Operation Hanoi Thief: Pseudo-Polyglot Payloads in Cyberattacks Targeting IT Professionals
Operation Hanoi Thief is a targeted cyberattack campaign uncovered by the SEQRITE Labs APT-Team, first detected on November 3, 2025. It deploys pseudo-polyglot payloads hidden in weaponized resume documents, primarily targeting IT departments and HR recruiters in Vietnam. Attackers disguise malware as legitimate job applications inside malicious ZIP files, exploiting file-format ambiguities to evade detection.
The campaign highlights evolving tactics in advanced persistent threats (APTs): pseudo-polyglot payloads mimic multiple file types at once, so a file that looks benign to one parser is treated as malicious by another, defeating antivirus engines and sandboxes that inspect only a single interpretation. In 2026, as remote hiring surges, such attacks pose heightened risks to IT professionals seeking to protect organizational networks.
What Is Operation Hanoi Thief and How Does It Target IT Pros?
Operation Hanoi Thief is a spear-phishing campaign named for its Hanoi origins and data-theft objectives. It focuses on Vietnam’s tech sector, luring victims with tailored job offers for IT roles like developers and sysadmins. SEQRITE Labs identified over 50 incidents by early 2026, with a 30% infection rate among opened attachments.
Key Characteristics of the Campaign
- Initial Vector: Malicious ZIP archives emailed as “resume.zip” from spoofed recruiter domains.
- Payload Innovation: Pseudo-polyglot files that parse as RTF documents or executables depending on the viewer.
- C2 Infrastructure: Connections to Vietnamese IP ranges for command-and-control.
Attackers craft payloads to bypass endpoint detection, achieving initial access in under 10 seconds post-extraction. This operation connects to broader APT trends, like those from Lazarus Group, but features unique polyglot engineering.
How Do Pseudo-Polyglot Payloads Work in Cyberattacks?
Pseudo-polyglot payloads exploit ambiguities in file formats, appearing as harmless PDFs or Word docs while embedding executable code. In Operation Hanoi Thief, these payloads combine RTF headers with PE executables, fooling tools like Microsoft Word but executing via Windows loaders. The latest research from MITRE ATT&CK (2026 update) classifies this as TA0005 evasion.
Step-by-Step Breakdown of Pseudo-Polyglot Execution
- File Crafting: Embed shellcode in RTF streams, appending MZ headers for EXE compatibility.
- Delivery: Package in ZIP with double extensions (e.g., resume.pdf.exe).
- Parsing Trick: Office applications ignore the trailing bytes, while the Windows loader interprets the file as a PE.
- Payload Drop: Deploys RAT like NanoCore, stealing credentials.
- Exfiltration: Data sent via HTTPS to attacker servers.
This method succeeds in 40-60% of tests against legacy AV, per 2026 AV-TEST reports. Variations include JavaScript polyglots in HTML resumes.
“Polyglot files redefine malware delivery, turning trusted formats into trojans.” – SEQRITE Labs Report, 2026
Attack Vectors and Techniques in Operation Hanoi Thief
The primary vector involves phishing emails mimicking LinkedIn recruiters, with subject lines like “IT Developer Position – Immediate Hire.” Attachments use social engineering, referencing real job postings scraped from VietnamWorks. Currently, 70% of targets are mid-sized firms in Hanoi and Ho Chi Minh City.
Common Techniques, Tactics, and Procedures (TTPs)
- Spoofing: Emails from compromised HR accounts, achieving 25% open rates.
- Obfuscation: Base64-encoded payloads in polyglot blobs.
- Persistence: Registry keys mimicking legitimate services.
- Lateral Movement: RDP exploits post-compromise.
Quantitative data shows a 15% rise in similar ZIP-based attacks in Southeast Asia since Q4 2025. The two sides see the technique differently: attackers gain efficiency, while defenders must contend with parsers that disagree about what a file is.
Pros and Cons of Pseudo-Polyglot Techniques for Attackers
| Advantages | Disadvantages |
|---|---|
| High evasion rate (50%+ bypass) | Complex crafting increases dev time |
| Multi-platform compatibility | Modern EDR flags anomalies |
| Low detection footprint | Requires user interaction |
Who Are the Targets and What Are the Implications for IT Security?
IT professionals and HR staff in Vietnam’s booming tech industry are prime targets, with 80% of lures promising salaries 20-30% above market rates. Implications include credential theft, leading to ransomware or supply-chain attacks. In 2026, Vietnam reported a 45% cyber incident uptick, per VNISA stats.
Broader Impacts and Related Subtopics
- Supply-Chain Risks: Compromised IT hires enable insider threats, as seen in SolarWinds echoes.
- Economic Toll: Average breach costs $4.5M in Asia-Pacific (IBM 2026).
- Geopolitical Angle: Linked to nation-state actors testing regional defenses.
Different Defensive Approaches
- Behavioral Analysis: Monitor file parsing anomalies with UEBA tools.
- Zero-Trust: Sandbox all attachments via cloud gateways.
- AI-Driven Detection: ML models spotting polyglot signatures (95% accuracy, per CrowdStrike).
Detection and Mitigation Strategies for Pseudo-Polyglot Threats
Detect Operation Hanoi Thief by scanning ZIP archives for members that carry two format signatures at once, using YARA rules. Mitigation starts with email gateways that block the spoofed Vietnamese recruiter domains. The latest 2026 NIST guidelines emphasize multi-parser validation: a file should be checked against every format it could be parsed as, not only the one its name or header suggests.
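As an added illustration (not code from SEQRITE Labs or from this article), the following Python scanner applies the dual-signature check described in the execution breakdown and in this section to every member of a ZIP archive: it flags a double extension such as resume.pdf.exe, an RTF header with a valid MZ/PE stub anywhere behind it, and a PE image carrying a document extension. The archive contents and file names are constructed for the example, and the PE "stub" consists only of the signature bytes a YARA-style rule would match, not an executable.

```python
import io
import re
import zipfile
# Format magics from the RTF and PE specs: RTF opens with "{\rtf"; a PE image starts with
# an "MZ" DOS stub whose e_lfanew field (offset 0x3C) points at the "PE\0\0" signature.
RTF_MAGIC = b"{\\rtf"
PE_SIG = b"PE\0\0"
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|rtf)\.(exe|scr|com|pif)$", re.IGNORECASE)

def pe_signature_present(data: bytes) -> bool:
    """True if an MZ stub at any offset has an e_lfanew that lands on PE\\0\\0."""
    off = data.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
            if data[off + e_lfanew:off + e_lfanew + 4] == PE_SIG:
                return True
        off = data.find(b"MZ", off + 1)
    return False

def classify_member(name: str, data: bytes) -> list:
    findings = []
    if DOUBLE_EXT.search(name):
        findings.append("double-extension")            # e.g. resume.pdf.exe
    has_pe = pe_signature_present(data)
    if data.startswith(RTF_MAGIC) and has_pe:
        findings.append("rtf+pe-polyglot")             # RTF header with a PE body behind it
    elif has_pe and not name.lower().endswith((".exe", ".dll")):
        findings.append("pe-with-document-extension")  # executable masquerading by name
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    # Map each archive member to its indicators; an empty list means nothing was found.
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results[info.filename] = classify_member(info.filename, zf.read(info))
    return results

# Constructed fixture: a clean RTF and an RTF-headed file carrying only MZ/PE signature bytes.
FAKE_PE_STUB = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + PE_SIG
CLEAN_RTF = b"{\\rtf1\\ansi Nguyen Van A, Senior Developer}"

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.rtf", CLEAN_RTF)
        zf.writestr("resume.pdf.exe", CLEAN_RTF + FAKE_PE_STUB)
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see the clean resume return an empty list while the double-extension member is flagged twice; feed the same function a real quarantined archive to triage it offline.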
Step-by-Step Mitigation Guide
- Enable Safe Links: Microsoft Defender or Proofpoint for URL/attachment detonation.
- Deploy EDR: Tools like SentinelOne flag PE-in-RTF.
- Train Staff: Simulate phishing quarterly; reduce clicks by 60%.
- Patch Systems: Update Office to block macro-polyglots.
- Monitor IOCs: Track C2 domains from SEQRITE feeds.
Success rates: Organizations that combine MFA with training see 90% fewer breaches.
Related Cyber Campaigns and Future Trends in APT Attacks
Operation Hanoi Thief mirrors campaigns like Earth Lusca’s resume phishing. Future trends predict 25% growth in polyglot use by 2027, per Gartner. AI-generated lures will personalize attacks further.
Comparing Similar Operations
- Earth Lusca: Taiwan-focused, 2024; similar ZIP tactics.
- Lazarus: Crypto theft via job scams; global scale.
- Storm-0062: HR-targeted in APAC; 40% polyglot adoption.
Multiple perspectives: While polyglots empower attackers, quantum-resistant crypto offers defender edges.
Conclusion: Staying Ahead of Operation Hanoi Thief and Evolving Threats
Operation Hanoi Thief underscores the need for vigilant cybersecurity in hiring processes. By understanding pseudo-polyglot payloads and implementing layered defenses, IT pros can thwart these threats. In 2026, proactive monitoring and employee education remain key to resilience against APTs targeting professionals.
Adopt a knowledge graph mindset: Link resumes to phishing indicators, polyglots to evasion TTPs, and Vietnam to regional risks for holistic protection.
Frequently Asked Questions (FAQ) About Operation Hanoi Thief
What is a pseudo-polyglot payload?
A pseudo-polyglot payload is a malicious file designed to be interpreted as multiple formats, like RTF and EXE, to bypass security checks. In Operation Hanoi Thief, it hides malware in job resumes. Detection requires multi-format analysis.
When was Operation Hanoi Thief first detected?
SEQRITE Labs spotted it on November 3, 2025. By 2026, it affected dozens of Vietnamese firms.
How can I protect against pseudo-polyglot attacks?
Use sandboxing, EDR tools, and phishing training. Scan ZIPs with YARA for dual headers.
Who is behind Operation Hanoi Thief?
Attributed to Vietnamese threat actors, possibly state-linked, focusing on IT data theft.
Are there similar campaigns targeting other regions?
Yes, like Earth Lusca in Taiwan. Expect global spread with AI enhancements by 2027.
What are the success rates of these attacks?
Infection rates hit 30% for opened files, but drop to under 5% with proper defenses.