Operation Hanoi Thief represents a sophisticated spear-phishing campaign targeting Vietnamese IT teams and HR recruitment firms through weaponized fake resumes. This deceptive cyber attack campaign, discovered on November 3, 2025, deploys the LOTUSHARVEST malware implant to steal browser credentials and sensitive data from compromised systems. The attack combines social engineering tactics with advanced evasion techniques, making it a significant threat to organizations handling recruitment processes in Vietnam’s technology sector.
Operation Hanoi Thief is an emerging spear-phishing campaign that strategically targets IT teams and HR recruiters across Vietnam through fake resumes embedded with pseudo-polyglot payloads. The attack begins when victims receive targeted emails containing ZIP archives with convincing resume documents and malicious LNK shortcuts. These weaponized resumes appear legitimate while hiding dangerous payloads designed to bypass security detection systems and infiltrate corporate networks.
The first malicious archive in Operation Hanoi Thief surfaced publicly on November 3, 2025, containing an LNK file disguised as a PDF document. The attackers crafted fake software developer resumes and even created dormant GitHub profiles years in advance to establish credibility for their fake candidates. When victims open the shortcut file, it silently triggers command chains that abuse legitimate Windows binaries like ctfmon.exe to execute malicious instructions in the background without raising immediate suspicion.
The pseudo-polyglot files used in Operation Hanoi Thief are engineered to confuse both human security analysts and automated scanning tools. These files appear as plain text to some analysis tools while others recognize them as PDF documents. The attackers place malicious scripts before PDF headers, enabling code execution without triggering standard security alerts. These scripts manipulate trusted Windows binaries to conceal command prompts, rename system files, and deploy the malicious DLL named MsCtfMonitor.dll into C:\ProgramData through DLL sideloading techniques.
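The archive and file characteristics described above (ZIP lure, LNK shortcut named like a PDF, script text ahead of the PDF header) can be screened before anyone opens the attachment. The following Python triage routine is an added example, not code from the report or from Seqrite; the sample archive it builds is constructed for the demo and is not a real campaign artifact.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
HIGH_RISK_EXT = {"lnk", "bat", "cmd", "exe", "vbs", "js", "hta", "scr"}

# Constructed sample archive (not a real campaign artifact): a pseudo-polyglot
# "PDF" with script text in front of the %PDF- header, an LNK whose name uses
# a double extension, and a harmless text file for comparison.
FAKE_POLYGLOT = (b"@echo off\r\necho constructed placeholder\r\n"
                 b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("candidate_cv.pdf", FAKE_POLYGLOT)
        zf.writestr("candidate_cv.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("cover_letter.txt", b"Dear hiring manager,\n...")
    return buf.getvalue()

def triage_entry(name: str, data: bytes) -> list:
    """Return the reasons this archive member should be quarantined (empty = none)."""
    findings = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 2 and parts[-1] in HIGH_RISK_EXT:
        findings.append("high-risk extension ." + parts[-1])
    if len(parts) >= 3:
        findings.append("double extension")
    if data.startswith(LNK_MAGIC):
        findings.append("content is a Windows shortcut (LNK)")
    # A PDF header that is not at offset 0 means something was placed in front
    # of the document: classify the leading bytes as text (script) or binary.
    off = data.find(b"%PDF-", 0, 4096)
    if off > 0:
        lead = data[:off]
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in lead)
        kind = "script-like text" if printable / len(lead) > 0.9 else "binary data"
        findings.append(f"PDF header at offset {off}, preceded by {kind}")
    return findings

def triage_zip(blob: bytes) -> dict:
    """Map each archive member to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                report[info.filename] = triage_entry(info.filename, zf.read(info))
    return report
```

Calling `triage_zip(build_sample_zip())` flags the shortcut on three counts and the polyglot on the misplaced PDF header, while the plain text file comes back clean.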
Once active on compromised systems, LOTUSHARVEST operates as a stealthy information stealer with multiple anti-analysis safeguards. The C++ based DLL implant checks for virtual environments and debugger presence while generating fake exceptions to confuse malware analysts and disrupt sandbox analysis. On real machines, LOTUSHARVEST collects browser-stored credentials, recently visited URLs, computer names, and usernames. The malware uses the WinINet API to exfiltrate stolen information over HTTPS to attacker-controlled domains, including randomly generated subdomains hosted on services like Pipedream and RequestRepo.
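On the host side, the two behaviours the report describes (MsCtfMonitor.dll loaded by ctfmon.exe from C:\ProgramData rather than the system directory, followed by HTTPS traffic from that same ctfmon.exe instance to a request-bin service) can be correlated in endpoint telemetry. The Python below is an added example, not from the report or Seqrite; the Sysmon-style events are constructed, the hostname substrings for Pipedream and RequestRepo are an assumption to replace with your own observations, and it assumes ctfmon.exe makes no outbound connections in normal operation.

```python
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry), trimmed to the fields the
# rules need. EventID 7 = image load, EventID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\ctfmon.exe",
     "ImageLoaded": r"C:\ProgramData\MsCtfMonitor.dll"},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\ctfmon.exe",
     "DestinationHostname": "abc123.m.pipedream.net", "DestinationPort": 443},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": r"C:\Windows\System32\ctfmon.exe",
     "ImageLoaded": r"C:\Windows\System32\MsCtfMonitor.dll"},  # legitimate load
    {"EventID": 3, "ProcessGuid": "{C}", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: substrings that appear in hostnames of the request-bin services
# named in the report; replace with what your own resolver logs show.
WEBHOOK_MARKERS = ("pipedream", "requestrepo")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Return (rule, detail) hits for one event; only ctfmon.exe is in scope."""
    hits = []
    if basename(ev.get("Image", "")) != "ctfmon.exe":
        return hits
    if ev["EventID"] == 7:
        loaded = ev["ImageLoaded"]
        if basename(loaded) == "msctfmonitor.dll" and not loaded.lower().startswith(SYSTEM_DIRS):
            hits.append(("sideload", f"MsCtfMonitor.dll loaded from {loaded}"))
    elif ev["EventID"] == 3:
        host = ev.get("DestinationHostname", "")
        hits.append(("ctfmon-network", f"outbound to {host}:{ev.get('DestinationPort')}"))
        if any(m in host.lower() for m in WEBHOOK_MARKERS):
            hits.append(("webhook-service", host))
    return hits

def correlate(events: list) -> dict:
    """Group hits by process: sideload plus beaconing from one ctfmon.exe is high."""
    per_proc = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            per_proc[ev["ProcessGuid"]].append(hit)
    verdicts = {}
    for guid, hits in per_proc.items():
        rules = {rule for rule, _ in hits}
        severity = "high" if {"sideload", "ctfmon-network"} <= rules else "medium"
        verdicts[guid] = (severity, hits)
    return verdicts
```

Running `correlate(SAMPLE_EVENTS)` rates process {A} high, and ignores the legitimate System32 load in {B} and the browser traffic in {C}.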
While attribution for Operation Hanoi Thief remains under investigation, the campaign’s tactics, techniques, and procedures echo previous activity associated with Chinese threat groups. The use of fake CVs, niche lure themes targeting specific industries, and similar command-and-control infrastructure patterns align with historical Chinese APT operations. However, the LOTUSHARVEST implant differs from more commonly observed Chinese-linked tools like PlugX, suggesting either evolution in threat actor capabilities or involvement of a previously unknown group targeting Vietnamese organizations.
Organizations should treat unexpected resumes with heightened scrutiny, especially those delivered in ZIP format from unknown senders. Security teams should establish verification procedures requiring HR personnel to confirm sender identities through LinkedIn or official company channels before opening any resume attachments. When resume submissions appear suspicious or originate from unverified sources, employees should immediately flag them to security teams for analysis rather than opening potentially malicious files.
IT administrators should block or strictly restrict dangerous file types such as .lnk, .bat, and .exe from reaching HR and recruitment team inboxes. Most legitimate recruitment workflows do not require these executable file types, and blocking them removes a major attack vector exploited by Operation Hanoi Thief. Organizations should implement email filtering rules and endpoint protection policies that prevent these high-risk file types from being delivered to users handling job applications and candidate submissions.
HR and recruitment teams should review all resume attachments within protected, isolated environments such as sandboxes or virtual machines that cannot connect to the main corporate network. This isolation strategy ensures that even if a weaponized resume executes malicious code, the infection cannot spread to production systems or compromise sensitive corporate data. Organizations should provide dedicated systems or cloud-based sandbox solutions specifically for screening external documents from untrusted sources.
Since LOTUSHARVEST specifically targets browser-stored credentials, organizations must discourage employees from saving passwords in web browsers. Security teams should mandate the use of enterprise password managers with encryption and implement multi-factor authentication (MFA) across all corporate applications and services. This layered approach to credential protection significantly reduces the value of stolen browser data even if systems become compromised by malware like LOTUSHARVEST.
Organizations should implement next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions capable of identifying and blocking sophisticated malware campaigns like Operation Hanoi Thief. These advanced security tools leverage behavioral analysis and machine learning algorithms to detect suspicious activity patterns that traditional signature-based antivirus solutions might miss. EDR platforms provide visibility into attack chains, enabling security teams to identify and respond to threats before they cause significant damage.
SHA256 Hashes:
Security teams should add these SHA256 hash values to threat intelligence feeds and endpoint protection systems to detect and block LOTUSHARVEST malware variants associated with Operation Hanoi Thief.
T1587 – Develop Capabilities: Operation Hanoi Thief attackers developed custom malware capabilities including the LOTUSHARVEST implant.
T1587.001 – Malware: Threat actors created the C++ based LOTUSHARVEST DLL specifically for this campaign.
T1566 – Phishing: The campaign relies on phishing techniques to gain initial access to target systems.
T1566.001 – Spearphishing Attachment: Attackers send targeted emails with malicious resume attachments to specific individuals in Vietnamese organizations.
T1204 – User Execution: The attack requires victims to manually open malicious files disguised as resumes.
T1204.002 – Malicious File: Users unknowingly execute malicious LNK shortcuts embedded in resume packages.
T1059 – Command and Scripting Interpreter: Operation Hanoi Thief abuses Windows command interpreters to execute malicious scripts.
T1218 – System Binary Proxy Execution: The campaign misuses legitimate Windows binaries like ctfmon.exe to execute malicious payloads.
T1574 – Hijack Execution Flow: Attackers manipulate the normal execution flow of legitimate Windows processes.
T1574.001 – DLL Side-Loading: LOTUSHARVEST uses DLL sideloading with ctfmon.exe to load malicious code.
T1036 – Masquerading: Malicious files masquerade as legitimate resume documents and PDF files.
T1036.007 – Double File Extension: The campaign uses deceptive file extensions to hide malicious file types.
T1140 – Deobfuscate/Decode Files or Information: Scripts decode and deploy the LOTUSHARVEST payload during execution.
T1555 – Credentials from Password Stores: LOTUSHARVEST targets password storage mechanisms on compromised systems.
T1555.003 – Credentials from Web Browsers: The malware specifically extracts credentials stored in web browsers.
T1082 – System Information Discovery: LOTUSHARVEST collects computer names, usernames, and other system identifiers.
T1083 – File and Directory Discovery: The malware performs reconnaissance of file systems on infected machines.
T1217 – Browser Information Discovery: The implant specifically targets browser data including visited URLs.
T1005 – Data from Local System: LOTUSHARVEST aggregates stolen credentials and browsing history from infected endpoints.
T1041 – Exfiltration Over C2 Channel: Stolen data is transmitted to attacker-controlled command and control infrastructure.
T1071 – Application Layer Protocol: The campaign uses standard application protocols for command and control communications.
T1071.001 – Web Protocols: LOTUSHARVEST communicates with C2 servers over HTTPS using the WinINet API.
Seqrite Threat Analysis: https://www.seqrite.com/blog/9479-2/