A recent cyberattack campaign linked to Vietnamese-speaking hackers has expanded its reach across 62 countries, according to new research. Researchers at SentinelOne's SentinelLABS and at Beazley Security have identified a surge in highly evasive information-stealing activity affecting thousands of personal and corporate users. The attacks employ advanced techniques to bypass standard security defenses and harvest sensitive data. The campaign highlights both the scale and the adaptability of these threat actors, presenting new challenges for cybersecurity teams worldwide.
Compared with earlier reports, such as those by Cisco Talos, the current wave demonstrates more sophisticated tradecraft and wider victim targeting. While previous incidents linked Vietnamese-speaking hackers mainly to attacks on governmental and educational institutions, the present campaign shows indiscriminate targeting that encompasses private individuals and businesses internationally. The use of platforms such as Telegram to automate the resale and use of stolen credentials indicates an evolution from earlier, less organized operations.
How Have the Attackers Increased Their Effectiveness?
The hackers have incorporated novel anti-detection methods that help their campaigns evade antivirus products and security operations monitoring. Recent activity includes tailored approaches designed to confuse analysts and make detection more difficult. SentinelLABS and Beazley Security observed the attackers adapting their methods and refining their deployment chains to maximize effectiveness and minimize the risk of exposure, resulting in widespread credential theft.
What Type of Data Has Been Compromised?
Analysis of the breaches revealed the theft of over 200,000 unique passwords, numerous credit card records, and more than four million browser cookies. This extensive dataset gives cybercriminals access to both personal accounts and sensitive financial information across a wide range of victims. The report states:
“The stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies, giving actors ample access to victims’ accounts and financial lives.”
How Are Stolen Credentials Monetized?
Stolen credentials and data are monetized through subscription-based ecosystems run on the Telegram messaging platform, where other cybercriminals can purchase access for cryptocurrency theft or further attacks. SentinelLABS noted:
“The evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly more challenging to detect and analyze.”
The growing prevalence and sophistication of infostealers like PaxStealer underscore the need for proactive, multi-layered defenses among individuals and organizations alike. Threat actors continue to exploit automation channels and anonymized platforms to distribute and resell sensitive data at scale. Regularly updating security tools, monitoring for suspicious activity, and educating users about cyber risks remain crucial countermeasures. The report illustrates a shift from targeted assaults to broader, more opportunistic campaigns, signifying persistent risk to digital assets in both the public and private sectors worldwide.