Operation Hanoi Thief: Vietnam APT
Essential information
- Published: 28/11/2025 14:06
- Modified: 21/12/2025 18:17
- Tags: 2025-11-28 browser credentials dll sideloading information stealer it-professionals lotusharvest recruiters spear-phishing vietnam
- Related entities: 4 observables, 12 techniques (mitre), 1 malware, 3 others
Description
A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVEST through DLL sideloading. This implant functions as an information stealer, harvesting browser credentials and history before exfiltrating data to attacker-controlled servers. The campaign employs anti-analysis techniques and abuses trusted Windows tools. While similarities with previous Chinese-origin campaigns exist, attribution to a state sponsor remains inconclusive. The operation primarily affects the Information Technology and Recruitment sectors in Vietnam.