Unmasked by a Blunder: Chinese Hackers Exposed in Massive Vietnam Espionage Campaign
Researchers from Ctrl-Alt-Int3l have published a detailed analysis of a large-scale operation targeting Vietnamese universities. Their investigation was made possible thanks to open directories where attackers, through a critical oversight, had left behind a trove of data — including command-and-control server configurations, operator logs, and even source code from compromised systems. This blunder allowed analysts to reconstruct the attack chain in remarkable detail and to observe the adversaries’ methods step by step.
According to the collected evidence, the campaign was carried out by a China-linked threat group that established persistent access in at least 25 universities. Initial compromise was achieved by exploiting web application vulnerabilities, including SQL injection and the deserialization flaw in Telerik UI for ASP.NET AJAX (CVE-2019-18935). Persistence was maintained with Godzilla and ByPassGodzilla web shells deployed on IIS servers, alongside newly created service accounts protected by weak passwords. On compromised hosts the attackers installed both Cobalt Strike and VShell, giving them redundant command channels and several modes of remote control.
Particularly revealing were the .bash_history files, which preserved the operators' shell commands: installing Chinese language packs, generating certificates, launching Cobalt Strike and Fast Reverse Proxy (FRP) servers, and deploying Metasploit. Investigators were able to rebuild a Cobalt Strike team server in a controlled environment, gaining access to complete victim lists, IP addresses, and activity logs. A total of 63 workstations with active beacons were identified, and the very first test beacon had checked in from a Chinese IP address, further corroborating the campaign's origin.
For lateral movement, the attackers combined built-in Windows utilities (net, nltest, schtasks) with Chinese-developed open-source red-team tools such as fscan. Logs revealed the use of local privilege escalation exploits, including CVE-2024-30088, CVE-2023-28252, and CVE-2020-0796, alongside tools such as AppxPotato, GodPotato, and JuicyPotato. They also tampered with system settings to evade defenses: disabling logon auditing, changing the RDP listening port, adding Microsoft Defender exclusions, terminating the processes of the locally popular Bkav antivirus, and wiping event logs.
Tunneling techniques played a central role in maintaining access. The group employed FRP and third-party clients to forward RDP connections through external servers on non-standard ports. Custom PowerShell scripts were discovered redirecting TCP sessions. Their command-and-control infrastructure was disguised behind domains crafted to mimic legitimate ones — such as micrcs.microsoft-defend[.]club and microsoft-symantec[.]art — shielded by Cloudflare.
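The defense-tampering and tunneling activity described in the two paragraphs above leaves process-creation records (Sysmon Event ID 1, Security Event ID 4688) that can be matched with a handful of rules. The following is an added example, not code from the Ctrl-Alt-Int3l report, that runs such rules over constructed sample events; host names, user names, command lines and the Bkav process name are hypothetical. The useful signal is the correlation step: a single Defender exclusion may be admin noise, but auditing disabled, logs wiped and an AV process killed on the same host is the layered pattern the report describes.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical hosts, users and
# command lines; not taken from the report). Fields mimic what a SIEM holds
# for Sysmon Event ID 1 / Security Event ID 4688.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "svc_backup",
     "cmd": r'auditpol /set /subcategory:"Logon" /success:disable /failure:disable'},
    {"host": "web01", "user": "svc_backup",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3390 /f'},
    {"host": "web01", "user": "svc_backup",
     "cmd": r'powershell -c "Set-MpPreference -ExclusionPath C:\inetpub\wwwroot"'},
    {"host": "web01", "user": "svc_backup", "cmd": r'taskkill /F /IM BkavService.exe'},
    {"host": "web01", "user": "svc_backup", "cmd": r'wevtutil cl Security'},
    {"host": "web01", "user": "svc_backup", "cmd": r'C:\Windows\Temp\frpc.exe -c frpc.ini'},
    {"host": "web01", "user": "svc_backup", "cmd": r'fscan64.exe -h 10.10.0.0/16 -np'},
    {"host": "app02", "user": "helpdesk", "cmd": r'net user'},
    {"host": "app02", "user": "helpdesk", "cmd": r'notepad.exe C:\notes.txt'},
]

# (rule name, severity, pattern over the command line)
RULES = [
    ("audit_policy_disabled", "high",
     re.compile(r"auditpol.*/(success|failure):disable", re.I)),
    ("rdp_port_changed", "high",
     re.compile(r"Terminal Server\\WinStations\\RDP-Tcp.*PortNumber", re.I)),
    ("defender_exclusion_added", "high",
     re.compile(r"Set-MpPreference.*-Exclusion(Path|Process|Extension)", re.I)),
    ("bkav_process_killed", "high", re.compile(r"taskkill.*bkav", re.I)),
    ("event_log_cleared", "high", re.compile(r"wevtutil\s+(cl|clear-log)\b", re.I)),
    ("frp_client_executed", "medium", re.compile(r"\bfrpc?(\.exe)?\b", re.I)),
    ("fscan_executed", "medium", re.compile(r"\bfscan\w*(\.exe)?\b", re.I)),
    # Built-in discovery tools are noisy on their own; keep them low severity
    # so they only add context to hosts already flagged by the rules above.
    ("builtin_discovery", "low", re.compile(r"^(net|nltest|schtasks)(\.exe)?\s", re.I)),
]


def scan_events(events):
    """Return one alert per (event, matching rule)."""
    alerts = []
    for ev in events:
        for name, severity, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "severity": severity, "cmd": ev["cmd"]})
    return alerts


def summarize(alerts):
    """Per-host alert counts by severity, e.g. {'web01': {'high': 5, 'medium': 2}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        summary[a["host"]][a["severity"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def hosts_with_layered_tampering(alerts, min_high=2):
    """Hosts on which at least `min_high` DISTINCT high-severity rules fired.
    Counting distinct rules rather than raw alerts is what separates an admin
    who adds one exclusion from an operator dismantling logging and AV together."""
    rules_per_host = defaultdict(set)
    for a in alerts:
        if a["severity"] == "high":
            rules_per_host[a["host"]].add(a["rule"])
    return {host for host, rules in rules_per_host.items() if len(rules) >= min_high}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["severity"]:6} {a["host"]:6} {a["rule"]:26} {a["cmd"]}')
    print("summary:", summarize(found))
    print("layered tampering on:", sorted(hosts_with_layered_tampering(found)))
```

The regexes are deliberately narrow (the exact Terminal Server registry path, the `-Exclusion*` parameters of Set-MpPreference, `wevtutil cl`) so that they are cheap to run over a full 4688/Sysmon feed; broaden them only after measuring the false-positive rate in your own environment.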
Notably, VShell was leveraged to deploy the SNOWLIGHT loader across both Windows and Linux environments. Previously documented by Google and EclecticIQ, SNOWLIGHT enables multi-stage payload delivery and communicates through XOR-encrypted traffic. Combined with web shells and plugins such as mimikatz, fscan, and gost, it provided deep entrenchment within university infrastructures.
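The report notes only that SNOWLIGHT's traffic is XOR-encrypted; it does not give the key or the message format. The following is an added example of how an analyst typically recovers a single-byte XOR key from a captured message when a field name in the plaintext can be guessed (a "crib"). The message layout (`host=...;user=...;cmd=...`), the key byte 0x5A and the crib `cmd=` are all constructed for illustration and are not SNOWLIGHT's actual scheme.

```python
# Constructed example: a hypothetical check-in message and key, NOT SNOWLIGHT's
# real format or key (the report only states that its traffic is XOR-encoded).
PLAINTEXT = b"host=web01;user=svc_backup;cmd=whoami /all"
KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte (encryption and decryption are the same)."""
    return bytes(b ^ key for b in data)


# What a sensor would see on the wire in this constructed scenario.
CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)


def recover_single_byte_keys(ciphertext: bytes, crib: bytes) -> list:
    """Return every key byte under which the decrypted data contains `crib`.

    A one-byte key has only 256 candidates, so exhaustive search is cheap; the
    crib (a field name the analyst expects to appear) is what disambiguates them.
    More than one result means the crib is too short or too common.
    """
    return [k for k in range(256) if crib in xor_bytes(ciphertext, k)]


def parse_checkin(plaintext: bytes) -> dict:
    """Split the (assumed) 'k=v;k=v' layout into a dict of decoded fields."""
    fields = {}
    for item in plaintext.split(b";"):
        key, sep, value = item.partition(b"=")
        if sep:
            fields[key.decode()] = value.decode()
    return fields


def decode_capture(ciphertext: bytes, crib: bytes) -> dict:
    """Recover the key with the crib and parse the message; empty dict if the
    crib does not pin down exactly one key."""
    keys = recover_single_byte_keys(ciphertext, crib)
    if len(keys) != 1:
        return {}
    return parse_checkin(xor_bytes(ciphertext, keys[0]))


if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT.hex())
    print("candidate keys:", [hex(k) for k in recover_single_byte_keys(CIPHERTEXT, b"cmd=")])
    print("decoded:", decode_capture(CIPHERTEXT, b"cmd="))
```

Against real traffic the same loop is the first thing to try before assuming a longer key: if no single byte yields the crib, move to repeating-key analysis, and if a key is found, pivot on it to decode the rest of the session and extract the tasking.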
Attribution rested on several indicators: the use of Chinese red-team tooling such as Tas9er's projects, distinctive commenting styles and configurations, references to Chinese-language forums for tool distribution, and infrastructure linking back to Chinese providers. The tactics and victimology align with those of Earth Lamia, a group previously described by Trend Micro. Unlike smash-and-grab operations, this campaign prioritized long-term persistence and intelligence gathering on Vietnam's scientific and engineering research.
The overall picture reveals an operation meticulously engineered for resilience: multiple C2 channels, web shells, scheduled tasks, tunneling mechanisms, and shadow user accounts. This layered persistence strategy enabled attackers to maintain control even when partial traces of the intrusion were removed, significantly complicating defenders’ efforts to eradicate them.