{
  "name": "Operation Hanoi Thief: Vietnam APT",
  "slug": "operation-hanoi-thief-vietnam-apt",
  "description": "A spear-phishing campaign dubbed 'Operation Hanoi Thief' is targeting Vietnamese IT professionals and recruitment teams. The attack uses a malicious ZIP file containing a fake resume and an LNK file. The LNK file executes a pseudo-polyglot payload, which deploys a C++ DLL implant called LOTUSHARVEST through DLL sideloading. This implant functions as an information stealer, harvesting browser credentials and history before exfiltrating data to attacker-controlled servers. The campaign employs anti-analysis techniques and abuses trusted Windows tools. While similarities with previous Chinese-origin campaigns exist, attribution to a state sponsor remains inconclusive. The operation primarily affects the Information Technology and Recruitment sectors in Vietnam.",
  "published": "2025-11-28T13:06:46+00:00",
  "created_at": "2025-11-28T13:06:46+00:00",
  "modified_at": "2025-12-21T17:17:18+00:00",
  "created_at_opencti": "2025-11-28T13:06:46+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-28",
    "browser credentials",
    "dll sideloading",
    "information stealer",
    "it-professionals",
    "lotusharvest",
    "recruiters",
    "spear-phishing",
    "vietnam"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "1beb8fb1b6283dc7fffedcc2f058836d895d92b2fb2c37d982714af648994fed"
      },
      {
        "id": "",
        "name": "48e18db10bf9fa0033affaed849f053bd20c59b32b71855d1cc72f613d0cac4b"
      },
      {
        "id": "",
        "name": "77373ee9869b492de0db2462efd5d3eff910b227e53d238fae16ad011826388a"
      },
      {
        "id": "",
        "name": "693ea9f0837c9e0c0413da6198b6316a6ca6dfd9f4d3db71664d2270a65bcf38"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:507e72cc168a5400",
        "name": "LOTUSHARVEST",
        "slug": "lotusharvest"
      }
    ],
    "attack_patterns": [
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "3e7e47ba-d8ad-4aa8-a4fc-1167cec2e125",
        "name": "T1587.001"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Information Technologies Consulting"
      },
      {
        "id": "",
        "name": "eol4hkm8mfoeevs.m.pipedream.net"
      },
      {
        "id": "",
        "name": "uuhlswlx.requestrepo.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6929ac76bedd4839dedec743",
    "https://www.seqrite.com/blog/9479-2/"
  ]
}