Yet Another Cyberespionage Operation In Vietnam
This presentation examines a cyber-espionage campaign conducted by a Chinese threat actor targeting Vietnamese organizations in early 2024. The attackers deployed a variant of the FinalDraft (SquidDoor) malware via a layered infection chain that leveraged LOLBins and COM-based scheduled tasks to evade detection. Command-and-control (C2) communication was hidden in Outlook drafts, read and written through the Microsoft Graph API.
The malware was heavily obfuscated with junk instructions and nested garbage function calls. To analyze it effectively, we applied symbolic execution with state tracking, enabling the removal of over 30,000 junk instructions and reconstruction of the real execution flow. The final payload included modules for LSASS credential theft, PowerShell execution without powershell.exe, and screen capture.
This talk provides a technical walkthrough of the infection chain, deobfuscation methodology, and post-exploitation modules, highlighting advanced techniques used to maintain persistence and evade defenses.
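One way a defender can hunt for the draft-based C2 channel described above is to look for an application that repeatedly creates and updates items in a mailbox's Drafts folder without ever sending anything. The following Python is an added example, not code from the talk or its author; the audit records are constructed and their field names (`user`, `app`, `op`, `folder`, `time`) are a simplified assumption rather than a real Microsoft 365 audit schema.

```python
"""Heuristic detection of draft-based mailbox C2 over Microsoft Graph.

Constructed, simplified audit records; the field names are an assumption for
this example, not a schema taken from the talk or from Microsoft 365 logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one app that only creates/updates drafts and never
# sends, next to an ordinary mail client that drafts and then sends.
SAMPLE_EVENTS = [
    {"time": "2024-02-01T08:00:05Z", "user": "alice@example.com", "app": "app-1111", "op": "Create", "folder": "Drafts"},
    {"time": "2024-02-01T08:00:40Z", "user": "alice@example.com", "app": "app-1111", "op": "Update", "folder": "Drafts"},
    {"time": "2024-02-01T08:01:10Z", "user": "alice@example.com", "app": "app-1111", "op": "Create", "folder": "Drafts"},
    {"time": "2024-02-01T08:01:55Z", "user": "alice@example.com", "app": "app-1111", "op": "Update", "folder": "Drafts"},
    {"time": "2024-02-01T08:02:30Z", "user": "alice@example.com", "app": "app-1111", "op": "Create", "folder": "Drafts"},
    {"time": "2024-02-01T09:15:00Z", "user": "bob@example.com", "app": "outlook-desktop", "op": "Create", "folder": "Drafts"},
    {"time": "2024-02-01T09:16:00Z", "user": "bob@example.com", "app": "outlook-desktop", "op": "Send", "folder": "Drafts"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_draft_c2_candidates(events, min_draft_ops=4, window=timedelta(minutes=10)):
    """Return (user, app) pairs whose draft activity looks like a C2 channel:
    at least `min_draft_ops` Create/Update operations in the Drafts folder
    within `window`, and no Send at all by the same (user, app) pair."""
    by_key = defaultdict(list)
    sends = set()
    for ev in events:
        key = (ev["user"], ev["app"])
        if ev["op"] == "Send":
            sends.add(key)
        elif ev["op"] in ("Create", "Update") and ev["folder"] == "Drafts":
            by_key[key].append(_parse(ev["time"]))
    hits = []
    for key, times in by_key.items():
        if key in sends:
            continue  # a client that actually sends mail is not a drafts-only channel
        times.sort()
        # sliding window: any run of `min_draft_ops` consecutive events inside `window`?
        for i in range(len(times) - min_draft_ops + 1):
            if times[i + min_draft_ops - 1] - times[i] <= window:
                hits.append(key)
                break
    return hits
```

In practice the thresholds should be tuned per tenant, and the app identifier would be checked against the list of applications expected to hold Mail.ReadWrite permissions.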

Tran Duy Nam – VNPT Cyber Immunity
Tran Duy Nam is a Threat Analyst at VNPT Cyber Immunity, specializing in advanced persistent threat (APT) tracking, malware behavior analysis, and threat intelligence research. With a deep focus on dissecting malware techniques and understanding adversarial tactics, techniques, and procedures (TTPs), he contributes to proactive cyber defense by identifying emerging threats and providing actionable intelligence. His work bridges technical analysis and strategic threat profiling, helping organizations anticipate and mitigate sophisticated cyber attacks. Passionate about cybersecurity, he continuously develops methodologies to enhance threat detection and incident response capabilities.
