A global malware distribution network has been dismantled by authorities in Thanh Hoa, with the ringleader identified as a 12th-grade student. The group is accused of infecting more than 94,000 computers across multiple countries and earning illicit profits worth tens of billions of VND (approximately US$1-2 million).

From a passion for programming

The suspect X. at the police station. Photo: CACC

According to Thanh Hoa Police, in early 2026, through cyber monitoring efforts, the Ministry of Public Security’s cybersecurity forces, in coordination with local police, detected signs of a large-scale malware distribution operation targeting internet users worldwide.

What surprised investigators was that the individual identified as the mastermind - directly responsible for programming and developing the malware - was N.V.X (name changed), a high school senior in Thanh Hoa.

Investigation records show that since 2023, X. had been self-studying programming languages such as Python and C++. Initially driven by curiosity and experimentation, X. gradually delved deeper into operating system structures and data storage, eventually developing code capable of accessing and extracting information from users’ computers.

By 2024, X. had successfully built programs capable of stealing data stored in browsers, including cookies, passwords, and autofill information.

Through the messaging platform Telegram, X. connected with several other individuals, including Le Thanh Cong (Ha Tinh) and Phan Xuan Anh (Nghe An). The collaboration soon evolved into a coordinated effort to develop malware “on demand” for illegal data collection.

Notably, X. directly created malware strains such as “PXA Stealers” and “Adonis”, which could not only harvest sensitive data but also take control of victims’ computers. To enhance effectiveness, the group integrated remote access tools, allowing them to operate infected devices directly.

A global malware distribution scheme

Evidence seized by authorities. Photo: CACC

Within the network, X. took charge of technical development, continuously updating and refining the code to bypass security layers. Other members handled distribution and exploitation of the stolen data. Profits were shared by agreement, with X. receiving a percentage or payment per product.

The group employed sophisticated methods to spread malware. They sent mass emails containing malicious attachments disguised as PDF files or ordinary documents. Once downloaded and opened, the malware would activate and silently install itself on the victim’s system.

In addition, the group collected and traded email lists on underground forums to expand their reach. Most victims were located in Europe, the Americas, and parts of Asia.

Investigators determined that more than 94,000 computers had been infected through the operation. The stolen data primarily involved social media accounts, especially Facebook accounts with advertising capabilities. After gaining control, the group used these accounts to run ads for commercial gain or resold them to third parties.

The total illegal profit generated by the network is estimated at tens of billions of VND (US$1-2 million), making it one of the most significant high-tech crime cases with cross-border impact.

The Security Investigation Agency of Thanh Hoa Police has initiated legal proceedings against 12 suspects on charges related to producing and distributing software for illegal purposes and unauthorized access to computer systems.

The case is continuing to expand as authorities work to clarify the role of each individual involved.

Le Duong