Operation Hanoi Thief: Sophisticated Cyberattack Targets IT and HR

Cyber Security News by CyberSum.net
SEQRITE Labs APT-Team uncovered a cyberattack campaign dubbed 'Operation Hanoi Thief' that targets IT departments and HR recruiters with weaponized resume documents. The campaign, detected on November 3, 2025, uses a pseudo-polyglot payload technique to disguise malware as legitimate job application materials.

The attack begins with a malicious ZIP file delivered via spear-phishing emails. The archive contains a shortcut file and a pseudo-polyglot payload disguised as a resume image. The social engineering is carefully prepared, including authentic-looking credentials and geographic details. The multi-stage infection chain abuses ftp.exe to execute the payload and ultimately deploys LOTUSHARVEST, a 64-bit information-stealing DLL implant. The malware steals browser credentials and browsing history from Google Chrome and Microsoft Edge and exfiltrates the data to attacker-controlled infrastructure. The campaign underscores the evolving sophistication of social engineering attacks against recruitment processes.
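For mail-gateway or helpdesk triage, the archive layout described above (a shortcut file next to a file that only claims to be an image) can be checked before anyone opens the attachment. The sketch below is an added example, not code from SEQRITE or from the campaign; the file names and sample bytes are constructed, and it assumes the disguised payload does not begin with a valid image header, so a payload that keeps a genuine header would not be flagged by the second check.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Leading magic bytes for the image types a "resume image" might claim to be.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def triage_zip(data: bytes) -> list[str]:
    """Return findings for a ZIP attachment supplied as raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = PurePosixPath(name.lower()).suffix
            if ext == ".lnk":
                # Shortcuts have no business in a job application archive.
                findings.append(f"shortcut file in archive: {name}")
            elif ext in IMAGE_MAGIC:
                with zf.open(info) as fh:
                    head = fh.read(8)
                if not head.startswith(IMAGE_MAGIC[ext]):
                    findings.append(f"{ext} name but non-image header: {name}")
    return findings

def build_sample(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed, inert sample entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: inert placeholder bytes, not real campaign files.
SUSPICIOUS = build_sample({
    "CV.pdf.lnk": b"placeholder shortcut bytes",
    "resume.png": b"plain text where PNG data should be",
})
BENIGN = build_sample({"photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_zip(blob))
```

Either finding alone is worth a second look; both together in one attachment match the delivery pattern the report describes.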