Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Armored Likho APT deploys BusySnake stealer with AI-generated loaders
July 13, 2026
VEXAIoT Multi-Agent System Automates IoT Reconnaissance and Exploit Execution
July 13, 2026
Home/Threats/RokRAT Malware Targets Researchers With Fake Academic Event Materials
Threats

RokRAT Malware Targets Researchers With Fake Academic Event Materials

Key Takeaways A sophisticated phishing campaign, dubbed “Operation Capsule Vault,” is targeting researchers with fake academic event materials. The campaign delivers a variant of the...

Marcus Rodriguez
Marcus Rodriguez
July 13, 2026 4 Min Read
5 0

Key Takeaways

  • A sophisticated phishing campaign, dubbed “Operation Capsule Vault,” is targeting researchers with fake academic event materials.
  • The campaign delivers a variant of the RokRAT remote access trojan (RAT) through seemingly legitimate ISO files hosted on cloud services like Dropbox.
  • Attackers exploit trust by weaponizing details from real academic conferences, making their lures highly convincing.
  • RokRAT is injected into the explorer.exe process, allowing it to evade detection and exfiltrate sensitive data, including screenshots and files.

Hackers Leverage Real Academic Event Materials to Distribute RokRAT

Cybersecurity researchers have uncovered a cunning phishing operation specifically targeting academics and researchers. This campaign, named “Operation Capsule Vault” by Genians, employs genuine details from academic events to distribute a variant of the RokRAT malware. The attackers craft highly convincing lures by embedding a malicious payload within what appears to be a legitimate document package related to a real seminar.

Table Of Content

  • Key Takeaways
  • Hackers Leverage Real Academic Event Materials to Distribute RokRAT
  • The Deceptive Lure: Honsan Kalma Tourism Forum
  • RokRAT Employs Process Injection and Cloud C2 for Evasion
  • What You Should Do

The attackers meticulously gather information from actual academic conferences to construct spear-phishing emails that mimic routine professional correspondence. These emails then direct unsuspecting recipients to cloud-hosted ISO files, masquerading as standard conference material downloads. This tactic significantly increases the likelihood that recipients will open the malicious file, believing it to be a harmless resource.

The Deceptive Lure: Honsan Kalma Tourism Forum

One notable example of this tactic involved emails claiming to distribute materials for the Honsan Kalma Tourism Forum, an event that took place in Seoul on June 9. The attackers impersonated a separate organization, framing the emails as typical business notices containing relevant conference information. This strategic impersonation adds a layer of authenticity, making the phishing attempt difficult to discern from legitimate communications.

Spear-Phishing Email Screen (Source - Genians)
Spear-Phishing Email Screen (Source – Genians)

Instead of attaching a conventional document directly, the phishing emails linked to an ISO image hosted on Dropbox. This ISO file bore a filename consistent with a seminar booklet and contained an executable disguised as a PDF document. This exploit leverages the common Windows setting that hides known file extensions, leading users to believe they are opening a PDF when, in fact, they are launching a malicious program. Upon execution, the deceptive file displays the expected academic content, while the RokRAT malware covertly initiates its malicious operations in the background. This dual-pronged approach aims to minimize suspicion by providing the victim with seemingly relevant material.

Analysis revealed that while the lure document contained content genuinely related to the Honsan Kalma Tourism Forum, its creation metadata showed a significant time discrepancy, indicating that the file was not an authentic handout from the event. This detail served as a critical red flag for security analysts.

RokRAT Employs Process Injection and Cloud C2 for Evasion

The RokRAT loader operates in multiple stages. It first restores shellcode in memory, then injects the primary RokRAT payload into explorer.exe, a legitimate Windows process. Executing within a trusted system process helps the malware evade detection by security solutions that primarily monitor for newly created or suspicious processes.

Once active, RokRAT commences gathering system intelligence and establishing communication channels with its command-and-control (C2) infrastructure. The Genians report highlights that the malware supports popular cloud services such as Dropbox, pCloud, and Yandex for its C2 operations, utilizing distinct channels for receiving commands and exfiltrating stolen data. This reliance on legitimate cloud platforms further complicates detection and blocking efforts.

Payload Table (Source - Genians)
Payload Table (Source – Genians)

The capabilities of RokRAT are extensive, allowing it to capture screenshots, collect arbitrary files, enumerate local and network drives, gather process information, and execute arbitrary commands issued by its operators. Furthermore, the malware possesses a cleanup function, enabling it to remove its traces, including temporary files and entries in the Startup folder, upon receiving specific instructions.

Researchers linked this campaign to the broader RokRAT malware family due to observed similarities in its cloud-service integration, command handling mechanisms, and code structure with previous RokRAT activities. While acknowledging the complexities of attribution, analysts suggest a likely connection to the advanced persistent threat (APT) group known as APT37, emphasizing the need to consider infrastructure, victim profiles, tactics, and other evidence for conclusive identification. The full Genians report provides a detailed analysis of the attack flow and indicators of compromise.

Organizations and individuals in the research and academic sectors must exercise extreme caution when encountering unexpected emails containing event materials. Thorough verification through official channels is paramount before interacting with any links or attachments.

What You Should Do

  • Verify Email Authenticity: Always confirm the legitimacy of emails, especially those containing links or attachments, by contacting the sender through official, known channels (e.g., phone, official website) rather than replying to the email itself.
  • Exercise Caution with Cloud Links: Be suspicious of unsolicited links to cloud storage services (Dropbox, pCloud, Yandex, etc.), even if they appear to come from a known sender.
  • Enable File Extension Display: Configure Windows to display full file extensions to prevent executables from masquerading as benign document types (e.g., .pdf.exe).
  • Implement Advanced Endpoint Detection: Utilize Endpoint Detection and Response (EDR) solutions to monitor for unusual process injection, suspicious executable behavior, and abnormal network connections to cloud services.
  • User Awareness Training: Conduct regular cybersecurity awareness training for all staff, particularly researchers and academics, on identifying sophisticated phishing attempts and the risks associated with opening untrusted files.
  • Monitor Network Traffic: Implement network monitoring to detect unusual outbound connections to cloud storage services or unexpected C2 traffic patterns.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerMalwarephishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical Motorola MR2600 flaw lets attackers run code via firmware update

Next Post

Misconfigured Python HTTP Server CVE-2024-XXXX Exposes Three Active Attack Campaigns

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical jscrambler Supply Chain Attack Targets Developers
July 13, 2026
Misconfigured Python HTTP Server CVE-2024-XXXX Exposes Three Active Attack Campaigns
July 13, 2026
RokRAT Malware Targets Researchers With Fake Academic Event Materials
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us