Opportunistic threat actors using Ramadan coupon as a lure to target retail store customers in Middle East
ID: 592b17c4-076c-5bc6-8c59-ff4fd04dfc78
STIX ID: report--592b17c4-076c-5bc6-8c59-ff4fd04dfc78
Feed Name: CloudSEK Blog
This report provides a technical breakdown of a sophisticated multi-stage Windows malware campaign targeting the Middle East using a fake Ramadan discount document. A hidden VBA macro drops and compiles a C# loader that fetches and compiles a raw MSIL payload executed via rundll32, resulting in a Remote Access Trojan named Ftu4You that communicates with HTTPS C2 and exfiltrates files and screenshots via AWS S3 presigned URLs to bypass network and DLP detection.