logo

Operation Capsule Vault Uses Malicious ISO Files and Process Injection to Deliver RokRAT

ID: 162d3a55-0189-5505-b05e-a617f395ea54

STIX ID: report--162d3a55-0189-5505-b05e-a617f395ea54

Feed Name: GBHackers

Threat Score
85/100

Date Published: 2026-07-13

Date Updated: 2026-07-13

Author: Mayura Kathir

...
...

### Executive Summary: Operation Capsule Vault is a targeted spear-phishing campaign attributed to APT37 that used Dropbox-hosted ISO images containing deceptive PDF decoys and double-extension .pif executables to execute shellcode, inject an x64 RokRAT infostealer into explorer.exe, and communicate via cloud services (pCloud, Dropbox, Yandex). The report provides technical analysis of the loader and shellcode, lists IoCs (MD5 hash and multiple C2 IPs), and recommends behavioral detections such as monitoring ISO mounting, PIF execution, remote memory allocation/writes, and suspicious cloud-storage API traffic.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.