{
	"id": "806e27ed-7930-4172-8d49-31bdc14818f4",
	"created_at": "2026-04-06T00:17:07.992353Z",
	"updated_at": "2026-04-10T13:11:35.986325Z",
	"deleted_at": null,
	"sha1_hash": "8bcee3db2cad1e80e97b6174f744f913b66b72f5",
	"title": "Vietnamese Malware Gets Very Personal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169997,
	"plain_text": "Vietnamese Malware Gets Very Personal\r\nBy Eva Galperin and Morgan Marquis-Boire\r\nPublished: 2014-01-19 · Archived: 2026-04-05 14:50:08 UTC\r\nAs encryption has become more prevalent in online communications as a countermeasure against surveillance, attackers have sought to circumvent these measures by covertly installing malware on targeted computers that can log keystrokes, remotely spy on users with their own webcams, record Skype calls, and listen in on the computer’s built-in microphone. Sometimes the attacker is a criminal, such as the hacker who used a remote access tool (RAT) to take blackmail photos of Miss Teen USA. Sometimes the attacker is acting in support of a state, like the pro-Assad hackers whose malware campaigns against opposition supporters EFF has been tracking for the last two years. Sometimes the attacker is the government or a law enforcement agency. For example, the NSA’s Tailored Access Operations unit uses covertly-installed malware to spy on targets.\r\nMalware is a tool that most states have in their toolbox, and Vietnam is no exception. For the last several years, the communist government of Vietnam has used malware and RATs to spy on journalists, activists, dissidents, and bloggers, while it cracks down on dissent. Vietnam’s Internet spying campaign dates back to at least March 2010, when engineers at Google discovered malware broadly targeting Vietnamese computer users. The infected machines were used to spy on their owners as well as to participate in DDoS attacks against dissident websites. The Vietnamese government has cracked down sharply on anti-government bloggers, who represent the country’s only independent press. It is currently holding 18 bloggers and journalists, up from 14 a year earlier, according to a report issued by the Committee to Protect Journalists in 2013.\r\nEFF has written extensively about the worsening situation for bloggers in Vietnam, supporting campaigns to free high-profile bloggers such as Le Quoc Quan and Dieu Cay, and criticizing Vietnam’s Internet censorship bill. This report will analyze malware targeting EFF's own staff, as well as a well-known Vietnamese mathematician, a Vietnamese pro-democracy activist, and a Vietnam-based journalist at the Associated Press.\r\nA Campaign Targeting EFF and Associated Press\r\nWe will begin with the attack targeting EFF staffers. This marks the first time we have detected a targeted malware attack against our organization by what appear to be state-aligned actors.\r\nOn December 20th, 2013, two EFF staffers received an email from “Andrew Oxfam,” inviting them to an “Asia Conference,” and inviting them to click on a pair of links which were supposed to contain information about the conference and the invitation itself. These links were especially suspicious because they were not hosted on Oxfam’s domain, but instead directed the invitee to a page hosted on Google Drive, seen below. In addition, this email contained two attachments purporting to be invitations to the conference.\r\nThis targeting is especially interesting because it demonstrates some understanding of what motivates activists. Just as journalists are tempted to open documents promising tales of scandal, and Syrian opposition supporters are tempted to open documents pertaining to abuses by the Assad regime, human rights activists are interested in invitations to conferences. For greater verisimilitude, the attacker should have included an offer to pay for flights and hotels.\r\nBoth attachments are the same:\r\n351813270729b78fb2fe33be9c57fcd6f3828576171c7f404ed53af77cd91206 Invitation.hta\r\n351813270729b78fb2fe33be9c57fcd6f3828576171c7f404ed53af77cd91206 Location.hta\r\nThe detection rate for this malware is very low: using VirusTotal, we see only one anti-virus vendor out of a possible 47 detecting this as of 19 January 2014.\r\nhttps://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal\r\nPage 1 of 4\n\nThe same malware was also sent to an Associated Press reporter, masquerading as a Human Rights Watch paper.\r\nIn this attack, clicking the link in the email takes the user to the malicious HTML application (.hta) file.