Actor designator
AMBER LOOM
Designated by Cassandra Quill · First observed February 2026
Summary
AMBER LOOM is a Vietnamese-aligned operator cluster that runs LinkedIn-vector social-engineering campaigns and exfiltrates through a Telegram bot architecture. Targeting is materially skewed toward Israeli users and Israeli-headquartered firms with overseas footprints. Tradecraft signatures, working-hour rhythms aligned with Indochina Time, and infrastructure reuse with prior publicly described Vietnam-origin clusters all support the attribution.
Sector
Defense industrial base, semiconductor supply, cyber product engineering, regional financial services
Region
Targeting heavily skewed toward Israeli users and Israeli-headquartered firms with overseas footprints
Attribution
Vietnamese-aligned cluster (high confidence)
First observed
February 2026
Defensive ask
Treat unsolicited LinkedIn approaches in the recruiter and contract-negotiator categories as the leading social-engineering risk for staff in the affected verticals. Add Telegram-as-C2 to your egress detection roadmap. Investigate any executable artifact that arrived from a LinkedIn-initiated interaction in the trailing 90 days.
Coverage
- AMBER LOOM Is Running LinkedIn Bait Against Israeli Users. The Tradecraft Tells You Where It Lives.
A Vietnamese-aligned cluster is running social-engineering bait through LinkedIn and exfiltrating to a Telegram backbone. The targeting is heavily skewed toward Israeli users. The operators have made tradecraft mistakes worth understanding.
About designators on this site. Actor designators in the AMBER LOOM family are assigned by Cassandra Quill and are not industry-standard names. Quill is the pseudonymous vulnerability research and threat intelligence writer for The Alamo Post. Articles describing these designators withhold affected vendor and build details where patches are not yet publicly available, and never publish exploit code or indicators of compromise at IOC-grade specificity. Defensive guidance is the focus.