Vietnamese Hacking Group: A Rising of Information Stealing Campaigns Going Global

Botconf 2025
Wednesday
2025-05-21 | 14:30 – 15:10

Chetan Raghuprasad 🗣 | Joey Chen

In recent years, Vietnamese cybercrime groups have significantly advanced their capabilities, acquiring sophisticated tools and tactics that have enhanced their operational success. The pandemic era marked a turning point, as these groups expanded their credential theft operations to a global scale, discovering innovative methods to breach corporate firewalls worldwide, thereby facilitating further criminal activities such as ransomware and information-stealing attacks.

Since the close of 2023, our research has unveiled at least three hacking groups, originating from Vietnam, that are targeting a majority of Asian countries and select European nations. Driven by financial motivations, these groups are primarily focused on stealing credentials, financial data, and social media accounts, including those related to business and advertising. This presentation will expose the vast criminal enterprise these groups have constructed, detailing their comprehensive software stacks, networks, and their sophisticated tactics, techniques, and procedures (TTPs). Through multiple case studies, we will illustrate the execution of information stealer attacks by Vietnamese cybercriminals, including the deployment of infostealers, the use of rare living-off-the-land binaries (LoLBins), data exfiltration strategies, and the exploitation of legitimate services for hosting command and control (C2) configuration files.

Additionally, we will reveal several newly discovered malware families, such as RotBot (a modified version of QuasarRAT), the XClient stealer, and the PXA_BOT stealer. The presentation will conclude with strategic approaches to mitigating infostealer attacks, equipping attendees with actionable insights to fortify defenses against these emerging threats. This compelling exploration not only highlights the evolving landscape of Vietnamese cyber threats but also underscores the critical need for proactive cybersecurity measures.

