Operation Capsule Vault: RokRAT Attack Chain Analysis Using EMBED_PAYLOAD_v2
2026-07-12 • Genians •
https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_capsule_vault
APT37 likely used spearphishing emails impersonating a real academic conference to deliver an ISO containing a PDF-disguised PIF loader. The EMBED_PAYLOAD_v2 loader displayed a legitimate decoy document while decoding shellcode and injecting an x64 RokRAT variant into explorer.exe. RokRAT collected host and document data, executed commands, captured screens, and used pCloud, Dropbox, and Yandex for resilient cloud-based command and control. Reused Yandex credentials, infrastructure, implementation details, and strong code similarity to Operation Artemis support the APT37 attribution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| [email protected] | 2026-07-12 | 2026-07-12 | |
| IPv4 | 160.238.37.100 | 2026-07-12 | 2026-07-12 |
| IPv4 | 160.238.37.95 | 2026-07-12 | 2026-07-12 |
| IPv4 | 89.147.101.197 | 2026-07-12 | 2026-07-12 |
| IPv4 | 5.180.208.60 | 2026-07-12 | 2026-07-12 |
| IPv4 | 5.180.208.57 | 2026-07-12 | 2026-07-12 |
| HASH | e5c9bb3938f2a24e755ee39073fc3aca | 2026-07-12 | 2026-07-12 |
| IPv4 | 89.187.161.220 | 2025-05-30 | 2026-07-12 |