Foreign-origin “Hanoi Thief” campaign directly targeting Vietnamese businesses
02:06:00 | 09-12-2025

A wave of fake job-application emails carrying an attachment named “Le Xuan Son CV.zip” is being sent to businesses of all sizes across Vietnam. The emails are the disguise for a cyberattack campaign called Hanoi Thief, whose objective is to infiltrate internal networks, gain system control, and steal customer data and corporate secrets. Inside the ZIP file is a shortcut file crafted to look like a normal CV; in reality it delivers the LOTUSHARVEST malware, which is designed to harvest saved passwords, login cookies, and browsing history from Chrome, Edge, and other browsers, then transmit the stolen data back to the attackers’ servers.

According to Bkav experts, the shortcut file inside “Le Xuan Son CV.zip” is masked with PDF/PNG-like icons, making recipients believe it is a legitimate CV. With just one click, LOTUSHARVEST is immediately triggered and begins its intrusion into the system.

What makes this attack particularly concerning is the sophisticated LOTUSHARVEST malware, which can hide deeply, auto-execute, and persist within the device. LOTUSHARVEST abuses library-loading mechanisms to maintain long-term control and gain access to accounts and sensitive data—far beyond what conventional security measures can defend against. The stolen data becomes the “key” for attackers to escalate their intrusion, deploy additional malicious tools, and turn the business into a multi-layered target or a victim of ransomware in later stages.

Nguyen Dinh Thuy, Malware Analysis Specialist at Bkav, stated: “All indications show that the Hanoi Thief campaign is meticulously planned and aimed directly at Vietnamese businesses. By exploiting HR departments—who frequently receive external documents but are not always equipped with sufficient cybersecurity awareness—attackers use fake CVs or document-like files that can continuously mutate into different variants, making the infection risk extremely unpredictable.”

Bkav has recorded Vietnamese companies that have already fallen victim to this campaign. Due to the severity of LOTUSHARVEST and the Hanoi Thief operation, users must exercise maximum caution with documents received via email, as just one careless click can open the door to attackers.

Businesses and organizations should regularly conduct cybersecurity training for employees, raising awareness and vigilance against online scams. Internal monitoring systems must be strengthened, especially for detecting abnormal libraries or suspicious files.

Default operating-system tools provide only basic protection and are completely insufficient against modern malware capable of hiding, persisting for long periods, and infiltrating deeply into systems. Therefore, companies must deploy email-monitoring systems and use licensed professional antivirus solutions for effective protection.
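As an added illustration of the email-monitoring recommendation (example code written for this page, not from Bkav), the following Python check inspects a ZIP attachment and reports any Windows shortcut inside it, whether it is recognizable by its `.lnk` extension, by a document-like double extension, or only by its Shell Link header bytes. The function names, entry names and sample archive are constructed for the example.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 that starts every .lnk file.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOC_EXTS = (".pdf", ".png", ".jpg", ".doc", ".docx")


def inspect_zip_attachment(data: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for each shortcut found in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            try:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except RuntimeError:
                head = b""  # encrypted or unsupported entry: fall back to the name
            if lower.endswith(".lnk"):
                if lower[:-4].endswith(DOC_EXTS):
                    findings.append((name, "shortcut with document-like double extension"))
                else:
                    findings.append((name, "shortcut file in archive"))
            elif head == LNK_MAGIC:
                findings.append((name, "shortcut content under a non-.lnk name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: harmless stub entries, not a real campaign artifact."""
    stub_lnk = LNK_MAGIC + b"\x00" * 56  # header bytes only, no target or arguments
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CV.pdf.lnk", stub_lnk)             # hypothetical entry name
        zf.writestr("cover_letter.pdf", b"%PDF-1.4\n")  # benign entry
        zf.writestr("photo.png", stub_lnk)              # shortcut bytes, renamed
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"QUARANTINE {entry}: {reason}")
```

Because Windows hides the `.lnk` extension in Explorer, a gateway-side check like this sees the real file type that the recipient does not.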

Bkav