Operation Capsule Vault: EMBED_PAYLOAD_v2 기반 RokRAT 공격 체인 분석
2026-07-12 • Genians • Operation Capsule Vault: Analysis of a RokRAT Attack Chain Based on EMBED_PAYLOAD_v2 •
https://www.genians.co.kr/blog/threat_intelligence/rokrat_capsule_vault
APT37 likely used spearphishing emails impersonating a real academic conference to deliver an ISO containing a PDF-disguised PIF loader. The EMBED_PAYLOAD_v2 loader displayed a legitimate decoy document while decoding shellcode and injecting an x64 RokRAT variant into explorer.exe. RokRAT collected host and document data, executed commands, captured screens, and used pCloud, Dropbox, and Yandex for resilient cloud-based command and control. Reused Yandex credentials, infrastructure, implementation details, and strong code similarity to Operation Artemis support the APT37 attribution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| [email protected] | 2026-07-12 | 2026-07-12 | |
| IPv4 | 160.238.37.100 | 2026-07-12 | 2026-07-12 |
| IPv4 | 160.238.37.95 | 2026-07-12 | 2026-07-12 |
| IPv4 | 89.147.101.197 | 2026-07-12 | 2026-07-12 |
| IPv4 | 5.180.208.60 | 2026-07-12 | 2026-07-12 |
| IPv4 | 5.180.208.57 | 2026-07-12 | 2026-07-12 |
| HASH | e5c9bb3938f2a24e755ee39073fc3aca | 2026-07-12 | 2026-07-12 |
| IPv4 | 89.187.161.220 | 2025-05-30 | 2026-07-12 |