
Operation Hanoi Thief: Vietnam APT

Severity: Medium
Published: Fri Nov 28 2025 (11/28/2025, 14:06:46 UTC)
Source: AlienVault OTX General

Description

Operation Hanoi Thief is a spear-phishing campaign targeting Vietnamese IT professionals and recruitment teams. It uses malicious ZIP files containing fake resumes and LNK files that execute a pseudo-polyglot payload. This payload deploys a C++ DLL implant named LOTUSHARVEST via DLL sideloading, which steals browser credentials and history. The stolen data is exfiltrated to attacker-controlled servers. The campaign uses anti-analysis techniques and abuses trusted Windows tools to evade detection. While it shares similarities with Chinese-origin campaigns, state sponsorship is not confirmed. The attack primarily affects Vietnam's IT and recruitment sectors, with no known exploits in the wild beyond spear-phishing. The campaign poses a medium severity threat due to its targeted nature and credential theft capabilities. European organizations are not directly targeted but could be at risk if similar tactics spread. Mitigation requires focused user training, monitoring for DLL sideloading, and blocking known indicators of compromise.

AI-Powered Analysis

Last updated: 11/28/2025, 19:08:54 UTC

Technical Analysis

Operation Hanoi Thief is a targeted spear-phishing campaign aimed at Vietnamese IT professionals and recruitment personnel. The attack vector involves sending malicious ZIP archives containing a fake resume and an LNK file. When the LNK file is opened, it executes a pseudo-polyglot payload that leverages DLL sideloading to deploy a C++ DLL implant called LOTUSHARVEST. This implant functions as an information stealer, primarily harvesting browser credentials and browsing history from infected systems. The stolen data is then exfiltrated to attacker-controlled domains such as eol4hkm8mfoeevs.m.pipedream.net and uuhlswlx.requestrepo.com. The campaign employs multiple anti-analysis techniques to evade detection and abuses trusted Windows utilities to blend in with normal system activity. Although there are similarities to previous Chinese-origin APT campaigns, definitive attribution to a nation-state actor remains inconclusive. The campaign focuses on the Information Technology and Recruitment sectors within Vietnam, exploiting the trust and interest in job applications to lure victims. The attack chain involves techniques mapped to MITRE ATT&CK such as spear-phishing attachments (T1566.001), DLL sideloading (T1574.002), credential dumping (T1555.003), and data exfiltration (T1041). No CVEs or known exploits in the wild are associated with this campaign, indicating it relies on social engineering and living-off-the-land tactics rather than software vulnerabilities. The medium severity rating reflects the targeted nature and potential for credential compromise, which could lead to further network intrusion or espionage.

Potential Impact

For European organizations, the direct impact of Operation Hanoi Thief is currently limited due to its focus on Vietnamese IT and recruitment sectors. However, the tactics used—such as spear-phishing with malicious LNK files, DLL sideloading, and information stealing—are common in APT campaigns and could be adapted or replicated against European targets. If threat actors behind this campaign expand their targeting or share tools and techniques, European IT and recruitment sectors could face similar risks, including credential theft leading to unauthorized access, lateral movement, and data breaches. The exfiltration of browser credentials and history can compromise user accounts and sensitive information, potentially affecting confidentiality and integrity. The use of trusted Windows tools and anti-analysis techniques complicates detection and response, increasing the risk of prolonged undetected presence. Organizations with significant interactions or partnerships with Vietnamese entities might also face indirect risks through supply chain or third-party compromise. Overall, the campaign exemplifies the persistent threat of targeted social engineering combined with sophisticated payload delivery, which European organizations must be prepared to defend against.

Mitigation Recommendations

1. Implement targeted security awareness training focusing on spear-phishing, especially educating users to scrutinize unsolicited resumes or attachments from unknown sources.
2. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting DLL sideloading and anomalous use of Windows utilities.
3. Monitor and block network traffic to known malicious domains and IPs associated with the campaign, such as those identified in the indicators of compromise.
4. Enforce application whitelisting and restrict execution of LNK files from email attachments or untrusted locations.
5. Regularly audit and monitor browser credential stores and implement multi-factor authentication (MFA) to reduce the impact of stolen credentials.
6. Use threat intelligence feeds to update detection rules with hashes and domains linked to LOTUSHARVEST and related payloads.
7. Conduct regular incident response exercises simulating spear-phishing and DLL sideloading attacks to improve detection and containment capabilities.
8. Limit user privileges to prevent unauthorized DLL loading and reduce the attack surface.
9. Employ network segmentation to contain potential breaches and prevent lateral movement.
10. Collaborate with regional cybersecurity communities to share intelligence and best practices regarding emerging APT campaigns.
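Recommendations 3 and 6 amount to turning the indicators listed on this page into detection content. The following is an added example, not code from the advisory or from AlienVault: it loads the page's hash and domain indicators into sets, normalizes what it finds in telemetry (case, trailing dots, subdomains of a listed domain) and scans a few constructed log lines. The log line formats, host names, client IPs and file paths are assumptions made for the example; the empty-file MD5 on the last line is a deliberate non-match.

```python
"""Match the hash and domain indicators from the Operation Hanoi Thief
advisory against sample telemetry. Added example; the log format below is
an assumption, adapt the parsing to your own EDR or DNS export."""
import re

# Indicators copied from the page's IoC list.
IOC_HASHES = {
    "00839f128a2daa17623bf578cd7e2a85",
    "944ff8c66e470e1477231f5e9e79ca65",
    "d1475da8025b4fc74e23814cdbb2b8d0",
    "fc4ee75d5bec11da8904ccb630f0a96d",
    "6712001f18151927935f017d004bf0e096cc8123",
    "757b3e498fe37cad3670c658803401ffa235c389",
    "8f24ce018d5122fc7a89bad3ab52cd50f28d0c70",
    "a2d4755b3c103983ce0273e682de9d07efb9363a",
    "1beb8fb1b6283dc7fffedcc2f058836d895d92b2fb2c37d982714af648994fed",
    "48e18db10bf9fa0033affaed849f053bd20c59b32b71855d1cc72f613d0cac4b",
    "693ea9f0837c9e0c0413da6198b6316a6ca6dfd9f4d3db71664d2270a65bcf38",
    "77373ee9869b492de0db2462efd5d3eff910b227e53d238fae16ad011826388a",
}
IOC_DOMAINS = {
    "eol4hkm8mfoeevs.m.pipedream.net",
    "uuhlswlx.requestrepo.com",
}

# 32, 40 or 64 hex characters delimited by word boundaries.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
# Dotted host names; anything without a dot (and pure IPv4 addresses) is ignored.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def hash_kind(h):
    """Assumption: classify by length, as OTX hash feeds do (MD5 / SHA-1 / SHA-256)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")


def normalize_domain(d):
    """Lower-case and drop a trailing dot so 'Host.Example.COM.' matches 'host.example.com'."""
    return d.strip().rstrip(".").lower()


def scan_line(line):
    """Return a list of (indicator_type, detail, value) hits for one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(("hash", hash_kind(h), h.lower()))
    for d in DOMAIN_RE.findall(line):
        nd = normalize_domain(d)
        if nd in IOC_DOMAINS:
            hits.append(("domain", "exact", nd))
        elif any(nd.endswith("." + ioc) for ioc in IOC_DOMAINS):
            # A sub-domain of a listed C2 domain is still worth an alert.
            hits.append(("domain", "subdomain", nd))
    return hits


def scan_log(lines):
    """Return (line_no, indicator_type, detail, value) for every IoC hit in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for t, k, v in scan_line(line):
            findings.append((n, t, k, v))
    return findings


# Constructed sample telemetry: one DNS hit, one benign DNS query,
# one image-load hit on a listed SHA-256, one benign process with the empty-file MD5.
SAMPLE_LOG = [
    "2025-11-28T14:10:02Z dns query client=10.0.0.21 qname=uuhlswlx.requestrepo.com type=A",
    "2025-11-28T14:10:05Z dns query client=10.0.0.21 qname=updates.example.internal type=A",
    "2025-11-28T14:11:40Z imageload host=WS-07 image=C:\\Users\\hr\\Downloads\\sample.dll "
    "sha256=1beb8fb1b6283dc7fffedcc2f058836d895d92b2fb2c37d982714af648994fed",
    "2025-11-28T14:12:01Z process host=WS-07 image=C:\\Windows\\System32\\notepad.exe "
    "md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for line_no, kind, detail, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({detail}) {value}")
```

Hash matching is exact after lower-casing, but domain matching also flags sub-domains of a listed domain, since request-capture services such as the two listed here hand out per-user host names under a shared parent and an attacker can rotate the leftmost label. Both listed domains are on shared third-party platforms, so a hit warrants investigation of the endpoint rather than blanket blocking of the parent domain without review.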


Technical Details

Author
AlienVault
TLP
white
References
https://www.seqrite.com/blog/9479-2/
Adversary
null
Pulse Id
6929ac76bedd4839dedec743
Threat Score
null

Indicators of Compromise

Hash

Value (no descriptions provided)
00839f128a2daa17623bf578cd7e2a85
944ff8c66e470e1477231f5e9e79ca65
d1475da8025b4fc74e23814cdbb2b8d0
fc4ee75d5bec11da8904ccb630f0a96d
6712001f18151927935f017d004bf0e096cc8123
757b3e498fe37cad3670c658803401ffa235c389
8f24ce018d5122fc7a89bad3ab52cd50f28d0c70
a2d4755b3c103983ce0273e682de9d07efb9363a
1beb8fb1b6283dc7fffedcc2f058836d895d92b2fb2c37d982714af648994fed
48e18db10bf9fa0033affaed849f053bd20c59b32b71855d1cc72f613d0cac4b
693ea9f0837c9e0c0413da6198b6316a6ca6dfd9f4d3db71664d2270a65bcf38
77373ee9869b492de0db2462efd5d3eff910b227e53d238fae16ad011826388a

Domain

Value (no descriptions provided)
eol4hkm8mfoeevs.m.pipedream.net
uuhlswlx.requestrepo.com

Threat ID: 6929efc34121026312bf9b93

Added to database: 11/28/2025, 6:53:55 PM

Last enriched: 11/28/2025, 7:08:54 PM

Last updated: 12/5/2025, 1:25:48 AM

Views: 443
