Actor designator
EGGCOP
Designated by Cassandra Quill · First observed October 2025
Summary
EGGCOP is a Vietnamese commercial cybercrime cluster operating an infostealer monetisation pipeline. The cluster takes its name from the operator company, eggcop.com, identified through self-exfiltration of the operators' own administration workstations. Initial access uses double-extension PDF.EXE lures distributed through LinkedIn and other social channels. Payload encoding stacks Base32, bzip2, zlib, and Python bytecode before resolving to a Donut shellcode loader that performs DPAPI credential theft from Chromium, Edge, Firefox, and the Vietnamese-localised CocCoc browser. Exfiltration is one-way Telegram sendDocument traffic. Stolen credentials, cookies, autofill data, and Facebook business-account sessions feed a parallel dropshipping fraud operation run by the same corporate front.
Sector
Consumer browsers, dropshipping merchant accounts, regional banking, social ad-account operators, cryptocurrency wallets
Region
Global, with material targeting skew toward Korean, Taiwanese, and Israeli users. 845 victim packages catalogued across 60-plus countries.
Attribution
Vietnamese commercial cybercrime operator (high confidence). Operators self-identified through self-infection of their own administration workstations on an FPT Telecom subscriber range in Ho Chi Minh City. Operator company is eggcop.com, registered 2016, eight named staff mailboxes confirmed.
First observed
October 2025
Defensive ask
Treat unsolicited LinkedIn approaches that arrive with executable attachments as the leading consumer-side initial-access risk. Block double-extension file delivery at email and chat gateways. Add Telegram sendDocument egress monitoring with the published bot token and channel ID as named indicators. For consumer hygiene: never store passwords in the browser, use a hardware-backed password manager, and treat any saved-in-browser credential on a once-infected device as already compromised.
EGGCOP — frequently asked
Defender-facing questions answered from the public record on this designator. Operationally sensitive details — vendor + build of affected products with unshipped patches, proof-of-concept code, IOC-grade indicators on active operator infrastructure — are withheld by editorial policy. See editorial standards.
- Who is EGGCOP?
- EGGCOP is a Vietnamese commercial cybercrime cluster operating an infostealer monetisation pipeline. The cluster takes its name from the operator company, eggcop.com, identified through self-exfiltration of the operators' own administration workstations. Initial access uses double-extension PDF.EXE lures distributed through LinkedIn and other social channels. Payload encoding stacks Base32, bzip2, zlib, and Python bytecode before resolving to a Donut shellcode loader that performs DPAPI credential theft from Chromium, Edge, Firefox, and the Vietnamese-localised CocCoc browser. Exfiltration is one-way Telegram sendDocument traffic. Stolen credentials, cookies, autofill data, and Facebook business-account sessions feed a parallel dropshipping fraud operation run by the same corporate front.
- When was EGGCOP first observed?
- October 2025. The Alamo Post tracks EGGCOP as a distinct actor cluster from that point forward.
- What sectors does EGGCOP target?
- Consumer browsers, dropshipping merchant accounts, regional banking, social ad-account operators, cryptocurrency wallets
- Where does EGGCOP operate or target?
- Global, with material targeting skew toward Korean, Taiwanese, and Israeli users. 845 victim packages catalogued across 60-plus countries.
- What is the attribution for EGGCOP?
- Vietnamese commercial cybercrime operator (high confidence). Operators self-identified through self-infection of their own administration workstations on an FPT Telecom subscriber range in Ho Chi Minh City. Operator company is eggcop.com, registered 2016, eight named staff mailboxes confirmed.
- What is the defensive ask for EGGCOP?
- Treat unsolicited LinkedIn approaches that arrive with executable attachments as the leading consumer-side initial-access risk. Block double-extension file delivery at email and chat gateways. Add Telegram sendDocument egress monitoring with the published bot token and channel ID as named indicators. For consumer hygiene: never store passwords in the browser, use a hardware-backed password manager, and treat any saved-in-browser credential on a once-infected device as already compromised.
- Is EGGCOP an industry-standard name?
- No. EGGCOP is a designator assigned by Cassandra Quill, The Alamo Post's pseudonymous vulnerability research and threat intelligence writer. It is not interchangeable with vendor tracking IDs and is not registered in MITRE ATT&CK or commercial vendor catalogs. Profiles published under this designator describe activity at the sector level and withhold vendor + build information where patches are not yet shipped.
About designators on this site. Actor designators in the EGGCOP family are assigned by Cassandra Quill and are not industry-standard names. Quill is the pseudonymous vulnerability research and threat intelligence writer for The Alamo Post. Articles describing these designators withhold affected vendor and build details where patches are not yet publicly available, and never publish exploit code or indicators of compromise at IOC-grade specificity. Defensive guidance is the focus.