Operation Capsule Vault Uses Malicious ISO Files and Process Injection to Deliver RokRAT
ID: 162d3a55-0189-5505-b05e-a617f395ea54
STIX ID: report--162d3a55-0189-5505-b05e-a617f395ea54
Feed Name: GBHackers
### Executive Summary: Operation Capsule Vault is a targeted spear-phishing campaign attributed to APT37 that used Dropbox-hosted ISO images containing deceptive PDF decoys and double-extension .pif executables to execute shellcode, inject an x64 RokRAT infostealer into explorer.exe, and communicate via cloud services (pCloud, Dropbox, Yandex). The report provides technical analysis of the loader and shellcode, lists IoCs (MD5 hash and multiple C2 IPs), and recommends behavioral detections such as monitoring ISO mounting, PIF execution, remote memory allocation/writes, and suspicious cloud-storage API traffic.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
