A phishing campaign linked to Chinese actors is using an uncommon payload technique to steal browser credentials from IT professionals in Vietnam.
According to Cyber Press, researchers have reported a spear phishing campaign that delivers malicious ZIP files posing as resumes, ultimately installing a credential-stealing DLL implant called LOTUSHARVEST. The attackers rely on a pseudo polyglot file that acts as both an image and a script container, which enables hidden commands to run when the victim opens the decoy. The implant collects saved browser credentials and recent browsing activity from Chrome and Edge and sends the data to attacker-controlled servers.
The phishing emails carry an archive that contains a shortcut (LNK) file and a file disguised as a PNG. When the shortcut is opened, it abuses the trusted Windows binary ftp.exe to run batch commands embedded in the pseudo polyglot file. This is a living-off-the-land technique: execution proceeds without dropping an obvious standalone executable. The script displays a resume to keep the lure credible, then extracts encoded malware that drives a DLL sideloading sequence. A copied ctfmon.exe loads the attacker-supplied DLL in place of the legitimate library, which establishes persistence and enables data collection.
Analysts noted that the implant uses Windows cryptographic functions to decrypt stored browser passwords before packaging the stolen data into a JSON file. The payload communicates over HTTPS with remote collection points and includes anti-analysis routines intended to complicate forensic review. Researchers also observed some overlaps with past activity attributed to Chinese state-linked groups, although the focus on credential harvesting rather than broad espionage made attribution tentative.
According to GBHackers, the Hanoi Thief operation “underscores the evolving sophistication of social engineering attacks targeting recruitment processes,” showing how threat actors now blend credible job-related lures with technical payloads designed to avert detection. Researchers noted that organizations should strengthen defenses by adopting “enhanced email filtering, employee security awareness training, and behavioral monitoring to detect DLL sideloading attempts.” The report adds that the attackers’ reliance on pseudo-polyglot files marks “an emerging evasion technique that warrants attention from the broader cybersecurity community.”
A pseudo polyglot file is a file crafted to satisfy multiple format signatures, allowing it to appear as a harmless document or image while also containing executable script content.
IT professionals and recruiting staff routinely open attachments from unfamiliar senders, making them attractive initial points of entry for attackers seeking access to corporate networks.
DLL sideloading allows a malicious DLL to run under the context of a trusted executable, which can bypass some monitoring tools and make analysis more difficult.
The implant gathers saved browser credentials, browsing history, machine identifiers, and user information before sending the data to remote servers.
Training on identifying suspicious resumes, limiting execution of shortcuts delivered by email, restricting use of signed system binaries such as ftp.exe, and applying behavioural detection controls can reduce risk.
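The execution chain described above (ftp.exe driven from a shortcut, a copied ctfmon.exe hosting the DLL) and the behavioural monitoring recommended here translate into two host-level signals. The following is an added example, not code from the researchers or the article, that applies those checks to constructed process-creation events; the field names follow Sysmon conventions and the `-s:` argument is ftp.exe's documented option for reading commands from a file.

```python
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
# ftp.exe reads commands from a file when given -s:<path>
SCRIPT_ARG = re.compile(r'-s:\s*"?([^"\s]+)', re.IGNORECASE)

# Constructed process-creation events with Sysmon-like field names.
# These are illustrative, not telemetry from the reported campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"ftp.exe -s:C:\Users\hr\Downloads\resume.png",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\hr\AppData\Local\Temp\ctfmon.exe",
     "CommandLine": "ctfmon.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ctfmon.exe",
     "CommandLine": "ctfmon.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp.exe files.example.internal",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def in_system_dir(path: str) -> bool:
    """True when the image lives in System32 or SysWOW64."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS

def classify(event: dict) -> list:
    """Return findings for one process-creation event (empty if benign)."""
    findings = []
    name = PureWindowsPath(event["Image"]).name.lower()
    cmd = event.get("CommandLine", "")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if name == "ftp.exe":
        m = SCRIPT_ARG.search(cmd)
        if m:  # command file supplied: interactive FTP use has no -s:
            findings.append("ftp.exe executing commands from a file")
            if PureWindowsPath(m.group(1)).suffix.lower() in IMAGE_EXTS:
                findings.append("ftp.exe script is an image file (pseudo-polyglot indicator)")
            if parent == "explorer.exe":
                findings.append("launched from the shell, consistent with a shortcut file")
    if name == "ctfmon.exe" and not in_system_dir(event["Image"]):
        findings.append("ctfmon.exe running outside the system directory (possible sideload host)")
    return findings

def scan(events: list) -> list:
    """Return (image path, findings) for every event that raised a finding."""
    return [(e["Image"], f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, *findings, sep="\n  - ")
```

Real deployments would add an image-load check (a DLL loaded by ctfmon.exe from the same non-system directory) and allow-list any internal ftp.exe automation before alerting.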