CYBER HEIST ATTRIBUTION

2016-05-13 BAE Systems

http://baesystemsai.blogspot.kr/2016/05/cyber-heist-attribution.html


BAE Systems traced SWIFT-targeting bank malware to a wider campaign by identifying a unique file wipe-out function shared by the sample tied to the Vietnam bank case and a newly found bot. The analyzed sample installed itself as a Windows service, used a distinctive mutex, recreated its configuration file and an encrypted log file, and attempted encrypted command-and-control communication over port 443. Its wipe-out and file-delete routines overwrote target files with random data, renamed them, and then removed the service, configuration, and log artifacts when instructed to terminate. The byte-for-byte match of the wipe-out function is the technical evidence linking what first appeared to be isolated bank intrusions to a single, broader toolset.
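The attribution step described above rests on finding one function whose bytes are identical across otherwise different binaries. The following is an added illustration of that method and is not BAE Systems' code or tooling: it heuristically carves 32-bit x86 functions (from the standard `push ebp; mov ebp, esp` prologue to the next `ret`), hashes each body, and reports bodies that recur byte-for-byte in two or more samples. The three "samples" and the hand-assembled routines inside them (including the one standing in for the wipe-out function) are constructed for the example and bear no relation to the real hashes or bytes of the malware the report discusses.

```python
from __future__ import annotations

import hashlib
import re

# Heuristic function carving for 32-bit x86: a body starts at the standard
# frame-setup prologue and runs to the next ret byte. This is an approximation
# (0xC3 can also occur inside operands) but is enough to show the method.
PROLOGUE = b"\x55\x8b\xec"   # push ebp; mov ebp, esp
RET = b"\xc3"                # ret


def carve_functions(blob: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, body) pairs for every function carved out of blob."""
    funcs = []
    for match in re.finditer(re.escape(PROLOGUE), blob):
        start = match.start()
        end = blob.find(RET, start)
        if end == -1:
            break
        funcs.append((start, blob[start:end + 1]))
    return funcs


def func_hash(body: bytes) -> str:
    """Identity of a function body: SHA-256 over its exact bytes."""
    return hashlib.sha256(body).hexdigest()


def shared_functions(samples: dict[str, bytes], min_len: int = 8) -> dict[str, dict[str, int]]:
    """Index carved functions across samples and keep those whose bytes match
    exactly in two or more samples. Result shape: {hash: {sample_name: offset}}.
    min_len drops tiny stubs that would collide by chance."""
    index: dict[str, dict[str, int]] = {}
    for name, blob in samples.items():
        for offset, body in carve_functions(blob):
            if len(body) < min_len:
                continue
            index.setdefault(func_hash(body), {})[name] = offset
    return {h: hits for h, hits in index.items() if len(hits) >= 2}


# Constructed sample "binaries" (not real malware bytes): small hand-assembled
# functions separated by int3 padding, arranged so that only WIPE_FUNC appears
# in both bank-related samples and nothing is shared with the unrelated one.
WIPE_FUNC = bytes.fromhex("558bec" "83ec10" "6a00" "e800000000" "8be5" "5d" "c3")
FUNC_A = bytes.fromhex("558bec" "33c0" "40" "8be5" "5d" "c3")
FUNC_B = bytes.fromhex("558bec" "8b4508" "03450c" "5d" "c3")
FUNC_C = bytes.fromhex("558bec" "8b4d08" "8b01" "5d" "c3")
PAD = b"\xcc" * 4

SAMPLES = {
    "sample_swift":     b"MZ" + PAD + WIPE_FUNC + PAD + FUNC_B + PAD,
    "sample_vietnam":   b"MZ" + PAD + FUNC_A + PAD + WIPE_FUNC + PAD,
    "sample_unrelated": b"MZ" + PAD + FUNC_C + PAD,
}


if __name__ == "__main__":
    for h, hits in shared_functions(SAMPLES).items():
        where = ", ".join(f"{name}@0x{off:x}" for name, off in sorted(hits.items()))
        print(f"shared function {h[:16]}... found in {where}")
```

On real samples the carving heuristic would be replaced by a disassembler's function boundaries, and exact hashing would usually be complemented by hashing with relocatable operands masked out, so that a function recompiled at a different address still matches; the exact-bytes comparison shown here is the strongest form of the evidence, which is why a byte-for-byte hit across unrelated intrusions carries weight.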

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  c6eb8e46810f5806d056c4aa34e7b8d…   2016-05-13  2016-05-13
