidden PowerShell or VBS script runs, downloads the LOTUSHARVEST payload and deploys it. Variants of the malware have been written in Python, Go and .NET.
2. Data Harvesting Capabilities of LOTUSHARVEST
Sensitive data exfiltrated by LOTUSHARVEST (Illustration)
After infiltration, the malware silently collects various sensitive data, including:
• Passwords, cookies, and browser data
• Account information for social platforms, email, e-wallets, and financial services
• System data and running processes
• Application login tokens
All harvested data is sent to attacker-controlled command-and-control servers.
3. Indicators of Compromise (IOCs)
Domains
Suspicious File Path
C:\ProgramData\MsCtfMonitor.dll
Observed Lure Filenames
Suspicious Execution Commands
/c ftp.exe -s:"offsec-certified-professional.png"
Note: this is the argument string passed to cmd.exe. The -s: switch tells ftp.exe to read its commands from the named file, and any line in that file beginning with "!" is handed to the local command shell, so the .png extension is cosmetic; ftp.exe does not check the file name. A command line containing "ftp.exe -s:" pointing at a non-script extension is a strong hunting pivot.
SHA256 Hashes
• 1beb8fb1b6283dc7fffedcc2f058836d895d92b2fb2c37d982714af648994fed
• 77373ee9869b492de0db2462efd5d3eff910b227e53d238fae16ad011826388a
• 693ea9f0837c9e0c0413da6198b6316a6ca6dfd9f4d3db71664d2270a65bcf38
• 48e18db10bf9fa0033affaed849f053bd20c59b32b71855d1cc72f613d0cac4b
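The following host sweep is an added example, not code from the HPT or Seqrite advisory. It checks a single Windows machine for the IOCs listed above: the published drop path, the four SHA256 hashes in the usual staging directories, and process-creation events for ftp.exe in script-file mode or a script host spawned by explorer.exe (what a double-clicked LNK looks like). It assumes Sysmon is installed (Event ID 1); without it, it falls back to Security 4688, which only carries command lines when "Include command line in process creation events" is enabled. The directory list and the 30-day window are assumptions to adjust per case.

```powershell
# Added IOC sweep for Operation Hanoi Thief (not from the advisory). Run elevated, PowerShell 5.1+.
$KnownHashes = @(
    '1beb8fb1b6283dc7fffedcc2f058836d895d92b2fb2c37d982714af648994fed',
    '77373ee9869b492de0db2462efd5d3eff910b227e53d238fae16ad011826388a',
    '693ea9f0837c9e0c0413da6198b6316a6ca6dfd9f4d3db71664d2270a65bcf38',
    '48e18db10bf9fa0033affaed849f053bd20c59b32b71855d1cc72f613d0cac4b'
)
$KnownPath = 'C:\ProgramData\MsCtfMonitor.dll'
$Since     = (Get-Date).AddDays(-30)      # assumed look-back window
$Findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Detail, [string]$Evidence) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail; Evidence = $Evidence })
}

# 1. The published drop path, whatever its hash (a repacked sample will not match the list)
if (Test-Path -LiteralPath $KnownPath) {
    $h = (Get-FileHash -LiteralPath $KnownPath -Algorithm SHA256).Hash.ToLower()
    Add-Finding 'FilePath' $KnownPath "sha256=$h known=$($KnownHashes -contains $h)"
}

# 2. Hash sweep of the locations where LNK-delivered payloads usually land (assumed list)
$SweepDirs = @($env:ProgramData, $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA,
               (Join-Path $env:USERPROFILE 'Downloads'))
Get-ChildItem -Path $SweepDirs -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 50MB } |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and ($KnownHashes -contains $h.ToLower())) {
            Add-Finding 'Hash' $_.FullName "sha256=$($h.ToLower())"
        }
    }

# 3. Process-creation telemetry. Rule A: ftp.exe with -s:<file> (script-file mode, as in the
#    observed command). Rule B: a script host whose parent is explorer.exe, which is how a
#    double-clicked LNK runs. Rule B is a heuristic and also fires on users who start
#    PowerShell from the Start menu, so review it rather than alert on it blindly.
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
} -ErrorAction SilentlyContinue
if (-not $Events) {
    $Events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue
}
foreach ($e in $Events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $cmd    = $data['CommandLine']          # same field name in Sysmon ID 1 and Security 4688
    $parent = if ($data['ParentImage']) { $data['ParentImage'] } else { $data['ParentProcessName'] }
    $isFtpScript  = $cmd -match '\bftp(\.exe)?\b.*\s-s:'
    $isLnkSpawned = ($parent -match '\\explorer\.exe$') -and
                    ($cmd -match '\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b')
    if ($isFtpScript -or $isLnkSpawned) {
        Add-Finding 'ProcessCreate' $cmd "time=$($e.TimeCreated.ToString('s')) parent=$parent"
    }
}

$Findings | Format-Table -AutoSize -Wrap
```

A hash hit confirms the listed sample; an empty hash sweep does not clear the host, because stealers are repacked often. Treat the path check and the ftp.exe rule as the higher-signal results, and feed any ProcessCreate hit into the timeline for the host.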
4. Emergency Response Recommendations
If you suspect that your device is infected with stealer malware, take the following actions immediately:
1. Disconnect from the Internet
Prevent further data exfiltration to the attackers’ C2 servers.
2. Change all passwords using a clean device
Prioritize:
1. Primary email accounts
2. Banking / e-wallet accounts
3. Social media
4. Work platforms (Teams/Slack/Google/Office 365)
5. Password managers
3. Run system scans using trusted tools
4. Collect logs for investigation
• PowerShell logs: the Microsoft-Windows-PowerShell/Operational event log and, per user, the PSReadLine command history file (ConsoleHost_history.txt)
• Event Viewer Security log
• Browser data (cookies, unusual logins) → Provide to HPT IR/HSOC for analysis.
5. Review suspicious login sessions
• Google: myaccount.google.com/device-activity
• Microsoft: account.microsoft.com
• Facebook/Instagram/Zalo: review logged-in devices
• Enterprise email: review abnormal forwarding or inbox rules
6. Reinstall the operating system (if deeply compromised)
Reinstalling Windows is the safest option if a backdoor or full system compromise is suspected.
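Steps 4 and 5 above as a script, added here as an example and not taken from the advisory. Part A copies the artefacts an IR team asks for into one case folder and writes a hash manifest; part B pulls script-block events (Event ID 4104, which requires Script Block Logging to be enabled) that contain download cradles or encoded commands; part C lists mailbox-level forwarding and inbox rules that forward, redirect or silently delete mail. Part C assumes the ExchangeOnlineManagement module with a Connect-ExchangeOnline session already open; the mailbox address is a placeholder. The cradle pattern is an assumed starting list, not a complete one.

```powershell
# Added evidence-collection and review script (not from the advisory). Run elevated on the host.
$Case = Join-Path $env:SystemDrive ('IR-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $Case -Force | Out-Null

# --- A. Collect event logs and shell history ---------------------------------------------
foreach ($log in 'Microsoft-Windows-PowerShell/Operational', 'Security',
                 'Microsoft-Windows-Sysmon/Operational') {
    $out = Join-Path $Case (($log -replace '[\\/]', '_') + '.evtx')
    # wevtutil epl exports the live channel; a missing channel (e.g. no Sysmon) is simply skipped
    & wevtutil.exe epl $log $out 2>&1 | Out-Null
}
# PSReadLine keeps a per-user command history that is separate from the event log
$hist = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
if (Test-Path -LiteralPath $hist) { Copy-Item -LiteralPath $hist -Destination $Case }
# Hash everything collected so the hand-over to IR is tamper-evident
Get-ChildItem -Path $Case -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Export-Csv -NoTypeInformation (Join-Path $Case 'manifest.csv')

# --- B. Script-block triage: download cradles and encoded commands (assumed pattern list) ---
$Cradle = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|FromBase64String|' +
          'Invoke-Expression|\biex\b|-EncodedCommand|-enc\b|Start-BitsTransfer'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Cradle } |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlock'; e = { $_.Message.Substring(0, [Math]::Min(300, $_.Message.Length)) } } |
    Export-Csv -NoTypeInformation (Join-Path $Case 'suspicious-scriptblocks.csv')

# --- C. Mailbox forwarding and inbox rules in Exchange Online ---------------------------
$Mailbox = 'user@example.com'   # placeholder: the affected user's primary SMTP address
Get-Mailbox -Identity $Mailbox |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, Description |
    Format-List

Write-Host "Evidence written to $Case"
```

Run part A before any cleanup or reinstall, since the Security and PowerShell logs are lost with the OS. Attackers commonly hide persistence as a rule that forwards mail and then deletes it, which is why part C filters on DeleteMessage as well as the forwarding properties.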
5. Long-Term Prevention Measures
To mitigate the risks of similar APT campaigns, users and organizations should:
• Block unverified LNK files received via email
• Enable MFA/2FA on all critical accounts
• Train employees to recognize malicious shortcuts
• Monitor outbound traffic and suspicious connections
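Three controls behind the first and fourth points above, added as an example rather than taken from the advisory. They assume the ExchangeOnlineManagement module with an open Connect-ExchangeOnline session, Microsoft Defender Antivirus on the endpoints, and the built-in Windows firewall. The rule name and reject text are placeholders; the ASR rule GUID is the one Microsoft documents for "Block executable content from email client and webmail", and should be confirmed against the current ASR reference before deployment.

```powershell
# Added prevention configuration (not from the advisory).

# 1. Mail: reject inbound messages from outside the organisation that carry a .lnk attachment.
#    This matches by extension only, so an LNK inside an archive passes; pair it with archive
#    inspection or a block on password-protected archives.
New-TransportRule -Name 'Block LNK attachments' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'lnk' `
    -RejectMessageReasonText 'Windows shortcut (.lnk) attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce

# 2. Endpoint: Defender attack surface reduction rule for executable content delivered by mail
#    clients and webmail. Start in AuditMode on a pilot group and review the 1121/1122 events
#    before switching the action to Enabled.
Set-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Outbound visibility: log allowed as well as blocked connections in the host firewall, so
#    beaconing from ftp.exe or powershell.exe appears in pfirewall.log with the local process port
#    and destination for correlation with the process-creation events.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogAllowed True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767
```

The transport rule stops the lure at the gateway, the ASR rule catches what still arrives through personal webmail, and the firewall log gives the outbound record needed to confirm or rule out exfiltration after a hit.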
Conclusion
The Operation Hanoi Thief campaign highlights the growing sophistication of cyberattacks targeting Vietnam. Proactive monitoring, heightened awareness, and comprehensive defense measures are essential to safeguarding digital assets for both individuals and organizations.
Source: Seqrite (reference)
🛡️ Protect Your Systems with HPT’s Security Solutions & Services
HPT works alongside organizations to strengthen cyber defense capabilities and provide rapid incident response.
Learn more at: Security Solutions & Services