Operation Hanoi Thief: Threat Actor targets Vietnamese IT professionals and recruitment teams.
ID: 344eefc4-e83f-5179-bd23-51f6646b3f23
STIX ID: report--344eefc4-e83f-5179-bd23-51f6646b3f23
Feed Name: Seqrite Blog
Operation Hanoi Thief is a spear-phishing campaign targeting Vietnamese IT and recruitment professionals. The lure is a ZIP archive containing a malicious .lnk file and a pseudo-polyglot document; opening the shortcut executes a batch script through a LOLBIN (ftp.exe), which decodes and drops a DLL (MsCtfMonitor.dll, tracked as LOTUSHARVEST) and loads it by DLL sideloading through ctfmon.exe. The 64-bit DLL harvests browser history and saved credentials and exfiltrates them to attacker-controlled endpoints. Notable IOCs include several SHA-256 hashes and domains such as eol4hkm8mfoeevs.m.pipedream.net. The report provides technical indicators, a MITRE ATT&CK mapping, and a medium-confidence attribution to a Chinese-origin actor.
