Infection Chain | Image: SEQRITE Labs APT-Team
A sophisticated new cyber-espionage campaign is sweeping through Vietnam’s technology and recruitment sectors, weaponizing the hiring process to deploy a stealthy information stealer. Discovered by the SEQRITE Labs APT-Team on November 3, 2025, the campaign employs a complex infection chain hidden within seemingly innocent job applications.
Researchers have dubbed this activity “Operation Hanoi Thief”. The name was chosen “because of the final payload and its stealer-oriented capabilities and the geographic location in the resume being around Hanoi, the capital of Vietnam.”
The attack begins with a classic spear-phishing tactic: a malicious email containing a ZIP archive named Le-Xuan-Son_CV.zip. Inside, the victim finds what appears to be the curriculum vitae of a software developer named “Le Xuan Son,” complete with a Hanoi address and a GitHub profile.
To establish credibility, the attackers created a fake GitHub account for the applicant back in 2021. However, a closer look reveals the account has no activity, suggesting it “was specifically set up for this phishing campaign.”
What makes this campaign technically distinct is how the malware is delivered. The ZIP file contains two files: a document and a shortcut (LNK) file. “The threat actor primarily uses a file type which we are terming as a pseudo-polyglot payload to hide the malicious intentions”.
The file, named offsec-certified-professional.png, is a “Frankenstein” of data formats. It serves as a visual lure (the resume image), a PDF document, and a container for a malicious batch script simultaneously.
The infection chain relies on a clever abuse of a standard Windows tool, ftp.exe. When the victim clicks the LNK file, it doesn’t just open a document. Instead, it triggers ftp.exe to execute the commands hidden inside the polyglot file.
“The ZIP file contains two files, a document which serves as both the lure and the second stager payload and an LNK file which triggers the initial reaction.”
Once the script executes, it extracts a Base64-encoded blob from the image file and decodes it into a malicious DLL named MsCtfMonitor.dll. This is the campaign’s primary weapon, a C++ implant researchers have named LOTUSHARVEST.
The malware uses a technique called DLL sideloading: it copies the legitimate Windows tool ctfmon.exe to a new folder, where the executable unknowingly loads the malicious DLL placed beside it. Once active, LOTUSHARVEST goes to work as a ruthless information stealer.
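Two steps of the chain above leave telemetry a defender can key on: ftp.exe being handed a "script" that is really an image or document, and ctfmon.exe running from a folder other than System32. The following is an added example (not code from SEQRITE Labs or the article) that checks constructed Sysmon-style process-creation records for both conditions; the field names, sample paths and the `-s:` argument form are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in a Sysmon-like shape (not real telemetry);
# the paths are made up to mirror the chain described in the article.
EVENTS = [
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r'ftp.exe -s:"C:\Users\hr\Downloads\Le-Xuan-Son_CV\offsec-certified-professional.png"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\hr\AppData\Local\Temp\mon\ctfmon.exe",
     "CommandLine": "ctfmon.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ctfmon.exe",
     "CommandLine": "ctfmon.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe -s:C:\ops\nightly-transfer.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Extensions a genuine ftp command script would never carry; an image or
# document here is the fingerprint of the pseudo-polyglot lure.
LURE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".docx"}

def ftp_script_path(cmdline):
    """Return the file passed to ftp.exe via -s: (quoted or bare), or None."""
    m = re.search(r'-s:"([^"]+)"|-s:(\S+)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def check_event(ev):
    """Return a list of (rule, detail) hits for one process-creation record."""
    hits = []
    image = PureWindowsPath(ev["Image"])
    name = image.name.lower()
    if name == "ftp.exe":
        script = ftp_script_path(ev["CommandLine"])
        if script and PureWindowsPath(script).suffix.lower() in LURE_EXTS:
            hits.append(("ftp_script_in_lure_file", script))
    elif name == "ctfmon.exe" and str(image.parent).lower() not in SYSTEM_DIRS:
        # ctfmon.exe copied out of System32 resolves MsCtfMonitor.dll from its
        # new folder: the sideloading step described above.
        hits.append(("ctfmon_outside_system_dir", str(image)))
    return hits

def scan(events):
    """Run check_event over every record, tagging hits with the record index."""
    return [(i, r, d) for i, ev in enumerate(events) for r, d in check_event(ev)]

if __name__ == "__main__":
    for idx, rule, detail in scan(EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The benign records (ctfmon.exe in System32, ftp.exe with a .txt script) produce no hits, which is the point of keying on location and extension rather than on the binaries themselves.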
It specifically targets browser data from Google Chrome and Microsoft Edge, extracting:
- Browsing History: The “20 most recently visited URLs.”
- Credentials: Stored login data, decrypted using Windows APIs.
The stolen data is then exfiltrated to attacker-controlled domains such as eol4hkm8mfoeevs[.]m[.]pipedream[.]net.
While the specific identity of the attackers remains unconfirmed, the forensic evidence points toward a familiar direction. “The tactics and overlaps with earlier activity suggest a Chinese-origin threat actor, though state sponsorship is not confirmed.”
However, the use of a pure “stealer” rather than a traditional backdoor (like PlugX) marks a deviation from typical state-sponsored Chinese tooling, adding a layer of mystery to the operation.