GBHackers

Operation Capsule Vault Uses Malicious ISO Files and Process Injection to Deliver RokRAT


Operation Capsule Vault began with spear-phishing emails sent on June 22, 2026, posing as notices distributing materials from a legitimate academic event.

The lures referenced the “Why Wonsan-Kalma Tourism Now?” conference, held at Seoul COEX on June 12, and incorporated publicly available event details, including its subject matter and host organizations.

By reusing real-world conference information rather than inventing a fictional event, the operators made the messages appear routine and relevant to their intended targets.

Recipients were led to believe that a PDF booklet was attached, but the apparent attachment redirected them to a Dropbox-hosted download.

The downloaded file was an ISO disk image named to resemble seminar materials. Inside the image, victims found what appeared to be a PDF document.

Its real extension, however, was .pif.pif.pif, an executable Program Information File format that modern Windows systems can still execute.

The filename used a double-extension pattern, .pdf.pif.pdf.pif.pdf.pif, relying on Windows’ common default behavior of hiding extensions for known file types.

Once launched, the PIF loader displayed a legitimate PDF decoy containing material associated with the real event.

This allowed the victim to view expected content while malicious operations proceeded in the background, reducing the chance that the execution would be recognized as suspicious.


Attack Flow (Source : Genians).
 Attack Flow (Source : Genians).

Technical analysis found that the executable used an embedded payload structure identified by the EMBED_PAYLOAD_v2 marker. The file carried two payloads: the decoy PDF and a shellcode component saved internally as yanfirst64.bin.

Operation Capsule Vault Uses ISO Files

The loader parsed its own payload table, extracted the objects, opened the benign document, and restored the shellcode directly in memory.

The user clicks the item recognized as an attachment, the user is redirected to Dropbox cloud storage, after which an ISO image file is downloaded.

View Inside the ISO Image File (Source : Genians).

Genians Security Center recently identified spear-phishing activity impersonating the distribution of materials for an academic event. This attack is assessed to be a targeted campaign against individuals working in specific research, policy, and academic fields.

The shellcode used a Call-Pop routine to locate encrypted data dynamically, then decrypted its payload with an XOR key of 0x290x290x29. It subsequently enumerated running processes, located explorer.exe, and injected the recovered payload into the legitimate Windows process.

The injection chain used CreateToolhelp32Snapshot, OpenProcess, VirtualAllocEx, WriteProcessMemory, and RtlCreateUserThread, enabling execution without launching an obvious standalone malware process.

Shellcode XOR Decoding Process (Source : Genians).
 Shellcode XOR Decoding Process (Source : Genians).

The injected payload was identified as an x64x64x64 RokRAT variant. RokRAT collected victim profiling data, including the operating system version, hostname, username, executable metadata, and SMBIOS-derived system identifiers.

It also supported screen capture, process enumeration, logical-drive discovery, file collection, and arbitrary command execution.

The malware used cloud services including pCloud, Dropbox, and Yandex Cloud for command-and-control communications. Researchers identified the hardcoded multipart boundary string --wwjaughalvncjwiajs-- and a Googlebot/2.1 User-Agent, both previously associated with RokRAT activity.

It also contained Yandex OAuth tokens connected to infrastructure observed in Genians’ earlier Operation Artemis analysis.

The overlap in cloud C2 design, token use, malware functionality, code structure, and operational infrastructure supports Genians’ assessment that APT37 likely conducted the campaign.

Organizations should prioritize behavioral detection rather than relying solely on static indicators. EDR and threat-hunting teams should correlate ISO mounting, PIF execution, deceptive PDF filenames, remote memory allocation in explorer.exe, and suspicious cloud-storage API traffic.

IoC (Indicator of Compromise) 

Indicator TypeValueDescription
MD5 Hashe5c9bb3938f2a24e755ee39073fc3acaFile hash
C2 Server5.180.208[.]57Command-and-control IP address
C2 Server5.180.208[.]60Command-and-control IP address
C2 Server89.147.101[.]197Command-and-control IP address
C2 Server89.187.161[.]220Command-and-control IP address
C2 Server160.238.37[.]95Command-and-control IP address
C2 Server160.238.37[.]100Command-and-control IP address

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide



Source link