Operation Capsule Vault: RokRAT Attack Chain Analysis Using EMBED_PAYLOAD_v2

2026-07-12 Genians

https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_capsule_vault

Thumbnail for Operation Capsule Vault: RokRAT Attack Chain Analysis Using EMBED_PAYLOAD_v2

APT37 likely used spearphishing emails impersonating a real academic conference to deliver an ISO containing a PDF-disguised PIF loader. The EMBED_PAYLOAD_v2 loader displayed a legitimate decoy document while decoding shellcode and injecting an x64 RokRAT variant into explorer.exe. RokRAT collected host and document data, executed commands, captured screens, and used pCloud, Dropbox, and Yandex for resilient cloud-based command and control. Reused Yandex credentials, infrastructure, implementation details, and strong code similarity to Operation Artemis support the APT37 attribution.

Indicators of Compromise

Type Value First Seen Last Seen
EMAIL [email protected] 2026-07-12 2026-07-12
IPv4 160.238.37.100 2026-07-12 2026-07-12
IPv4 160.238.37.95 2026-07-12 2026-07-12
IPv4 89.147.101.197 2026-07-12 2026-07-12
IPv4 5.180.208.60 2026-07-12 2026-07-12
IPv4 5.180.208.57 2026-07-12 2026-07-12
HASH e5c9bb3938f2a24e755ee39073fc3aca 2026-07-12 2026-07-12
IPv4 89.187.161.220 2025-05-30 2026-07-12

Related Actors

Related Reports

« Back