REF2754 is a threat actor that has been linked to malicious activity primarily targeting Vietnamese entities. This group shares tactical similarities with another threat group referred to as REF4322, which is known for deploying a post-exploitation implant called PHOREAL (also known as Rizzo). The overlap in tactics suggests that these two groups may be coordinating their attacks or even operating under the same umbrella organization.
The attacks orchestrated by REF2754 have also shown connections with APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus, all of which are recognized Vietnamese threat groups. This further supports the theory of collaboration or shared operations among these entities. The commonalities between these groups extend beyond just their targets, indicating possible shared resources, strategies, or even leadership.
Given the overlapping methodologies and target selection, there is a growing suspicion within the cybersecurity community that both REF4322 and REF2754 represent campaigns planned and executed by a Vietnamese state-affiliated entity. If this is true, it could signal a significant escalation in state-sponsored cyber threats originating from Vietnam. Further investigation is required to confirm these connections and understand the full extent of the threat posed by these actors.
Description last updated: 2023-10-11T01:15:53.702Z