Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/Threats/New Modular RAT Steals Credentials and Captures Screenshots
Threats

New Modular RAT Steals Credentials and Captures Screenshots

Key Takeaways A sophisticated, modular Remote Access Trojan (RAT) is actively targeting high-profile individuals in Southeast Asia. The campaign, dubbed “Operation GriefLure,” is...

David kimber
David kimber
May 8, 2026 4 Min Read
51 0

Key Takeaways

  • A sophisticated, modular Remote Access Trojan (RAT) is actively targeting high-profile individuals in Southeast Asia.
  • The campaign, dubbed “Operation GriefLure,” is simultaneously attacking Vietnam’s military-linked telecom sector and the Philippine healthcare industry.
  • The threat actors employ highly convincing spear-phishing tactics, using legitimate legal and financial documents as lures.
  • The RAT is designed for deep system persistence, extensive credential theft, and stealthy screenshot capture, bypassing conventional security measures.
  • Security researchers attribute the campaign with moderate-to-high confidence to a China-nexus threat cluster.

Operation GriefLure: Advanced Modular RAT Targets Southeast Asian Executives

A recent and alarming malware campaign, designated “Operation GriefLure” by researchers, is actively compromising senior executives and government investigators across Southeast Asia. This advanced operation leverages a modular Remote Access Trojan (RAT) to exfiltrate credentials, capture sensitive screenshots, and establish robust persistence on victim systems. For a comprehensive technical deep dive into this evolving threat, a detailed analysis is available from Seqrite Labs.

Table Of Content

  • Key Takeaways
  • Operation GriefLure: Advanced Modular RAT Targets Southeast Asian Executives
  • Dual Campaign Targets
  • Modular RAT Capabilities: Credential Theft and Stealthy Screenshot Capture
  • Infrastructure, Attribution, and Defensive Measures
  • What You Should Do

A particularly concerning aspect of this campaign is the attackers’ method of initial compromise. Rather than relying on generic phishing attempts, the threat actors are leveraging highly authentic, legally binding documents. In one instance, they utilized actual legal records from an ongoing data breach lawsuit, including signed police reports, official corporate admissions, and personal medical information. Victims who opened these archives saw what appeared to be perfectly legitimate documents, completely unaware of the malicious activity unfolding in the background.

Researchers at Seqrite Labs, who identified and named the campaign, highlighted that the entire system compromise typically concludes in under ten seconds, leaving no visible indicators for the victim. The malware is delivered via targeted spear-phishing emails containing nested compressed archives. Its meticulously crafted infection chain is designed to circumvent most conventional security solutions. Operation GriefLure encompasses two parallel campaigns.

Dual Campaign Targets

The first campaign primarily targets senior executives within Viettel Group, Vietnam’s largest telecommunications provider, which operates under the Ministry of National Defence. It also targets cybercrime investigators from the Thanh Hoa Provincial Police. The second campaign focuses on compliance and audit personnel at St. Luke’s Medical Center in the Philippines, utilizing a fabricated whistleblower complaint alleging financial fraud and accreditation violations exceeding PHP 1.5 million.

Crucially, both campaigns share the same underlying infrastructure and malicious payload, indicating a single threat actor orchestrating a coordinated, multi-country attack operation. A detailed technical analysis of the threat is available from Seqrite Labs.

Modular RAT Capabilities: Credential Theft and Stealthy Screenshot Capture

At the heart of this sophisticated campaign lies a modular RAT, functioning as a versatile implant. Once it successfully loads into memory through a multi-layered execution chain, the RAT initiates extensive data harvesting. It targets credentials stored in web browsers, including Chrome’s saved login data, cookies, and browsing history. Beyond browsers, it also extracts configurations from FTP clients, remote access tools such as Sunlogin and ToDesk, and SSH session files from Xshell, posing a significant risk to individuals managing privileged system access.

The RAT’s screenshot capture module is equally advanced. It can determine full screen dimensions, accurately account for multi-monitor setups, and dynamically adjust image resolution based on prevailing network conditions. These reconstructed BMP images are then covertly transmitted to the attacker’s command-and-control (C2) server. Furthermore, the malware actively scans for and profiles installed security products, allowing it to adapt its behavior to minimize detection.

The payload itself is never stored as a complete file on the disk. Instead, it is broken into binary chunks disguised as ordinary document files, which are then reassembled at runtime using native Windows copy commands. A time-based mechanism randomizes the payload hash with each execution, effectively thwarting signature-based detection. The final executable is subsequently injected into a trusted Windows process, making its activity indistinguishable from legitimate system operations to many forensic tools.

Infection chain (Source - Seqrite)
Infection chain (Source – Seqrite)

Infrastructure, Attribution, and Defensive Measures

The malware establishes communication with a hardcoded command-and-control domain, whatsappcenter[.]com, hosted on the IP address 38[.]54[.]122[.]188. This server is located within KAOPU-HK, a Hong Kong-based network known for providing abuse-resistant hosting services to various threat actors across the Asia-Pacific region. Passive intelligence classifies this host as “bulletproof infrastructure,” strongly indicating deliberate operational security measures by the attackers.

Based on multiple converging indicators, Seqrite researchers assess with moderate-to-high confidence that this campaign is linked to a China-nexus threat cluster. Supporting evidence includes the use of bulletproof Chinese hosting, an embedded security detection list that specifically enumerates vendors such as 360Safe, Qianxin, and Sangfor, direct targeting of WeChat data within the credential harvesting module, and the broader geographical footprint targeting military-linked telecom and healthcare sectors in Southeast Asia.

What You Should Do

  • Block Known Indicators: Immediately block the C2 domain whatsappcenter[.]com and IP address 38[.]54[.]122[.]188 at network perimeter defenses (firewalls, proxies, DNS filters).
  • Monitor for Anomalous Activity: Implement robust monitoring for LNK file executions that invoke ftp.exe, and any processes dropping chunked document files into the Public directory.
  • Audit Process Behavior: Regularly audit systems for instances of explorer.exe being respawned under a restricted security context, as this is a known evasion technique.
  • Enhance Endpoint Detection: Ensure Endpoint Detection and Response (EDR) solutions are configured for behavioral analysis and anomaly detection, as signature-based methods may be insufficient due to payload randomization.
  • Review Privileged Access: Conduct an urgent review of all privileged access credentials, especially those for remote access tools (Sunlogin, ToDesk) and SSH clients (Xshell), and enforce multi-factor authentication (MFA) rigorously.
  • Advanced User Training: While standard user awareness is crucial, recognize that this attack weaponizes genuine documents. Augment training with simulations that expose users to highly convincing, context-specific phishing lures.
  • Threat Intelligence Integration: Integrate the provided Indicators of Compromise (IoCs) into your Security Information and Event Management (SIEM) and threat intelligence platforms for proactive detection.

Indicators of Compromise (IoCs):-

Type Indicator Description
File Hash (SHA256) 35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43 LNK dropper — Viettel-themed lure (Campaign 1)
File Hash (SHA256) bc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachHackerMalwarephishingSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

New PamDOORa Linux Backdoor Steals SSH Credentials From Infected Systems

Next Post

Let’s Encrypt Halts Issuance Over Expired Root Certificate Bug

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us