The Electronic Frontier Foundation has published details of an attempted malware attack on two of its employees by a group of hackers associated with the Vietnamese government. The hacker group, known as Sinh Tử Lệnh, has targeted Vietnamese dissidents and bloggers in the past; it now appears that the campaign has been extended to attacks on US activists and journalists who publish information seen as critical of the Vietnamese government.

The Vietnamese government has gone after bloggers in its own country before, and as of last year it had jailed 18 independent journalists—bloggers being the only journalists in the country not affiliated with state-run media. And since 2009, the hacker group has taken that campaign beyond Vietnam's borders, targeting members of the Vietnamese diaspora critical of the Hanoi regime.

In December, two staff members of the EFF received e-mails from someone claiming to be from Oxfam International, inviting them to an “Asia Conference.” The e-mail, from a Gmail address for “Andrew Oxfam,” appeared to have been sent to a list and included links to two documents that appeared to be information on the conference shared over Google Drive.

But both links actually pointed to the same HTML application, one that wrote a Microsoft Word document and a Windows executable onto the user's local drive. When either file was opened, the dropped package installed some malware and made changes to the Windows registry. One of the installed files is integrated into the Windows user shell (explorer.exe) and opens an outbound Internet connection (using port 443) to communicate with a command-and-control server.
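The behaviour chain described above, expressed as detection logic in an added example that is not from the EFF write-up: it correlates an HTML-application host writing an executable with a later port-443 connection from explorer.exe on the same machine. The event layout, field names, sample events and 30-minute window are constructed assumptions, as is attributing the file writes to mshta.exe (the standard Windows host process for HTML applications).

```python
from datetime import datetime, timedelta

# Constructed events in a simplified, Sysmon-like shape (hypothetical field names).
EVENTS = [
    {"ts": "2014-01-10T09:00:05", "host": "ws1", "type": "file_create",
     "image": "mshta.exe", "target": r"C:\Users\a\AppData\Local\Temp\conf.doc"},
    {"ts": "2014-01-10T09:00:06", "host": "ws1", "type": "file_create",
     "image": "mshta.exe", "target": r"C:\Users\a\AppData\Local\Temp\conf.exe"},
    {"ts": "2014-01-10T09:02:30", "host": "ws1", "type": "net_connect",
     "image": "explorer.exe", "dest": "203.0.113.7", "port": 443},
    # explorer.exe connecting out with no preceding drop: not flagged.
    {"ts": "2014-01-10T09:05:00", "host": "ws2", "type": "net_connect",
     "image": "explorer.exe", "dest": "198.51.100.9", "port": 443},
    # Drop and connection too far apart for the default window: not flagged.
    {"ts": "2014-01-10T11:00:00", "host": "ws3", "type": "file_create",
     "image": "mshta.exe", "target": r"C:\Temp\x.exe"},
    {"ts": "2014-01-10T13:30:00", "host": "ws3", "type": "net_connect",
     "image": "explorer.exe", "dest": "203.0.113.7", "port": 443},
]

WINDOW = timedelta(minutes=30)          # assumed correlation window
EXEC_EXT = (".exe", ".dll", ".scr")     # file types treated as executable drops

def correlate(events, window=WINDOW):
    """Return (host, dropped_file, dest) tuples where an HTA host process wrote
    an executable and explorer.exe then connected out on 443 within `window`."""
    drops = {}    # host -> [(time, path)] of executables written by mshta.exe
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = ev["image"].lower()
        if (ev["type"] == "file_create" and image == "mshta.exe"
                and ev["target"].lower().endswith(EXEC_EXT)):
            drops.setdefault(ev["host"], []).append((ts, ev["target"]))
        elif (ev["type"] == "net_connect" and image == "explorer.exe"
                and ev["port"] == 443):
            for drop_ts, path in drops.get(ev["host"], []):
                if timedelta(0) <= ts - drop_ts <= window:
                    alerts.append((ev["host"], path, ev["dest"]))
    return alerts

if __name__ == "__main__":
    for host, path, dest in correlate(EVENTS):
        print(f"{host}: {path} dropped by HTA, then explorer.exe -> {dest}:443")
```

Port 443 traffic on its own is too common to alert on; the signal here is the preceding executable drop on the same host.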

The same malware was sent to an AP reporter in November, disguised as a Vietnam human rights white paper. Similar malware has also been used against Vietnamese dissident bloggers, including a prominent Vietnamese pro-democracy blogger in California whose blog login and personal information were exposed. “It appears that a single blog post is enough to make you a target for Vietnamese spying,” EFF Global Policy Analyst Eva Galperin and University of Toronto Citizen Lab security researcher Morgan Marquis-Boire wrote in their post on the attack.