Hanoi Thief Threat Actors Deploy Pseudo-Polyglot Malware Payloads Against IT Professionals

Researchers from SEQRITE Labs have uncovered Operation Hanoi Thief, a new spear-phishing campaign targeting IT departments and hiring teams in Vietnam that uses fake resumes embedded with an unusual malware technique called a pseudo-polyglot payload.

The campaign, believed to be of Chinese origin, delivers a final-stage DLL implant, LOTUSHARVEST, that steals browser credentials and browsing history from victims.

Spear-Phishing with Fake Resumes

The campaign begins with a malicious ZIP archive sent through spear-phishing emails. The ZIP file, titled Le-Xuan-Son_CV.zip, contains two items: a shortcut file (CV.pdf.lnk) and a disguised image file (offsec-certified-professional.png).

The PNG file is not a normal image but a pseudo-polyglot document that acts as both a decoy and a script container.

When the victim opens the shortcut, it abuses the legitimate Windows binary ftp.exe to execute hidden batch commands embedded in the pseudo-polyglot file.

This technique is an example of LOLBIN (Living-Off-the-Land Binary) abuse, allowing the attacker to use trusted system tools instead of dropping separate executables, making detection harder.

The script first displays a fake resume to appear legitimate, then extracts and decodes malicious data hidden inside the PNG. It drops a DLL called MsCtfMonitor.dll into the C:\ProgramData folder.

It copies a trusted Windows file (ctfmon.exe) into the same directory to trigger DLL sideloading, ensuring that Windows loads the infected DLL instead of the legitimate library.
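As an added defender-side example, not code from the SEQRITE report or this article: a Python check that walks a PNG's chunk structure and reports any data appended after the IEND chunk, which is one common way an image file can double as a script container. The sample image and the trailing batch text are constructed here, and this page does not describe how the real payload is encoded inside the PNG, so the exact layout is an assumption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed batch-like tokens; a real triage rule would use a fuller list.
SCRIPT_TOKENS = (b"@echo", b"cmd", b"powershell", b"certutil", b"copy ", b"rundll32")

def png_overlay(data):
    """Walk the chunk list and return the bytes that follow IEND.

    Returns None when the input is not a structurally valid PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # 4-byte length + type + data + CRC
        if end > len(data):
            return None                     # truncated chunk
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if stored_crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            return None                     # CRC covers type + data
        if ctype == b"IEND":
            return data[end:]
        pos = end
    return None

def scan_png(data):
    """Summarise whether a PNG carries trailing data that looks like a script."""
    overlay = png_overlay(data)
    if overlay is None:
        return {"valid_png": False, "overlay_bytes": 0, "script_like": False}
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in overlay)
    mostly_text = bool(overlay) and printable / len(overlay) > 0.9
    has_token = any(t in overlay.lower() for t in SCRIPT_TOKENS)
    return {"valid_png": True, "overlay_bytes": len(overlay),
            "script_like": mostly_text and has_token}

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_samples():
    """Constructed 1x1 greyscale PNG, clean and with a batch script appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # one filter byte + one pixel
    clean = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    script = b"@echo off\r\nrem constructed sample, not the campaign's payload\r\n"
    return clean, clean + script

if __name__ == "__main__":
    for name, sample in zip(("clean", "polyglot"), build_samples()):
        print(name, scan_png(sample))
```

A file that parses as a valid image yet carries a text overlay is worth quarantining for review; the same chunk walk also flags truncated or CRC-mismatched images that a viewer would still happily render.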

LOTUSHARVEST: Credential-Stealing DLL Implant

The final payload, LOTUSHARVEST, is an information-stealing program written in 64-bit C++. The implant gathers browser credentials, stored logins, and recent browsing history from Google Chrome and Microsoft Edge.

Using Windows APIs such as CryptUnprotectData, it decrypts saved passwords. It prepares a JSON file containing the stolen data, along with the victim’s computer and user names.

Figure: Infection chain

The malware then connects to attacker-controlled endpoints including eol4hkm8mfoeevs.m.pipedream.net and uuhlswlx.requestrepo.com and exfiltrates the data using HTTPS POST requests.

Analysts also noted anti-analysis checks in the DLL, such as IsDebuggerPresent and fake crash routines, designed to confuse researchers and evade sandbox detection.

SEQRITE researchers found similarities between this activity and past Chinese-state-linked campaigns that used fake resumes as lures.

However, the unique stealer-focused nature of LOTUSHARVEST makes the attribution moderately confident rather than conclusive.

The company has classified related detections under Trojan 50086—SL and Trojan A18678918 in its protection systems.
