Vietnam Stealer: Analysis of Python-based malware that steals information using Telegram as a C&C channel

Overview of the Vietnamese Stealer malware

Vietnamese Stealer is a specialized class of malware designed to exfiltrate personal and financial data from victim devices, primarily targeting users and organizations in Vietnam. This malware is developed in Python and leverages Telegram as its Command and Control (C2) channel for data exfiltration.

Rather than disrupting or damaging systems, Vietnamese Stealer focuses on harvesting browser credentials, session cookies, cryptocurrency wallet data and certain sensitive configuration files. This stolen information can be directly exploited to hijack accounts and compromise digital assets.

According to Kaspersky, infostealer incidents in Vietnam surged by 78.8% in the first half of 2025, with 191,976 blocked attacks, the majority of which involved spyware targeting organizations. This trend indicates that infostealers are emerging as one of the most prominent cyber threats in the domestic threat landscape.

Threat landscape of Info Stealers in Vietnam

During the 2024–2025 period, the underground market has witnessed a significant surge in stealer toolkits developed in Python and Golang, marketed under the Malware-as-a-Service (MaaS) model.

Common characteristics of campaigns observed in Vietnam include:
• Phishing emails disguised as invoices or tax-related documents
• Exploitation of user complacency when opening malicious attachments
• Abuse of legitimate platforms such as Telegram to conceal Command and Control (C2) activities
• Localization of lures in Vietnamese or Korean to increase attachment open rates

The use of Telegram as a Command and Control (C2) channel enables threat actors to:
• Eliminate the need to maintain dedicated server infrastructure
• Preserve anonymity through bot mechanisms and publicly available APIs
• Dynamically modify endpoints without requiring updates to the malware code

This trend reflects a growing level of operational maturity and cost efficiency within the infostealer ecosystem targeting Vietnam.

Attack Chain of Vietnamese Stealer

The Vietnamese Stealer campaign unfolds through three sophisticated phases:

Phase 1: Exploiting a DLL Side Loading vulnerability in a benign application to deploy the py.ico malware (Stage 1)

First, the malware exploits a DLL hijacking vulnerability in the ADNotificationManager.exe file as the starting point of a sophisticated attack campaign. The hacker group used a malicious urlmon.dll as the springboard for delivering its attack commands. The campaign incorporates social engineering by distributing phishing emails that contain a compressed archive disguised as a Korean VAT invoice (e.g., 부가가치세 영수증.jpg). When the victim opens the file, a decoy PDF document is displayed to create the appearance of legitimate activity (decoy execution), while the malware silently downloads the primary payload from external servers using the curl command.


[Figure: Initial Dropper/Loader deployment phase]
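The side-loading technique described in Phase 1 leaves a simple artifact a defender can hunt for: a copy of a Windows system DLL (here urlmon.dll) sitting next to an executable outside the Windows system directories. The script below is an added example written for this article, not code from HPT's report or from the malware; it builds a constructed directory tree (a fake System32 copy of urlmon.dll, an application folder holding ADNotificationManager.exe plus a rogue urlmon.dll, and a clean application folder) and then walks the tree, flagging watched DLL names found beside an .exe and comparing their hash with the copy in the system directory. The list of watched DLL names beyond urlmon.dll and the directory layout are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# System DLL names an attacker may drop beside a trusted executable. urlmon.dll is
# the one used in this campaign; the others are added from general side-loading
# experience and are an assumption, not taken from the report.
WATCHED_DLLS = {"urlmon.dll", "version.dll", "dwmapi.dll",
                "cryptbase.dll", "wininet.dll", "userenv.dll"}


def sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sideload_candidates(root: Path, system_dir: Path) -> list:
    """Flag watched DLL names found outside system_dir in a folder that also contains an .exe.

    Each finding records the DLL path, the executables that could load it, its hash
    and whether that hash matches the copy in system_dir (a mismatch means the file
    is not the genuine system DLL).
    """
    reference = {name: sha256(system_dir / name)
                 for name in WATCHED_DLLS if (system_dir / name).is_file()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        if folder == system_dir or system_dir in folder.parents:
            continue  # the system directory is where these DLLs belong
        lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # side-loading needs a host executable in the same folder
        for name in sorted(WATCHED_DLLS.intersection(lower)):
            dll = folder / lower[name]
            digest = sha256(dll)
            findings.append({
                "dll": str(dll),
                "host_exes": exes,
                "sha256": digest,
                "matches_system_copy": reference.get(name) == digest,
            })
    return findings


def build_demo_tree() -> tuple:
    """Constructed layout for the demo: returns (root, system_dir)."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    system_dir = root / "Windows" / "System32"
    app_dir = root / "Program Files" / "ADNotificationManager"
    clean_dir = root / "Program Files" / "CleanApp"
    for folder in (system_dir, app_dir, clean_dir):
        folder.mkdir(parents=True)
    # File contents are placeholders; only names, locations and hashes matter here.
    (system_dir / "urlmon.dll").write_bytes(b"GENUINE URLMON (constructed)")
    (app_dir / "ADNotificationManager.exe").write_bytes(b"MZ signed app (constructed)")
    (app_dir / "urlmon.dll").write_bytes(b"ROGUE DLL (constructed)")
    (clean_dir / "CleanApp.exe").write_bytes(b"MZ clean app (constructed)")
    (clean_dir / "helper.dll").write_bytes(b"ordinary private dll (constructed)")
    return root, system_dir


if __name__ == "__main__":
    demo_root, demo_system = build_demo_tree()
    for finding in find_sideload_candidates(demo_root, demo_system):
        print(finding)
```

On a real Windows host the root would be the drive and system_dir would be C:\Windows\System32 (with a second pass for SysWOW64); a hash match against the system copy downgrades a finding to a redistributed but genuine DLL, while a mismatch is worth pulling the file for analysis.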

Phase 2: Establishing persistence on the system via a scheduled task and downloading the Stage 2 malware through py.ico

The malware creates a scheduled task named MicrosoftEdgeUpdateTaskMachine, masquerading as a legitimate Microsoft Edge update mechanism to evade detection. This task is configured to trigger at user logon and to execute periodically on an hourly basis.
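The persistence mechanism above gives defenders several concrete checks: a task named like the Edge updater whose action is not the Edge updater binary, an interpreter being handed a file with a non-script extension (the py.ico pattern), an action living in a user-writable folder, and a logon trigger combined with an hourly repeat. The script below is an added example written for this article, not HPT's or the malware's code; it applies those checks to an export in the shape of `schtasks /query /fo CSV /v` output. The column names used, the default install path assumed for the genuine updater, and the sample rows (including the invented C:\Users\Public\Libraries paths) are assumptions constructed for illustration.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on `schtasks /query /fo CSV /v` output, reduced to
# five columns (assumption: these header names match the schtasks export).
# The paths in the malicious row are invented for illustration.
SAMPLE_EXPORT = """\
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\\MicrosoftEdgeUpdateTaskMachineCore","C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe /c","At logon time","N/A","SYSTEM"
"\\MicrosoftEdgeUpdateTaskMachine","C:\\Users\\Public\\Libraries\\python.exe C:\\Users\\Public\\Libraries\\py.ico","At logon time","1 Hour","alice"
"\\OneDrive Reporting Task","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe /reporting","Daily","N/A","alice"
"""

# Where the genuine Edge updater is expected (assumption: default install location).
EDGE_UPDATER_DIR = PureWindowsPath(r"C:\Program Files (x86)\Microsoft\EdgeUpdate")
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
NON_EXECUTABLE_EXT = {".ico", ".jpg", ".png", ".pdf", ".txt", ".dat", ".log"}

# Drive-letter paths inside the "Task To Run" field: directory components may
# contain spaces, the final file name may not (keeps "/c"-style arguments out).
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n\s]+\.[A-Za-z0-9]+')


def analyze_task(row: dict) -> list:
    """Return the list of suspicion reasons for one exported task row."""
    reasons = []
    name = row["TaskName"].lstrip("\\")
    paths = [PureWindowsPath(p) for p in PATH_RE.findall(row["Task To Run"])]
    file_names = {p.name.lower() for p in paths}

    # 1. Masquerading: Edge-updater-style task name, but the action is not the updater.
    if name.lower().startswith("microsoftedgeupdatetaskmachine"):
        if not paths or paths[0].parent != EDGE_UPDATER_DIR:
            reasons.append("Edge-updater task name but action is not the Edge updater binary")

    # 2. An interpreter is launched with a file whose extension is not a script.
    if file_names & INTERPRETERS:
        disguised = [p.name for p in paths[1:] if p.suffix.lower() in NON_EXECUTABLE_EXT]
        if disguised:
            reasons.append("interpreter executes non-script file: " + ", ".join(disguised))

    # 3. The action lives somewhere an unprivileged user can write.
    if any(marker in str(p).lower() for p in paths for marker in USER_WRITABLE_MARKERS):
        reasons.append("action path is user-writable")

    # 4. Logon trigger combined with a repeat interval (the campaign's hourly beacon).
    if "logon" in row["Schedule Type"].lower() and row["Repeat: Every"] != "N/A":
        reasons.append("logon trigger repeating every " + row["Repeat: Every"])
    return reasons


def hunt(csv_text: str, min_reasons: int = 2) -> dict:
    """Map task name -> reasons for every task with at least min_reasons hits."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = analyze_task(row)
        if len(reasons) >= min_reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, why in hunt(SAMPLE_EXPORT).items():
        print(task)
        for reason in why:
            print("  -", reason)
```

Requiring two independent reasons keeps ordinary per-user software (such as the OneDrive updater row, which only trips the user-writable check) out of the results, while the impersonating task trips all four. The same rules translate directly to a Sysmon or EDR rule on scheduled-task creation events.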

Phase 3: Collecting credentials, cookies, and wallet information from the user's browser and transmitting the collected data via Telegram

Vietnamese Stealer harvests sensitive data from web browsers and cryptocurrency wallets and exfiltrates the collected information to the operator’s Telegram Command-and-Control (C2) channel.


[Figure: Attack process overview]

The sophistication of the campaign also lies in its concealment capabilities. The malware is protected through multiple layers of obfuscation, decompression, and encoding, significantly hindering detection by traditional security mechanisms. Notably, the dynamic rotation of Command-and-Control (C2) infrastructure via publicly accessible Telegram metadata enables the operator to redirect data flows without modifying or redeploying the malware on infected endpoints. This approach substantially enhances evasion resilience and complicates forensic tracing efforts.

Cybersecurity risks for Vietnamese enterprises

Information-stealing malware introduces risks at both the individual and organizational levels, including:

• Compromise of corporate email accounts
• Abuse of online banking accounts
• Supply chain attacks leveraging legitimate account access
• Leakage of customer data and proprietary business information

For enterprises, the impact extends beyond financial losses to reputational damage and regulatory compliance exposure.

In the context of the evolving infostealer threat landscape, organizations must implement a multilayered defense strategy, including:

• Regular patch management for operating systems and applications
• Deployment of EDR/XDR solutions with behavioral monitoring capabilities
• Monitoring anomalous traffic to Telegram Bot APIs
• Conducting periodic penetration testing
• Implementing structured security awareness training programs for employees

The combination of 24x7 security monitoring technologies and continuous user awareness initiatives significantly reduces the risk of compromise from phishing-driven infection campaigns.
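The recommendation above to monitor anomalous traffic to Telegram Bot APIs can be made concrete: the Bot API is reached over HTTPS at api.telegram.org with paths of the form /bot<bot_id>:<secret>/<method>, so a proxy or TLS-inspection log that records host and path is enough to spot workstations uploading files (sendDocument and similar methods) to a bot, especially from a scripting client such as python-requests and at a regular cadence matching the hourly task. The script below is an added example written for this article, not code from HPT's report or the malware; the proxy log format it parses and the sample lines (with placeholder, non-real bot tokens) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines. Format is an assumption:
#   timestamp client_ip method host path user_agent bytes_sent
# Bot tokens below are obvious placeholders, not real credentials.
SAMPLE_LOG = """\
2025-06-03T09:12:44Z 10.0.4.21 POST api.telegram.org /bot7123456789:AAHplaceholdertoken000000000000000/sendDocument python-requests/2.31.0 184320
2025-06-03T09:12:45Z 10.0.4.21 POST api.telegram.org /bot7123456789:AAHplaceholdertoken000000000000000/sendMessage python-requests/2.31.0 512
2025-06-03T09:13:01Z 10.0.4.22 POST api.telegram.org /bot7123456789:AAHplaceholdertoken000000000000000/sendDocument python-requests/2.31.0 90112
2025-06-03T09:15:10Z 10.0.4.30 GET web.telegram.org /k/ Mozilla/5.0 0
2025-06-03T09:16:02Z 10.0.4.31 POST api.telegram.org /bot5550001111:AAGplaceholdertoken111111111111111/getUpdates Go-http-client/1.1 0
2025-06-03T10:12:44Z 10.0.4.21 POST api.telegram.org /bot7123456789:AAHplaceholdertoken000000000000000/sendDocument python-requests/2.31.0 201000
"""

# Bot API methods that carry file content out of the network.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMediaGroup"}
# User-agent prefixes of scripting HTTP clients rather than browsers or the Telegram app.
SCRIPT_UA_PREFIXES = ("python-requests", "python-urllib", "Go-http-client", "curl/", "Wget/")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
                     r"(?P<path>\S+) (?P<ua>\S+) (?P<bytes>\d+)$")
# Real Bot API path layout: /bot<bot_id>:<secret>/<apiMethod>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<api>\w+)")


def redact_token(path: str) -> str:
    """Keep the numeric bot id (a useful indicator) but drop the secret part of the token."""
    return BOT_PATH_RE.sub(lambda m: "/bot" + m["bot_id"] + ":<redacted>/" + m["api"], path)


def flag_clients(log_text: str, allowlist=frozenset(), upload_min_bytes: int = 4096) -> dict:
    """Summarise Bot API use per client and return only clients with a suspicious reason."""
    per_client = defaultdict(lambda: {"uploads": 0, "bytes_out": 0, "bot_ids": set(),
                                      "upload_times": [], "reasons": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["host"] != "api.telegram.org":
            continue
        bot = BOT_PATH_RE.match(m["path"])
        if not bot or m["client"] in allowlist:
            continue  # allowlist: hosts that legitimately run a Telegram bot
        rec = per_client[m["client"]]
        sent = int(m["bytes"])
        rec["bot_ids"].add(bot["bot_id"])
        rec["bytes_out"] += sent
        if m["ua"].startswith(SCRIPT_UA_PREFIXES):
            rec["reasons"].add("non-browser Bot API client")
        if bot["api"] in UPLOAD_METHODS and sent >= upload_min_bytes:
            rec["uploads"] += 1
            rec["upload_times"].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
            rec["reasons"].add("file upload to a bot")

    result = {}
    for client, rec in per_client.items():
        if not rec["reasons"]:
            continue
        times = sorted(rec["upload_times"])
        result[client] = {
            "uploads": rec["uploads"],
            "bytes_out": rec["bytes_out"],
            "bot_ids": sorted(rec["bot_ids"]),
            # Gaps between uploads: a steady value (here 3600 s) points to a scheduled beacon.
            "intervals_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
            "reasons": sorted(rec["reasons"]),
        }
    return result


if __name__ == "__main__":
    for client, summary in flag_clients(SAMPLE_LOG).items():
        print(client, summary)
```

The bot id survives redaction so that the same operator bot can be correlated across hosts and shared as an indicator without exposing the token; the allowlist keeps servers that are known to run a Telegram bot (such as 10.0.4.31 in the sample, which only polls getUpdates) out of the alert stream.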

Comprehensive defensive solutions from HPT

To proactively protect enterprises against increasingly sophisticated cyber threats, HPT delivers a portfolio of specialized cybersecurity solutions and services tailored to modern threat landscapes:

• Penetration Testing Services: Simulated real-world attacks designed to identify weaknesses across the organization’s attack surface before adversaries can exploit them.

• 24x7 Security Operations Center (SOC) Monitoring: Continuous monitoring to detect, analyze, and respond to suspicious activities across servers and end-user endpoints in real time.

• Cybersecurity Consulting Services: Development of resilient backup strategies following the 3-2-1 rule, combined with incident response and recovery drills to ensure data availability and business continuity.

• User Awareness Assessment & Training (Email Phishing): Strengthening the “human firewall”, the organization’s most critical line of defense, through targeted phishing simulations and security awareness training.

Do not wait for an incident to occur. Contact HPT today to receive expert consultation and build a robust, proactive security shield for your organization!

TECHNICAL ANALYSIS REPORT BY HPT EXPERTS