During March and early April 2025, two major cyberattack campaigns were recorded:

The Lotus Blossom group launched attacks aimed at stealing browser data, using Chrome Cookie Stealer malware to target government units, telecommunications, and media organizations in Vietnam and neighboring countries. In addition, the group used Sagerunex malware configuration to maintain long-term access, take control of victim computers, and steal browser cookies.

Illustrative image

The Mora_001 group exploited new vulnerabilities (CVE-2024-55591, CVE-2025-24472) in Fortinet products to distribute SuperBlack malware. It aimed to gain administrative rights and target high-value systems such as file servers, domain controllers, and databases. By collecting information about the network system and stealing user accounts, the group then launched lateral movement attacks to other systems, encrypted data, and erased traces of their activities using the WipeBlack tool.

As soon as the warnings were received, the Information Technology and Digital Transformation Center of VSS checked, reviewed, and identified devices, servers, and workstations that were likely to be affected by the above attacks to enhance monitoring; collect attack indicators, and identify malware control servers to block harmful connections and behaviors. In addition, the Center strengthened monitoring and prepared response plans upon detecting signs of exploitation and cyberattacks, and regularly monitored the warnings from competent authorities and major cybersecurity organizations to promptly detect emerging threats of network attacks.