Full Report
A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally.
Analysis Summary
# Threat Actor: Unnamed Vietnamese-Speaking Cybercriminal Group (Associated with PXA Stealer Ecosystem)
## Attribution & Identity
* **Identification:** Hackers linked to Vietnamese-speaking cybercriminal groups.
* **Known Aliases/Associated Groups:** Associated with the central Telegram channel `@Lonenone` (which displays a Vietnam flag emoji).
## Activity Summary
* **Current Campaign Focus:** Ongoing cybercrime campaign focused on mass data exfiltration and monetization through automated resale on Telegram.
* **Historical Activity:** Previously linked by Cisco Talos to campaigns using PXA Stealer to target government and education entities in Europe and Asia.
* **Recent Operations (July observation):** Used a signed Microsoft Word executable, disguised as a document showing a fake copyright infringement notice, to lure victims.
## Tactics, Techniques & Procedures
* **Initial Access:** Delivered malware via phishing lures disguised as legitimate software downloads (e.g., Microsoft Word 2013, Haihaisoft PDF Reader) or malicious documents (e.g., fake copyright infringement notice).
* **Collection:** Used the **PXA Stealer** malware to collect passwords, financial credentials, browser cookies, cryptocurrency and other digital wallet data, and data from VPN clients, Discord, and cloud file-sharing applications.
* **Exfiltration:** Stolen data is compressed into ZIP files and exfiltrated using the **Cloudflare Workers** service to designated Telegram bot channels.
* **Monetization:** Stolen data is fed into Telegram-based subscription services (like Sherlock, Daisy Cloud, and Moon Cloud) for automated resale to other threat actors.
* **Automation:** Utilizes multiple Telegram bots with Vietnamese-language names for command/control and data handling.
## Targeting
* **Sectors:** Government, Education, and general entities susceptible to infostealer payloads.
* **Geography:** Global, active in at least 62 countries, including the United States, South Korea, the Netherlands, Austria, and Hungary.
* **Victims:** Researchers observed logs corresponding to over 4,000 unique victim IP addresses.
## Tools & Infrastructure
* **Malware Families Used:** PXA Stealer (Python-based infostealer).
* **Infrastructure:**
  * **C2/Distribution Channel:** Telegram (central channel `@Lonenone` and associated bots).
  * **Exfiltration Relay:** Cloudflare Workers service (Note: reported to and actioned by Cloudflare).
  * **Monetization Platforms:** Telegram-based subscription services including Sherlock, Daisy Cloud, and Moon Cloud.
## Implications
This operation represents a highly organized cybercrime ecosystem leveraging widely used, legitimate services (Telegram, Cloudflare Workers) for efficient, high-volume data theft and monetization. The actors specialize in feeding the broader infostealer market, suggesting a significant ongoing threat to credential security and financial data globally. The rapid evolution reported by researchers indicates a resilient and adaptive threat.
## Mitigations
* Implement strict scrutiny of externally sourced software installations, especially software masquerading as common office tools.
* Monitor for unusual data exfiltration patterns, particularly unexpected traffic routed through cloud services such as Cloudflare Workers.
* Strengthen defenses against credential harvesting by securing digital wallets and enforcing multi-factor authentication on critical accounts.
* Monitor Telegram channels and subscription services associated with the resale of stolen credentials by Vietnamese-speaking threat actor groups.
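As an added example (not part of this report), the following Python sketch shows how a defender might flag the exfiltration chain described above, an archive-sized POST to a `workers.dev` hostname plus Telegram Bot API file uploads from the same internal host, over constructed proxy log lines; the log format, the placeholder worker hostname and bot token, and the size threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines for this example, not indicators from the report;
# the worker hostname and bot token are placeholders.
SAMPLE_LOGS = """\
2024-07-01T10:00:01Z host=WS-014 method=POST url=https://example-relay.workers.dev/up ctype=application/zip bytes=2481920
2024-07-01T10:00:04Z host=WS-014 method=POST url=https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument ctype=multipart/form-data bytes=2490112
2024-07-01T10:02:11Z host=WS-022 method=GET url=https://example.com/index.html ctype=text/html bytes=5120
2024-07-01T10:03:30Z host=WS-031 method=POST url=https://api.telegram.org/botPLACEHOLDER_TOKEN/getMe ctype=application/json bytes=128
"""
LINE_RE = re.compile(r"host=(?P<host>\S+) method=(?P<method>\S+) url=(?P<url>\S+) "
                     r"ctype=(?P<ctype>\S+) bytes=(?P<size>\d+)")
TG_BOT_RE = re.compile(r"^/bot[^/]+/(?P<api>\w+)$")  # Bot API paths: /bot<token>/<method>
TG_UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
CHAIN = {"workers_zip_upload", "telegram_bot_upload"}  # both stages of the reported exfil path


def classify(entry, min_bytes):
    """Return the detection tags that apply to one parsed log entry."""
    tags = set()
    parsed = urlparse(entry["url"])
    fqdn = (parsed.hostname or "").lower()
    zip_like = "zip" in entry["ctype"].lower() or int(entry["size"]) >= min_bytes
    # (a) archive-sized POST to a default Cloudflare Workers hostname
    if entry["method"] == "POST" and fqdn.endswith(".workers.dev") and zip_like:
        tags.add("workers_zip_upload")
    # (b) Telegram Bot API traffic; file-sending methods get the stronger tag
    if fqdn == "api.telegram.org" and (m := TG_BOT_RE.match(parsed.path)):
        tags.add("telegram_bot_api")
        if m.group("api") in TG_UPLOAD_METHODS:
            tags.add("telegram_bot_upload")
    return tags


def detect(log_text, min_bytes=1_000_000):
    """Aggregate tags per internal host; returns {host: (severity, sorted tags)}."""
    per_host = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            per_host.setdefault(entry["host"], set()).update(classify(entry, min_bytes))
    results = {}
    # high = both stages seen from one host; medium = one stage; low = bot API chatter only (e.g. getMe)
    for host, tags in per_host.items():
        if tags:
            severity = "high" if CHAIN <= tags else "medium" if tags & CHAIN else "low"
            results[host] = (severity, sorted(tags))
    return results
```

Tune `min_bytes` and the hostname suffix to your environment; legitimate use of Workers or Telegram bots will otherwise produce medium-severity noise.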