A 2.9 gigabyte archive of Telegram exfiltration traffic recovered from a Vietnamese infostealer operation contains 845 credential-theft packages collected between October 2025 and March 2026. The same archive contains three exfiltration packages submitted from a single FPT Telecom subscriber address in Ho Chi Minh City, each one carrying corporate mailboxes on the domain eggcop.com. The operators infected their own administration workstations and exfiltrated themselves to their own bot. That single operational-security failure converted a one-way collection channel into mutual visibility. This report names the cluster EGGCOP and publishes the attribution.

What is being published, and why

The Alamo Post is publishing attacker infrastructure indicators, operator names tied to a corporate front, and the technical chain that produced 44,165 stolen credential records across 60-plus countries. The Alamo Post is not publishing any victim data, any victim email address, or any victim credential. The 845 victim packages are reduced to one-way SHA-256 digests and exposed only through the k-anonymity victim-check form at the bottom of this article. A user can verify whether their own mailbox appears in the dataset without the server ever seeing their email.

The decision to publish operator attribution while withholding victim data reflects the asymmetry of the situation. Naming the operator burns infrastructure and increases the cost of future operations. Naming the victim does the operator's work for them.

How the channel was obtained

The cluster runs an infostealer with a one-way Telegram exfiltration design. Every infected machine submits a single sendDocument call carrying a zip archive labelled with the victim's country code, IP, and Windows hostname. There is no inbound channel to compromised hosts and no command response path. From a collection standpoint, that means the operators trusted the channel to be invisible on their side as well.

The operators tested their own builds on their own workstations. Three exfiltration packages in the archive carry the hostname ADMIN at IP 118.71.17.157, all submitted from a single Ho Chi Minh City subscriber address on AS18403 FPT Telecom. The archives include 2,490-line credential dumps from those operator workstations, including corporate mailbox sessions, browser autofill records for the operator's own personal Google accounts, and cookies for the corporate Google Workspace tenant.

Researchers who obtained the bot channel did not interact with the operators' command infrastructure. The collection method was passive observation of the exfiltration channel. The attribution was produced by reading the operators' own self-exfiltration packages.

Attribution: the operator company

The corporate front is registered as eggcop.com. NameCheap registration dated 2016-09-04, most recently updated 2025-09-06. WHOIS is protected through Withheld for Privacy ehf, the standard NameCheap privacy reseller based in Iceland. Mail exchange records resolve to Google Workspace (aspmx.l.google.com), indicating the corporate front pays Google for email service.

Eight distinct corporate mailboxes appear across the three operator self-exfiltration packages, each with login session cookies establishing they were active mailboxes at the time of theft:

Operator infrastructure attribution is, on its own, sufficient to brief defenders. The corporate domain, the eight active mailboxes, the Ho Chi Minh City subscriber address, and the FPT Telecom routing are sufficient to populate egress detection lists and to support law-enforcement referral. Individual attribution requires a higher evidentiary bar.

Individual attribution: dai.phan

One mailbox, the dai.phan account on the eggcop.com domain, is supported by four corroborating identifiers in the operator's own browser autofill and password store. The combination links a single named individual to the EGGCOP corporate front with high confidence:

The naming pattern resolves to Phan Van Dai, born 1996, information-technology background, located in Ho Chi Minh City. The corroborating data is the operator's own browser-stored credential set, captured by the operator's own malware running on the operator's own administration workstation, exfiltrated by the operator's own infrastructure. The chain of custody for the attribution is, in evidence terms, unusually clean.

Other names appear in the operator's password-history word lists, including Nguyen Phuong (with a recurring date string 14-12-96) and Ha Dung (with a recurring date string 08-11-02). These appear in operator-controlled artifacts but lack the four-identifier corroboration that supports the dai.phan attribution at the same confidence level.

Business model: stealer-to-dropshipping pipeline

The operator workstations are not pure malware-development boxes. The browser autofill records show sustained operational activity against the following service categories: Shopify and ShopBase storefronts, Dropified product-feed integration, Facebook Business Ads accounts, Hydraproxy residential proxy management, Adroll retargeting, Spreadshirt and Criteo advertising, multiple OnShopBase subdomains (amonisa-store, aussiecloth, az-custom-store, azurewhirl-de, baten-store, bears-printed, and more).

The pattern is the standard Vietnamese-aligned dropshipping fraud operation. The stealer is the supply line for fresh credit cards, Facebook business accounts to run advertising campaigns under stolen identities, and Shopify storefronts. The corporate front operates the stealer and the dropshipping monetisation under one roof. Defenders investigating downstream fraud against their card-issuing or platform-trust functions should expect that the operator's commercial infrastructure is intertwined with the stealer infrastructure rather than separated by the broker hop that is typical in eastern European credstealer markets.

Technical chain

Initial access uses double-extension PDF.EXE lures distributed through LinkedIn and other professional-network channels. Filenames in the recovered samples follow the pattern Document.pdf.exe; because Windows hides known file extensions by default, the .exe suffix is suppressed and the file presents with a PDF icon. Recipients see what they have been trained to read as a PDF.

The first-stage executable carries a multi-layer encoded blob. The encoding stack, in resolution order:

  1. Base32 ASCII. Hundreds of contiguous characters drawn from the Base32 alphabet, designed to be tolerable to text-based scanners and unattractive to entropy-based detection.
  2. bzip2 compression. The Base32 decode yields a bzip2-compressed stream.
  3. zlib compression. Inside the bzip2 stream is a zlib-compressed payload.
  4. Python compiled bytecode. The zlib decode yields a Python 3 .pyc-format compiled module with magic bytes A7 0D 0D 0A or A6 0D 0D 0A.
  5. Donut shellcode. The Python module loads Donut shellcode in memory and invokes it through the CLR runtime, using CLRCreateInstance, ICLRMetaHost, or CorBindToRuntimeEx. The .NET-in-memory technique avoids on-disk artifacts and is the late-stage detection-evasion mechanism.
  6. Credential theft via DPAPI. The shellcode invokes CryptUnprotectData against Chromium, Edge, Firefox, and the Vietnamese-localised CocCoc browser credential stores, plus the Discord token store, the Telegram tdata directory, FileZilla server lists, and the Windows credential manager.
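
The six layers above can be confirmed on a suspect file without running anything in it. The following is an added example, not code from the report or from the cluster: a layer peeler that follows the resolution order the report gives (Base32 text, then bzip2, then zlib, then the .pyc magic bytes) and records how far a sample resolves. The sample it builds for itself is constructed here for demonstration, an inert stub carrying a magic number and filler bytes rather than bytecode; the Base32 run regex mirrors the $b32_header string in the YARA rule further down.

```python
"""Layer-peeling triage for the first-stage encoding stack described above.

Added example, not code from the report or the cluster. It follows the
report's resolution order (Base32 text -> bzip2 -> zlib -> .pyc magic) so an
analyst can confirm a suspect file carries the same stack without executing
anything. The sample built by build_constructed_sample() is constructed here
for demonstration: an inert stub with a .pyc magic number and filler bytes,
not real bytecode.
"""
import base64
import bz2
import re
import zlib

# Magic numbers the report lists for the embedded compiled module
# (.pyc header: two magic bytes followed by CR LF).
PYC_MAGICS = {bytes.fromhex("a70d0d0a"), bytes.fromhex("a60d0d0a")}

# Same shape as the report's YARA string $b32_header: a long run of the
# RFC 4648 Base32 alphabet, plus any '=' padding that follows it.
B32_RUN = re.compile(rb"[A-Z2-7]{100,}=*")


def find_base32_runs(data: bytes) -> list[bytes]:
    """Return every long Base32-looking run in the file, longest first."""
    return sorted(B32_RUN.findall(data), key=len, reverse=True)


def b32_decode_tolerant(run: bytes) -> bytes:
    """Decode a Base32 run, restoring padding a packer may have stripped."""
    body = run.rstrip(b"=")
    return base64.b32decode(body + b"=" * (-len(body) % 8))


def peel_layers(sample: bytes) -> dict:
    """Resolve Base32 -> bzip2 -> zlib and record which layers were present.

    Each layer is only attempted when its header is there (bzip2 streams start
    with b"BZh", zlib streams with CMF byte 0x78), so the function can run over
    arbitrary files in a triage loop. Decode errors are captured, not raised.
    """
    result = {"base32_run_len": 0, "layers": [], "pyc_magic": None, "inner": b""}
    runs = find_base32_runs(sample)
    if not runs:
        return result
    stage = runs[0]
    result["base32_run_len"] = len(stage)
    try:
        stage = b32_decode_tolerant(stage)
        result["layers"].append("base32")
        if stage.startswith(b"BZh"):
            stage = bz2.decompress(stage)
            result["layers"].append("bzip2")
        if stage[:1] == b"\x78":
            stage = zlib.decompress(stage)
            result["layers"].append("zlib")
    except (ValueError, OSError, zlib.error) as exc:
        result["error"] = repr(exc)
        return result
    result["inner"] = stage
    if stage[:4] in PYC_MAGICS:
        result["pyc_magic"] = stage[:4].hex()
    return result


def build_constructed_sample() -> bytes:
    """Constructed test input, wrapped in the reverse of the resolution order.

    The inner blob is a 3.11-style magic number, twelve zero header bytes and
    incompressible filler; it is not executable bytecode.
    """
    inert_stub = bytes.fromhex("a70d0d0a") + b"\x00" * 12 + bytes(range(256))
    wrapped = base64.b32encode(bz2.compress(zlib.compress(inert_stub)))
    return b"some leading text ... " + wrapped + b" ... trailing text"


if __name__ == "__main__":
    report = peel_layers(build_constructed_sample())
    print(report["layers"], report["pyc_magic"], len(report["inner"]))
```

Run over a directory of suspect files, the `layers` list is the fingerprint the report describes: a sample that resolves through all three wrappers to a .pyc magic number belongs to this stack, and a sample that stops early tells you which layer the builder changed.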

The encoding stack is excessive against modern endpoint detection. Most layers add no real anti-analysis benefit. The most coherent reading is that the stack reflects iterative addition by a small team, with each layer added in response to a previous detection event rather than designed against a current threat model. Treat the stack as a fingerprint, not as a defensive challenge.

Exfiltration

The stealer packages the collected data into a zip archive and submits it as a single Telegram sendDocument call to a hard-coded bot token and channel ID. There is no second-stage callback. The exfiltration is one-shot. The zip filename embeds the country code, victim IP, and Windows hostname. Internal directory layout, observable in any recovered archive:

All Passwords.txt        (URL/Username/Password triples)
AutoFills/               (browser-by-profile form data)
Cookies Browser/         (per-browser, per-profile cookie jars)
Detected Domain.txt      (visited-domain inventory)
Facebook Cookies.txt     (high-value cookie subset)
Google Restore Token     (account recovery material)
Screenshot.png           (desktop screenshot at theft moment)
Word List.txt            (recurring strings from autofill and stored passwords)
Applications/            (Telegram tdata, Discord, wallet extensions)
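
Because zip member names are stored in clear text in the local file headers and the central directory, the layout above can be checked without extracting a single byte. The following is an added example, not code from the report: it lists member names through `zipfile`, counts the marker names taken from the IOC list further down, and applies the same "3 of" threshold as the EGGCOP_Stolen_Data_ZIP YARA rule. The two archives it builds are constructed placeholders for demonstration, not recovered victim packages.

```python
"""Triage recovered zip archives against the layout the report describes.

Added example, not code from the report. It reads only the zip directory
(member names, never extracted content) and counts the marker names from the
report's IOC list, using the same "3 of" threshold as the
EGGCOP_Stolen_Data_ZIP YARA rule. The archives built below are constructed
placeholders for demonstration, not recovered victim packages.
"""
import io
import zipfile

# Directory and file markers taken from the report's IOC list.
MARKERS = (
    "All Passwords.txt", "Cookies Browser", "Credit Cards", "AutoFills",
    "FileZilla", "Facebook Cookies", "Google Restore Token", "Detected Domain",
    "Discord",
)
THRESHOLD = 3  # matches the YARA rule's "3 of (...)" condition


def marker_hits(zip_bytes: bytes) -> set[str]:
    """Return the markers present among member names, without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return set()
    # A marker may be a whole filename or the leading directory component.
    return {m for m in MARKERS if any(m in name for name in names)}


def is_candidate_victim_package(zip_bytes: bytes) -> bool:
    """True when the file is a zip and at least THRESHOLD markers appear."""
    return zip_bytes[:4] == b"PK\x03\x04" and len(marker_hits(zip_bytes)) >= THRESHOLD


def _build_zip(members: dict[str, bytes]) -> bytes:
    """Helper for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_constructed_package() -> bytes:
    """Constructed archive mirroring the layout above; every body is a placeholder."""
    placeholder = b"constructed placeholder, not stolen data"
    return _build_zip({
        "All Passwords.txt": placeholder,
        "AutoFills/Chrome/Default.txt": placeholder,
        "Cookies Browser/Edge/Default.txt": placeholder,
        "Detected Domain.txt": placeholder,
        "Facebook Cookies.txt": placeholder,
        "Google Restore Token": placeholder,
        "Screenshot.png": placeholder,
        "Word List.txt": placeholder,
        "Applications/Discord/tokens.txt": placeholder,
    })


def build_constructed_benign_zip() -> bytes:
    """Constructed ordinary archive that should not trip the check."""
    return _build_zip({"report.pdf": b"%PDF-1.4 placeholder", "notes/readme.txt": b"hello"})
```

Reading names only matters for an investigation: the archive can be classified and quarantined without the analyst's workstation ever holding decompressed victim credentials.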

Indicators of compromise

The following indicators are derived from the operator's own infrastructure as captured in the recovered archive. They are published for use in egress detection, SIEM correlation, and threat-intel sharing.

  • Telegram bot token: 7755709066:AAExjVy6cxqr-6wprm2w3gqyAXSL7LfmwEE
  • Telegram channel ID: -1002804802878
  • C2 server IP: 144.172.109.16
  • C2 download paths: /huna, /huna1, /huna2
  • Operator residential IP (FPT Telecom HCMC): 118.71.17.157
  • Operator corporate domain: eggcop.com
  • Stolen-data zip directory markers: All Passwords.txt, Cookies Browser, Credit Cards, AutoFills, FileZilla, Facebook Cookies, Google Restore Token, Detected Domain, Discord
  • Vietnamese-localisation tells: CocCoc browser path strings, huna URL path segment, working-hour rhythm aligned with Indochina Time

YARA detection

rule EGGCOP_Payload_Encoding {
    meta:
        cluster = "EGGCOP"
        internal = "EGGCOP/Noodlophile"
        severity = "critical"
    strings:
        $b32_header = /[A-Z2-7]{100,}/
        $pyc_magic1 = { A7 0D 0D 0A }
        $pyc_magic2 = { A6 0D 0D 0A }
        $tg_bot = /\d{10}:AA[A-Za-z0-9_-]{33}/
        $tg_send = "api.telegram.org/bot"
        $dpapi1 = "CryptUnprotectData"
        $chrome_path = "\\Google\\Chrome\\User Data"
        $edge_path = "\\Microsoft\\Edge\\User Data"
        $coccoc_path = "CocCoc" nocase
        $vn_str1 = "Noodlophile" nocase
        $vn_str2 = "Document.pdf.exe"
        $vn_str3 = "huna"
    condition:
        ($b32_header and ($pyc_magic1 or $pyc_magic2)) or
        ($tg_bot and ($tg_send or $dpapi1)) or
        (2 of ($chrome_path, $edge_path, $coccoc_path, $dpapi1, $tg_send)) or
        any of ($vn_str*)
}

rule EGGCOP_Stolen_Data_ZIP {
    meta:
        cluster = "EGGCOP"
        severity = "high"
    strings:
        $zip = { 50 4B 03 04 }
        $pw_file = "All Passwords.txt"
        $cookie_dir = "Cookies Browser"
        $cc_dir = "Credit Cards"
        $af_dir = "AutoFills"
        $fz_dir = "FileZilla"
        $fb_cookie = "Facebook Cookies"
        $google_token = "Google Restore Token"
        $detected = "Detected Domain"
        $discord = "Discord"
    condition:
        $zip at 0 and 3 of ($pw_file, $cookie_dir, $cc_dir, $af_dir, $fz_dir, $fb_cookie, $google_token, $detected, $discord)
}

rule EGGCOP_C2_Communication {
    meta:
        cluster = "EGGCOP"
        severity = "critical"
    strings:
        $bot_token = "7755709066:AAExjVy6cxqr-6wprm2w3gqyAXSL7LfmwEE"
        $channel_id = "-1002804802878"
        $c2_ip = "144.172.109.16"
        $c2_path1 = "/huna"
        $c2_path2 = "/huna1"
        $c2_path3 = "/huna2"
        $send_doc = "sendDocument"
    condition:
        any of them
}

Snort egress rules

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EGGCOP Telegram C2 Bot Token Detected"; flow:established,to_server; content:"api.telegram.org"; content:"7755709066"; sid:5000001; rev:1; classtype:trojan-activity; priority:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EGGCOP Telegram File Exfiltration (sendDocument)"; flow:established,to_server; content:"api.telegram.org"; content:"sendDocument"; sid:5000002; rev:1; classtype:trojan-activity; priority:1;)
alert ip $HOME_NET any -> 144.172.109.16 any (msg:"EGGCOP C2 Server Connection"; sid:5000003; rev:1; classtype:trojan-activity; priority:1;)
alert http $HOME_NET any -> 144.172.109.16 any (msg:"EGGCOP C2 Payload Download (/huna)"; flow:established,to_server; http_uri; content:"/huna"; sid:5000004; rev:1; classtype:trojan-activity; priority:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EGGCOP Victim Data Exfiltration (ZIP with stolen creds)"; flow:established,to_server; content:"api.telegram.org"; content:"sendDocument"; content:"|50 4B 03 04|"; sid:5000005; rev:1; classtype:trojan-activity; priority:1;)

Victim scope

The archive contains 845 distinct exfiltration packages, indexed by Telegram message id. Each package corresponds to a single victim infection. Across the archive there are 44,165 unique credential records, after normalisation to a canonical lower-case email form and removal of operator self-exfiltration packages. Targeting is global, with material concentration in three countries:

  • Korea: 139 packages
  • Taiwan: 94 packages
  • Israel: 87 packages
  • Japan: 60 packages
  • India: 60 packages
  • Portugal: 51 packages
  • Hungary: 50 packages
  • Italy: 47 packages
  • Brazil: 42 packages
  • Spain, Netherlands, Germany, United States, Peru, Colombia, France, Mexico, Hong Kong, Vietnam, Belgium, Burkina Faso, Argentina, Great Britain: 6 to 26 packages each
  • Forty-plus additional countries with 1 to 5 packages each

The Israeli concentration is approximately eighty-five times Israel's share of global internet users. The targeting is not random selection from a generic spam list. The Korean and Taiwanese concentrations are consistent with the Vietnamese commercial cybercrime norm, where regional language and currency proximity create natural targeting affinity.

Defender guidance

For enterprises with workstation exposure to consumer browser activity (BYOD, contractor laptops, executive personal devices):

  • Block double-extension file delivery (PDF.EXE, DOC.EXE, XLSX.EXE) at email, chat, and web gateways.
  • Add the Telegram bot token, channel id, and C2 IP to egress detection. The bot token is the most reliable single indicator: it appears verbatim in any sendDocument call to this operator.
  • Audit Telegram-as-egress traffic generally. The Bot API is a documented exfiltration channel, and any sendDocument call from a workstation context deserves a second look.
  • Treat any LinkedIn-recruited interaction that resulted in an executable attachment in the trailing six months as a candidate for forensic review.
  • For investigations: the YARA rules above match recovered stolen-data archives, so any zip file on the network matching the EGGCOP_Stolen_Data_ZIP signature is, with very high probability, a victim package from this cluster.
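
The token, channel and C2 indicators above are easy to apply to proxy logs as well as to Snort. One caveat belongs next to the Snort rules: the Telegram Bot API is served only over HTTPS, so the bot token, the sendDocument path and the zip magic bytes are visible to a sensor only behind TLS interception; an uninspected session shows nothing but the hostname, in DNS, in the TLS SNI or in a proxy CONNECT, and that weaker observable still deserves a flag. The following is an added example, not code from the report: it scans a simple constructed proxy-log format (timestamp, client IP, server IP, host, method, path, space-separated; this format is an assumption) for the published indicators and handles the host-only case separately. The log lines are constructed; the client addresses are RFC 1918 and the Telegram front-end address is a TEST-NET placeholder, not a real resolution.

```python
"""Scan proxy logs for the EGGCOP egress indicators listed in this report.

Added example, not code from the report. It applies the bot token, channel
and C2 indicators above to a constructed proxy-log format (one record per
line: timestamp, client IP, server IP, host, method, path). The log lines
below are constructed for demonstration; client IPs are RFC 1918 and the
Telegram front-end IP is a TEST-NET placeholder, not a real resolution.
"""
import re
from dataclasses import dataclass

# Indicators from the report's IOC list.
KNOWN_BOT_TOKEN = "7755709066:AAExjVy6cxqr-6wprm2w3gqyAXSL7LfmwEE"
C2_IP = "144.172.109.16"
C2_PATH_PREFIX = "/huna"
TELEGRAM_API_HOST = "api.telegram.org"

# Same shape as the report's YARA string $tg_bot: any Telegram bot token.
BOT_TOKEN_RE = re.compile(r"\d{10}:AA[A-Za-z0-9_-]{33}")


@dataclass(frozen=True)
class Hit:
    line_no: int
    rule: str
    client: str
    detail: str


def scan_proxy_log(lines) -> list[Hit]:
    """Return one Hit per matched indicator, in log order."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed record; a real pipeline would count these
        _ts, client, server, host, method, path = fields[:6]

        if server == C2_IP:
            rule = "EGGCOP_C2_DOWNLOAD" if path.startswith(C2_PATH_PREFIX) else "EGGCOP_C2_CONNECTION"
            hits.append(Hit(line_no, rule, client, f"{method} {path}"))

        if host == TELEGRAM_API_HOST:
            if method == "CONNECT" or path == "-":
                # TLS not intercepted: only the hostname is visible. Token and
                # sendDocument path cannot be confirmed from this record.
                hits.append(Hit(line_no, "TELEGRAM_API_HOST_ONLY", client, "path not visible"))
                continue
            token = BOT_TOKEN_RE.search(path)
            if token and token.group(0) == KNOWN_BOT_TOKEN:
                hits.append(Hit(line_no, "EGGCOP_BOT_TOKEN", client, "known operator token"))
            elif token:
                # Mask unknown tokens so the hit log does not become a token store.
                hits.append(Hit(line_no, "TELEGRAM_BOT_API", client, f"token {token.group(0)[:10]}:..."))
            if "/sendDocument" in path:
                hits.append(Hit(line_no, "TELEGRAM_SENDDOCUMENT", client, "file upload to Bot API"))
    return hits


# Constructed sample log; not captured traffic.
SAMPLE_LOG = [
    f"2026-02-11T09:14:02Z 10.0.5.23 203.0.113.10 api.telegram.org POST /bot{KNOWN_BOT_TOKEN}/sendDocument",
    "2026-02-11T09:13:40Z 10.0.5.23 144.172.109.16 - GET /huna1",
    "2026-02-11T10:02:17Z 10.0.7.8 203.0.113.10 api.telegram.org CONNECT -",
    "2026-02-11T10:05:00Z 10.0.7.8 203.0.113.20 www.example.com GET /index.html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The host-only rule is deliberately separate from the token rule so that an environment without TLS inspection still gets a lower-confidence alert for any workstation reaching the Bot API, which is the "second look" the guidance above asks for.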

For platform trust and safety teams at advertising networks and e-commerce platforms: stolen Facebook business-account sessions and Shopify or ShopBase merchant accounts are the highest-value monetisation channel for this operator. Account takeover indicators that correlate to Vietnamese routing (FPT Telecom, VNPT, Viettel) should be flagged for review against the IOC set above.

User education: how not to fall victim

The initial-access vector is social, not technical. The user does the work the malware needs:

  1. The double-extension trick. Windows hides known file extensions by default. Document.pdf.exe shows up as Document.pdf with a PDF icon. If you open it, the operating system executes the .exe, not Adobe Reader. Turn off the hide-extensions setting. Treat any file received from a LinkedIn contact you have not previously met as untrusted, regardless of how the file presents itself.
  2. The LinkedIn recruiter pattern. Unsolicited recruiter approaches that pivot quickly to a file attachment, especially a PDF described as a job spec or contract, are the leading social-engineering vector for this cluster. Real recruiters at real firms do not need you to open a PDF in the first five messages.
  3. Browser-stored passwords. The infostealer's first action is to dump every password Chrome, Edge, Firefox, and CocCoc have stored. Move credentials out of the browser and into a dedicated password manager. A password manager requires unlocking before it discloses anything. A browser store discloses everything to anything with code execution on the device.
  4. Autofill data. Browser autofill stores name, address, phone, and credit-card data in the same accessible store as passwords. Disable autofill for payment data at minimum. Better, disable autofill entirely.
  5. Hardware-backed multifactor authentication. A YubiKey or equivalent FIDO2 device does not surrender to a credential-theft event the way an SMS code or an authenticator-app code does. The stolen cookies in this archive include session tokens for accounts the operators could not access only because hardware MFA blocked their use.
  6. After infection: assume everything saved on the device is compromised. Rotate every credential the affected user has typed into the device, not just the obvious ones. Revoke OAuth applications. Sign out all sessions. Watch billing email and recovery numbers for follow-on fraud.

On the cluster name

The Alamo Post designator for this operator is EGGCOP. Vendor-internal trackers have used EGGCOP and Noodlophile for related activity. Where this report cites EGGCOP, the reference is to the operator's own corporate domain, which they registered under that name in 2016 and continue to operate. Where this report cites Noodlophile, the reference is to the publicly documented stealer family that overlaps in tradecraft and code lineage. Treat EGGCOP as both the cluster designator and the corporate front, and Noodlophile as the malware family. The mapping is naming clarification, not novel attribution.

What changed since the original AMBER LOOM brief

An earlier brief on this activity, published under the working designator AMBER LOOM, framed the operator as a Vietnamese-aligned cluster running LinkedIn-vector campaigns against Israeli targets. The current report supersedes that earlier framing on three points. First, the targeting concentration is broader: Korean and Taiwanese victim counts both exceed the Israeli count, even as the Israeli concentration remains disproportionate on a per-capita basis. Second, the operator company is named: eggcop.com, with the corporate roster above. Third, the framing of how the channel was obtained is corrected: the operators were not pursued, they were observed through their own operational-security failures. The corrected designator for the cluster is EGGCOP. The AMBER LOOM designator is retired and should be treated as superseded.

Check your own exposure

The form immediately below this paragraph performs a privacy-preserving check of a single email address against the recovered exfiltration dataset. Your email is hashed with SHA-256 in your browser before any network call. Only the first five hexadecimal characters of the hash leave your device. The server returns the full set of suffixes for that five-character bucket, and your browser performs the final comparison locally. The server never learns which email you checked, and the database contains only one-way digests with no path back to the original address.
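
Both halves of that exchange, as an added example rather than the article's own form or server code: the client hashes the normalised address with SHA-256, sends only the first five hex characters, receives every suffix in that bucket and finishes the comparison locally. `BucketServer` stands in for the real backend and records what it was sent, so the privacy property can be checked directly; the addresses in `build_constructed_dataset()` are constructed placeholders, not victim data. The same check in the browser would use Web Crypto rather than `hashlib`, but the protocol is identical.

```python
"""Both sides of the k-anonymity mailbox check described above.

Added example, not the article's own form or server code. The client hashes
the normalised address with SHA-256, sends only the first five hex
characters, receives every digest suffix in that bucket and compares
locally. BucketServer stands in for the real backend; the addresses in
build_constructed_dataset() are constructed placeholders, not victim data.
"""
import hashlib

PREFIX_LEN = 5  # hex characters that leave the device, per the article
HEX_DIGITS = set("0123456789abcdef")


def canonical(email: str) -> str:
    """Normalise to the lower-case form the report says the dataset uses."""
    return email.strip().lower()


def email_digest(email: str) -> str:
    """One-way SHA-256 hex digest of the canonical address."""
    return hashlib.sha256(canonical(email).encode("utf-8")).hexdigest()


def split_digest(digest: str) -> tuple[str, str]:
    """Prefix that crosses the wire, suffix that stays on the device."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


class BucketServer:
    """Server side: holds digests only, answers prefix queries with suffix sets."""

    def __init__(self, digests):
        self.buckets: dict[str, set[str]] = {}
        for d in digests:
            prefix, suffix = split_digest(d)
            self.buckets.setdefault(prefix, set()).add(suffix)
        self.received = []  # everything the server ever saw from clients

    def lookup(self, prefix: str) -> list[str]:
        """Return all suffixes in the bucket; reject anything longer than a prefix."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be exactly five lower-case hex characters")
        self.received.append(prefix)
        return sorted(self.buckets.get(prefix, set()))


def check_exposure(email: str, server: BucketServer) -> bool:
    """Client side: hash locally, send the prefix, compare the suffix locally."""
    prefix, suffix = split_digest(email_digest(email))
    return suffix in server.lookup(prefix)


def build_constructed_dataset() -> list[str]:
    """Constructed sample digests standing in for the recovered dataset."""
    constructed = ["victim-one@example.com", "Victim-Two@Example.org", "third@example.net"]
    return [email_digest(e) for e in constructed]


if __name__ == "__main__":
    srv = BucketServer(build_constructed_dataset())
    print(check_exposure("victim-one@example.com", srv), srv.received)
```

The server-side length check is the part worth copying: it refuses a full digest even if a modified client sends one, so the only thing the backend can ever log is 20 bits of prefix, never the address or its complete hash.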