A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a “phishing relay” to distribute phishing emails aimed at compromising Facebook accounts.
The activity has been codenamed Khata Dumplings by Guardio, with the stolen accounts then sold back through an illegal storefront run by the threat actors. In total, it is estimated that around 30,000 Facebook accounts have been hacked as part of the campaign.
“What we found was not a single phishing kit,” security researcher Shaked Chen wrote in a report shared with The Hacker News. “It was a vibrant operation with real-time operator panels, advanced theft, constant development, and a criminal-commercial loop that quietly feeds on the very accounts it helps steal back.”
These findings are the latest example of how Vietnamese threat actors continue to employ various tactics to gain unauthorized access to victims’ Facebook accounts, which are then sold on the underground ecosystem for monetary gain.
The starting point of the latest attacks is a phishing email targeting Facebook business account owners that claims to be from Meta Support and urges them to submit an appeal or risk having their account permanently deleted. The emails are sent from a Google AppSheet address (“noreply@appsheet.com”), allowing them to bypass spam filters.
This false sense of urgency is used to direct users to a fake web page designed to capture their credentials. It is worth noting that a similar campaign was reported by KnowBe4 in May 2025.
Over the past few weeks, these campaigns have adopted a variety of lures designed to create “Meta-related panic.” These range from account disablement and copyright complaints to verification reviews, executive recruiting, and Facebook login alerts. The four main clusters identified by Guardio are listed below:
- Fake Facebook Help Center pages hosted on Netlify, which enable account takeover attacks in addition to collecting dates of birth, phone numbers, and government-issued ID photos. The data is ultimately sent to an attacker-controlled Telegram channel.
- Blue badge evaluation lures that take victims to “Security Checkup” or “Meta | Privacy Center” pages hosted on Vercel. These are gated by a fake CAPTCHA check before directing users to a phishing landing page that collects contact details, business information, credentials (after a forced retry), and two-factor authentication (2FA) codes, and transfers them to a Telegram channel.
- PDFs hosted on Google Drive, presented as instructions for completing account verification, which lead to the collection of passwords, 2FA codes, government ID photos, and browser screenshots captured via html2canvas. The PDF documents are created using a free Canva account.
- Fake job offers that impersonate companies such as WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build relationships with recipients and ask them to join calls or continue discussions on attacker-controlled sites.
Cumulatively, records of about 30,000 victims have been found in Telegram channels associated with the first three clusters. The majority of the victims are located in the US, Italy, Canada, Philippines, India, Spain, Australia, UK, Brazil, and Mexico, and have been locked out of their accounts.
As for who is behind the operation, the smoking-gun evidence comes from the PDFs generated as part of the third cluster using a free Canva account, whose metadata lists the Vietnamese name “PHẠM TÀI TÂN” as the author of the files. Additionally, open-source intelligence led to the discovery of a website (“Famtatan[.]vn”), where they provide digital marketing services.
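A mail-triage heuristic for the delivery pattern described above (AppSheet relay sender, Meta-themed urgency lure, link to one of the named hosting platforms), as an added example that is not from Guardio's report or the original article. The hosting domains, keyword list, threshold, and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

RELAY_SENDER = "noreply@appsheet.com"   # sender address named in the article
# Assumption: default domains of the hosting platforms the article names.
HOSTING = ("netlify.app", "vercel.app", "drive.google.com")
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
# Assumed keywords for the lure themes the article lists.
LURE = re.compile(r"appeal|permanently deleted|disabled|copyright|"
                  r"verification|blue badge|login alert", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'<>:]+)", re.I)

def body_text(msg):
    """Concatenate the text parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_maintype() == "text")

def indicators(raw):
    """Return the campaign traits present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = body_text(msg)
    text = " ".join((display, msg.get("Subject", ""), body))
    hosts = {h.lower() for h in URL_HOST.findall(body)}
    found = []
    if addr.lower() == RELAY_SENDER:
        found.append("appsheet_relay")
    if BRAND.search(text):
        found.append("meta_brand")
    if LURE.search(text):
        found.append("urgency_lure")
    if any(h == d or h.endswith("." + d) for h in hosts for d in HOSTING):
        found.append("free_hosting_link")
    return found

def is_suspect(raw):
    """Flag: AppSheet relay + Meta branding + at least one further trait."""
    f = indicators(raw)
    return {"appsheet_relay", "meta_brand"} <= set(f) and len(f) >= 3

# Constructed sample messages (not taken from the campaign).
PHISH = ("From: Meta Support <noreply@appsheet.com>\n"
         "Subject: Submit an appeal or your page will be permanently deleted\n\n"
         "Review your case: https://constructed-example.netlify.app/appeal\n")
BENIGN = ("From: AppSheet <noreply@appsheet.com>\n"
          "Subject: Your app Inventory was updated\n\n"
          "Open it at https://www.appsheet.com/start/constructed\n")
```

Because the relay address is a legitimate notification sender, the heuristic requires brand and lure or hosting traits on top of it, so ordinary AppSheet notifications such as `BENIGN` are not flagged.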
In a post shared on
“Taken together, they create a coherent picture of a large, Vietnamese-based, mega operation,” Chen said. “This campaign is bigger than a single AppSheet abuse. It’s a window into the dark market surrounding stolen Facebook assets, where reach, business identity, advertising reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep coming across: trusted platforms being reused as delivery, hosting, and monetization layers.”