\r\nThe file meta-data reveals the following information:\r\nInvitation.hta: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Mon Nov 19 05:02:00 2012, Last Saved Time/Date: Mon Nov 19 05:02:00 2012, Number of Pages: 3, Number of Words: 395, Number of Characters: 2258, Security: 0\r\nThis HTML application contains an encoded executable and also contains a Microsoft Word document named “baviet.doc”:\r\nWhen the recipient runs the attachment it drops the following files:\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\baiviet.doc\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\xftygv.exe\r\nWhen \"baviet.doc\" is displayed and \"xftygv.exe\" is run, it causes the following files to be installed:\r\nC:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dat\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\1959.tmp\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\19A8.tmp\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\1A65.tmp\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\1D72.tmp\r\nC:\\Users\\admin\\AppData\\Roaming\\HTML Help\\help.dat\r\nC:\\Users\\admin\\AppData\\Roaming\\KuGou7\\status.dat\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Media Player\\PLearnL.DAT\r\nC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Werfault\\WerFault.exe\r\nC:\\Windows\\Performance\\WinSAT\\DataStore\\Formal.Assessment.WinSAT.xml\r\nC:\\Windows\\Performance\\WinSAT\\ShaderCache.vs_3.0\r\nC:\\Windows\\System32\\api-ms-win-core-xstate-l1-1-0.bin\r\nC:\\Windows\\System32\\odbccr64.dll\r\nSeveral registry changes are made to enable the malicious implant to persist after reboot, and the file api-ms-win-core-xstate-l1-1-0.bin is written into the process space of explorer.exe, which then initiates an outbound connection on port 443 to yelp.webhop.org.\r\nAt the time of the report, this domain pointed to 62.75.204.91, which hosted the following domains:\r\ntripadvisor.dyndns.info, neuro.dyndns-at-home.com, foursquare.dyndns.tv, wowwiki.dynalias.net, yelp.webhop.org\r\nThis has been used as a command and control server for other Vietnamese-affiliated malware:\r\n82f0db740c1a08c9d63c3bb13ddaf72c5183e9a141d3fbd1ffb9446ce5467113 bai viet.hta\r\n9c07d491e4ddcba98c79556c4cf31d9205a5f55445c1c2da563e80940d949356 Unhotien.doc\r\nExamining this malware reveals a relationship to earlier campaigns targeting Vietnamese activists.\r\nTargeting of Vietnamese Bloggers\r\nIn February of 2013, a Vietnamese blogger and mathematics professor received the following email:\r\nLike the malware targeting the EFF and the Associated Press, the attachment was an HTML Application. In this case, the attachment was compressed with 7zip.\r\n2fa7ad4736e2bb1d50cbaec625c776cdb6fce0b8eb66035df32764d5a2a18013 Thu moi.7z\r\nextracted:\r\ndd100552f256426ce116c0b1155bcf45902d260d12ae080782cdc7b8f824f6e1 Thu moi.hta\r\nThe file meta-data reveals the following information:\r\nThu moi.hta: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: pluto, Template: Normal, Last Saved By: pluto, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Thu Mar 1 05:02:00 2012, Last Saved Time/Date: Thu Jan 24 09:28:00 2013, Number of Pages: 3, Number of Words: 277, Number of Characters: 1584, Security: 0\r\nAs with the EFF and AP attacks, the HTML application contains an encoded executable (“zzpauvooos.exe”) and a document (“Doc loi.doc”).\r\nRunning “Thu moi.hta” displays “Doc loi.doc” and also drops the following files:\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\Doc loi.doc\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\zzpauvooos.exe\r\nWhen \"zzpauvooos.exe\" is run, it drops the following file:\r\nC:\\Users\\admin\\AppData\\Local\\Temp\\C947.tmp\r\nAnd then the following command is run:\r\n\"C:\\Users\\admin\\AppData\\Local\\Temp\\C947.tmp\" --helpC:\\Users\\admin\\AppData\\Local\\Temp\\zzpauvooos.exe\r\nD1DF15E4D714BFDB764ECF92AE709D14BCA3E0E6C759CF7C675BE26D0296A63C3B147110AC79543CC31527651D66787152102A66C3371\r\nThen the following files are dropped onto the system and the original executable is deleted:\r\nC:\\Users\\admin\\AppData\\Roaming\\Common Files\\defrag.exe\r\nC:\\Users\\admin\\AppData\\Roaming\\Identities\\{116380ff-9f6a-4a90-9319-89ee4f513542}\\disk1.img\r\nC:\\Windows\\Tasks\\ScheduledDefrag.job\r\nC:\\Windows\\Tasks\\ScheduledDefrag_admin.job\r\nValues are inserted into the Windows registry for persistence, and the main implant, disk1.img, contacts the remote command and control domain, static.jg7.org, on port 443/tcp.\r\nA prominent Vietnamese pro-democracy blogger living in California was successfully targeted by this attack, which led to the compromise of her blog and the invasion of her private life.\r\nThe group behind these attacks appears to have been operating since late 2009, and has been very active in the targeting of Vietnamese dissidents, people writing on Vietnam, and the Vietnamese diaspora. This appears to be the work of a group commonly known as “Sinh Tử Lệnh”, and while it has been anecdotally claimed to be the work of Chinese actors, it seems more likely to be the work of Vietnamese targeting Vietnamese.\r\nEFF is greatly disturbed to see targeted malware campaigns hitting so close to home. While it is clear that this group has been targeting members of the Vietnamese diaspora for some time, these campaigns indicate that journalists and US activists are also under attack. And while longtime activists and journalists might expect to be targeted by a state they regularly criticize, it appears that a single blog post is enough to make you a target for Vietnamese spying.\r\nSource: https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal"
	],
	"report_names": [
		"vietnamese-malware-gets-personal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bcee3db2cad1e80e97b6174f744f913b66b72f5.pdf",
		"text": "https://archive.orkl.eu/8bcee3db2cad1e80e97b6174f744f913b66b72f5.txt",
		"img": "https://archive.orkl.eu/8bcee3db2cad1e80e97b6174f744f913b66b72f5.jpg"
	}
}