LOTUSHARVEST
LOTUSHARVEST is an information-stealing malware family observed in Operation Hanoi Thief, a spear-phishing campaign targeting Vietnamese IT departments and HR/recruitment professionals. The malware is delivered through phishing emails carrying ZIP attachments that contain a malicious LNK shortcut and a pseudo-polyglot file disguised as a resume. The LNK abuses the LOLBIN ftp.exe to execute the pseudo-polyglot payload, which displays a decoy document, extracts a base64-encoded DLL, and ultimately deploys LOTUSHARVEST as a C++ DLL implant via DLL sideloading using ctfmon.exe. Reporting places the DLL in C:\ProgramData, from where ctfmon.exe sideloads it.
LOTUSHARVEST steals browser data from Chrome and Edge, including stored credentials and browsing history; reporting states it can collect up to 5 stored credentials and up to 20 recent URLs. It uses anti-analysis checks for virtual environments and debuggers, and exfiltrates stolen data via HTTPS POST requests using the WinINet API. Reported attacker-controlled infrastructure used for exfiltration includes eol4hkm8mfoeevs.m.pipedream.net and uuhlswlx.requestrepo.com, with the campaign also using randomly generated subdomains.
The campaign was first observed on November 3, 2025. Attribution in the reporting suggests a Chinese-origin threat actor based on TTP overlaps with earlier Vietnam-focused activity, but state sponsorship was not confirmed. SEQRITE detections cited for this malware/campaign include Trojan.50086.SL and Trojan.A18678918. Observed ATT&CK behaviors include spearphishing attachment delivery, DLL side-loading, credential theft from password stores, masquerading, signed binary proxy execution, and deobfuscation.
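As an added defender-side example (not code from the original page, from SEQRITE, or from any other reporting source), the following Python script runs three hunting heuristics derived from the delivery chain described above over constructed, simplified telemetry lines: ftp.exe launched with a script file, ctfmon.exe loading a module from C:\ProgramData, and DNS lookups for the reported exfiltration services. The log format, the sample lines, the placeholder DLL name, and the assumption that the LNK invokes ftp.exe with its -s: script switch are all mine; the page does not state the exact command line, only that ftp.exe is abused as a LOLBIN.

```python
"""Hunting heuristics for the LOTUSHARVEST delivery chain.

Added example, not part of the original page or any vendor's detection content.
The log format is a constructed, simplified process/image-load/DNS event record;
map the fields to your own telemetry (e.g. Sysmon Event ID 1, 7 and 22) before use.
"""
import re
from dataclasses import dataclass

# Exfiltration services named in the reporting. The campaign also used randomly
# generated subdomains, so the check matches the parent domain, not exact hosts.
REPORTED_EXFIL_DOMAINS = ("pipedream.net", "requestrepo.com")


@dataclass
class Event:
    kind: str          # "process", "imageload" or "dns"
    process: str       # image path of the acting process (lower-cased)
    cmdline: str = ""  # process: full command line
    loaded: str = ""   # imageload: path of the loaded module (lower-cased)
    query: str = ""    # dns: queried name (lower-cased)


def parse_line(line: str) -> Event:
    """Parse one constructed key="value" event line into an Event."""
    fields = dict(m.groups() for m in re.finditer(r'(\w+)="([^"]*)"', line))
    return Event(
        kind=fields.get("kind", ""),
        process=fields.get("process", "").lower(),
        cmdline=fields.get("cmdline", ""),
        loaded=fields.get("loaded", "").lower(),
        query=fields.get("query", "").lower(),
    )


def check_event(ev: Event) -> list:
    """Return the names of the heuristics this event triggers (empty if none)."""
    hits = []
    # 1. ftp.exe driven by a script file. The -s:<file> switch is a real ftp.exe
    #    option; that the LNK uses it is an assumption, as the page gives no
    #    command line. Interactive ftp.exe use without a script is not flagged.
    if ev.kind == "process" and ev.process.endswith("ftp.exe") \
            and re.search(r"(?i)-s:", ev.cmdline):
        hits.append("ftp_lolbin_script")
    # 2. ctfmon.exe loading a module from C:\ProgramData. Its legitimate
    #    dependencies live under the Windows directory, so this is the
    #    sideloading pattern the reporting describes.
    if ev.kind == "imageload" and ev.process.endswith("ctfmon.exe") \
            and ev.loaded.startswith("c:\\programdata\\"):
        hits.append("ctfmon_sideload_programdata")
    # 3. DNS lookups for the request-capture services used for exfiltration.
    if ev.kind == "dns" and any(ev.query == d or ev.query.endswith("." + d)
                                for d in REPORTED_EXFIL_DOMAINS):
        hits.append("exfil_domain_lookup")
    return hits


def hunt(lines):
    """Run every heuristic over an iterable of log lines.

    Returns a list of (1-based line number, [heuristic names]) for lines that hit.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        hits = check_event(parse_line(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry (not real captured logs). "sideloaded.dll" is a
# placeholder: the page does not name the DLL dropped into C:\ProgramData.
SAMPLE_LOG = [
    'kind="process" process="C:\\Windows\\System32\\ftp.exe" '
    'cmdline="ftp.exe -s:C:\\Users\\u\\AppData\\Local\\Temp\\resume.pdf"',
    'kind="process" process="C:\\Windows\\System32\\ftp.exe" '
    'cmdline="ftp.exe files.example.internal"',
    'kind="imageload" process="C:\\Windows\\System32\\ctfmon.exe" '
    'loaded="C:\\ProgramData\\sideloaded.dll"',
    'kind="imageload" process="C:\\Windows\\System32\\ctfmon.exe" '
    'loaded="C:\\Windows\\System32\\msctf.dll"',
    'kind="dns" process="C:\\Windows\\System32\\ctfmon.exe" '
    'query="abc123.m.pipedream.net"',
    'kind="dns" process="C:\\Program Files\\Browser\\browser.exe" '
    'query="www.example.com"',
]

if __name__ == "__main__":
    for line_no, hits in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

On the constructed sample, lines 1, 3 and 5 trigger one heuristic each; the benign ftp.exe session, the ctfmon.exe load from System32 and the ordinary browser lookup do not. The DNS check deliberately keys on the parent domains rather than the two reported hostnames because the reporting notes randomly generated subdomains; the trade-off is that legitimate developer use of these request-capture services will also surface and needs triage.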
Recent activity
4 sources tracked across advisories, community write-ups, and news.
LOTUSHARVEST is a stealer malware that harvests data from web browsers such as Google Chrome and Microsoft Edge, delivered via phishing emails with malicious ZIP attachments.
LOTUSHARVEST is a stealer malware that harvests data from web browsers such as Google Chrome and Microsoft Edge. It is delivered via phishing emails containing ZIP files with malicious LNK files.
A stealer malware referred to as LOTUSHARVEST, deployed via DLL sideloading in the described campaign.
LOTUSHARVEST is a C++ DLL implant functioning as an information stealer. It is delivered via a spear-phishing campaign using fake resumes and shortcut files, abuses Windows LOLBINs and DLL sideloading for execution, and focuses on harvesting browser credentials and history from Google Chrome and Microsoft Edge. The stolen data is exfiltrated to attacker-controlled infrastructure over HTTPS.