From Campus to C2: Tracking a Persistent Chinese Operation Against Vietnamese Universities

- This report describes an OSINT-driven analysis of an exposed open-directory that revealed a China-linked intrusion campaign compromising at least 25 Vietnamese universities: recovered Cobalt Strike and VShell servers, webshells (including .NET in-memory loaders), tunneling/RDP proxies, plaintext credentials, victim lists, exploitation logs (sqlmap, Metasploit), and numerous TTPs used for persistence, lateral movement, privilege escalation, and data collection.