Operation GriefLure APT Targets Vietnam Military Telecom

By xploitzone
May 9, 2026 10:18 PM

Seqrite Labs uncovered Operation GriefLure, a China-linked APT spear-phishing campaign targeting Viettel Group (Vietnam's military telecom) and St. Luke's Medical Center (Philippines). The campaign used Living-off-the-Land abuse of ftp.exe, DLL sideloading via sfvc.exe and 360.dll, and a modular RAT for credential harvesting, browser data exfiltration and covert cyber espionage in 2026.

An email arrived. A seemingly ordinary email. Attached was a RAR file. Inside were documents that appeared to be 100 percent genuine. Police reports. Internal memos. A signed admission letter handwritten by Viettel Group Deputy Director Hoàng Thị Tuyết Mai.

Any senior executive who opened that file would not have suspected for a second that something could be wrong. It was all absolutely real. But with that single click, a China-linked APT group had taken control of the entire system. 10 seconds. No visible indicator. No alarm.

This was Operation GriefLure. In May 2026 the Seqrite Labs APT team uncovered this campaign. This was not just another phishing attack. It was a highly coordinated cyber espionage operation targeting two countries simultaneously. On one side was Vietnam's largest military-backed telecom giant, Viettel Group, which operates under the Ministry of National Defense. On the other side was the Philippines' prestigious St. Luke's Medical Center (SLMC), Quezon City. Two different countries. Two different sectors. But the same threat actor. Same infrastructure. Same payload.

Infection Chain Overview: Full Attack Flow from Spear Phishing Email to DLL Sideloading
Source: Seqrite Labs Operation GriefLure Technical Advisory (May 2026)

If anything distinguishes this campaign from all others, it is that the attackers did not generate fake documents themselves. They used real legal documents. They harvested documents from a real data breach dispute and used them as weapons. Only a state-sponsored group could have accomplished this level of preparation.

Viettel Spear Phishing LNK Attack

You will be shocked to hear what happened in Vietnam. In Campaign 1 the lure was a file named Ho so.rar. It was a double-compressed RAR archive, meaning another archive within an archive. This nested compression technique is used to confuse endpoint tools. Inside was a malicious Windows LNK shortcut file with a Vietnamese name, HO SO BANG CHUNG GHI NHAN CHUOI HANH VI VI PHAM PHAP LUAT CO HE THONG VA LEO THANG CUA TAP DOAN VIETTEL.lnk, which means "evidence file of Viettel's systematic violations". The name was so convincing that nobody would hesitate for even a second before clicking it.

Inside were 8 genuine legally sensitive documents. These were the documents being used in an ongoing data breach lawsuit between Viettel Group and Vietnamese authorities. Police reports. Internal emails. Corporate admission letters.

And the document that carried the most weight was a formal escalation letter written to the Viettel CEO summarizing the 4-month data breach dispute and warning of legal action. Along with it was a handwritten and signed admission from Viettel's Deputy Director.

Inside "Ho_so.rar" there were 8 genuine PDF files containing legal documents related to the Viettel breach dispute, labeled PL1 to PL8. Source: Seqrite Labs Ho so.rar Archive Analysis

No executive would look at this and say "Maybe it's fake." He would open it immediately.

Real Legal Complaint Document Against Viettel Used as Bait by Attackers. Source: Seqrite Labs Operation GriefLure Decoy Document Analysis

Investigators from the Thanh Hoa Provincial Cyber Crime Police who were actively working on the Viettel case were also targeted. This targeting is something to consider. When even those who investigate cybercrime are targeted, the intelligence level of the threat actor can be gauged.

Campaign 2 in the Philippines had a different approach. Here, the attackers replaced the original documents with a perfectly crafted fake document. The Download.zip file contained a document titled Whistleblowing_Report_SLMC_Fraud_and_Misconduct_2026.pdf.

This was a whistleblower complaint accusing St. Luke's Medical Center of financial fraud of PHP 1.5 million. The document mentioned PhilHealth violations and JCI accreditation risks. For a healthcare administrator, reading this would seem like a genuine emergency. An urgency was created. And that same urgency caused the LNK file to be clicked. This is the true game of social engineering.

LotL ftp.exe DLL Sideloading RAT

Now the technical truth. As soon as that LNK file is clicked, a batch script is executed silently in the background. And this script uses Windows' own built-in tool ftp.exe as a dropper. This is a Living off the Land technique. It means that the attackers did not use any external malicious tool: Windows' own genuine tool became the weapon. Most endpoint detection solutions cannot catch this because ftp.exe is a legitimate Windows binary. No suspicious process. No alert.

Windows Native ftp.exe Abused as LOLBin: Malicious Script Silently Fed While Decoy PDF Opens to Distract Victim. Source: Seqrite Labs LNK File Technical Analysis

Then Stage 3 begins. This is where sfvc.exe and 360.dll come in. sfvc.exe is a custom loader which from the outside looks like a perfectly legitimate binary. But when it executes, it loads 360.dll. 360.dll is a polymorphic multi-stage shellcode loader. This is a DLL sideloading technique, meaning a malicious library is loaded silently through a legitimate-looking executable. Endpoint tools often miss this technique because the parent process looks absolutely genuine.

And the evasion does not end there. The payload was hidden with XOR-based obfuscation. NTFS Alternate Data Streams were used, which hide files in a secondary, hidden stream of the file system that's invisible to normal scans. And what's more, this entire compromise is completed in just 10 seconds. The user sees a real document on the screen with no idea what's happening behind it.
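As an added example (not from the Seqrite advisory or its tooling), the two behaviours described above, a script host feeding ftp.exe a command script and a lookalike executable loading an unsigned DLL from its own user-writable folder, can be checked against Sysmon-style process-creation and image-load events. The events, paths and hostnames below are constructed; the `-s:` option is a real ftp.exe switch for reading commands from a file, but its use by this campaign is an assumption.

```python
import re

# Constructed Sysmon-style events (not real telemetry from the advisory).
# id 1 = process creation, id 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\ftp.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ftp.exe -s:C:\Users\u\AppData\Local\Temp\cmds.txt"},
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Temp\sfvc.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\360.dll", "signed": False},
    # Interactive ftp.exe with no script file: should not be flagged.
    {"id": 1, "image": r"C:\Windows\System32\ftp.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ftp.exe"},
    # Installed app loading a signed system DLL: should not be flagged.
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
SCRIPT_HOSTS = ("\\cmd.exe", "\\wscript.exe", "\\cscript.exe", "\\powershell.exe")

def flag_ftp_lolbin(ev):
    """ftp.exe fed a command script (-s:) by a script host is the dropper pattern."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\ftp.exe"):
        return None
    if re.search(r"(?i)-s:", ev["cmdline"]) and ev["parent"].lower().endswith(SCRIPT_HOSTS):
        return "ftp.exe scripted from " + ev["parent"]
    return None

def flag_sideload(ev):
    """An exe in a user-writable directory loading an unsigned DLL from that same directory."""
    if ev["id"] != 7:
        return None
    exe_dir = ev["image"].rsplit("\\", 1)[0].lower()
    dll_dir = ev["loaded"].rsplit("\\", 1)[0].lower()
    if USER_WRITABLE.match(ev["image"]) and exe_dir == dll_dir and not ev["signed"]:
        return "possible sideload: " + ev["image"] + " loaded " + ev["loaded"]
    return None

def detect(events):
    """Run every rule over every event and return the list of findings."""
    hits = []
    for ev in events:
        for rule in (flag_ftp_lolbin, flag_sideload):
            finding = rule(ev)
            if finding:
                hits.append(finding)
    return hits

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h)
```

Both rules are narrow on purpose: an interactive ftp.exe session or a signed DLL loaded from System32 produces no finding, which keeps the alert volume low enough for analysts to act on.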

RAT Credential Harvest Screenshot

When this RAT is activated in memory, what it does next is eye-opening. The first thing it does is scan the stored login data of Chrome. Cookies. Browser history. Credentials of FTP clients like FileZilla. Passwords of remote access tools like Sunlogin.

In communication apps it specifically targets the data of WeChat. It does not stop at just credentials. It also takes screenshots, with dynamic resolution adjustment. This means it decides for itself at which resolution to capture the screenshots according to network conditions, so that the upload is fast and the quality is also maintained.

It performs process enumeration. It performs system profiling. It exfiltrates directory listings and file metadata. Data is extracted in chunks to avoid bulk transfer detection. And it forcibly terminates the Windows Explorer process and relaunches it in a controlled security context.

This is done for persistence and to reduce visibility. The user cannot see what is happening in the background. Everything is silent. And when explorer.exe restarts the user thinks the system just refreshed something. No doubt.

Batch Script Execution Chain: sfvc.exe Performs DLL Sideloading with 360.dll and Launches SLMC Whistleblowing PDF as Final Decoy. Source: Seqrite Labs Batch File and DLL Sideloading Analysis

Communication with the C2 server occurs via obfuscated HTTP requests. The domain used was whatsappcenter[.]com. This domain was hosted at a bulletproof hosting provider in Hong Kong. Bulletproof hosting providers are those that intentionally ignore takedown requests and law enforcement complaints. Attackers choose these hosting services because it is almost impossible to shut them down through regular channels.

China Linked APT Attribution 2026

Seqrite Labs has linked Operation GriefLure to a China-nexus threat cluster with moderate to high confidence. This attribution is not just a guess; there are multiple technical indicators. The malware specifically targeted WeChat data. The credential harvesting module embedded a detailed list of China-based security software tools, including 360Safe, Qianxin and Sangfor.

The malware was already aware of the China-based AV tools on those machines and how to protect against them. The C2 infrastructure was on bulletproof hosting in Hong Kong. And most importantly specifically targeting Viettel Group made perfect sense geopolitically.

Viettel Group operates under Vietnam's Ministry of National Defense. It is Vietnam's largest telecom provider. There are active territorial disputes and tensions between Vietnam and China in the South China Sea. Data from a military telecom company, including executive communications and internal memos, is priceless intelligence for any nation-state.

And the targeting of St. Luke's Medical Center in the Philippines was not random. Healthcare institutions store medical data of senior government officials and military personnel. A hospital's records could contain the health information of a general or a minister. This data is very valuable in intelligence operations.

What makes Operation GriefLure most alarming is that the threat actor harvested documents from an actual ongoing legal dispute. These documents were lifted from social media or from a previous breach. This level of intelligence gathering shows that months of planning went into this campaign. This was not an overnight attack. They had been tracking Vietnam's legal landscape for a long time. They had been following Viettel's case. And when they saw the perfect window, they struck.

This campaign is a warning the entire Asia Pacific cybersecurity community should heed. Operation GriefLure has proven that state-sponsored threat actors no longer rely solely on zero-day vulnerabilities. They exploit targets' psychology, use real documents and weaponize Windows' own tools. And yet they leave no footprint.

This discovery by Seqrite Labs indicates that cyber espionage in Southeast Asia has reached a qualitatively new level. Any organization in the government, defense, or healthcare sectors could be on the radar of actors like this campaign.

Monitoring ftp.exe for unusual activity, carefully inspecting compressed attachments and deploying behavioral detection are basic steps. But the biggest lesson is that even a genuine-looking document can be a weapon. It's time to teach about authentic-looking content in security awareness training. Operation GriefLure has begun this investigation.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
