Hackers Weaponize Real Academic Event Materials to Infect Researchers With RokRAT
A targeted phishing campaign is using genuine academic event details to trick researchers into opening malware.
The operation delivers a RokRAT variant through a fake document package that appears connected to a real seminar.
The attackers used information from an actual academic event to make the email look routine and trustworthy.
Recipients were led to a cloud-hosted ISO file that looked like a normal conference-material download, increasing the chance that it would be opened.
Genians said in a report shared with Cyber Security News (CSN) that it identified the activity as Operation Capsule Vault.
The name reflects the way attackers hide both a legitimate-looking document and malicious components inside a single executable container.
The campaign shows how threat actors can turn public event information into a convincing lure.

Rather than relying on obviously suspicious messages, the operators used familiar professional context, making the attack harder for busy researchers and staff to spot before opening the file.
Hackers Weaponize Real Academic Event Materials
The phishing messages claimed to distribute materials for the Honsan Kalma Tourism Forum, an event held in Seoul on June 9.
Attackers impersonated a separate organization and framed the email as a standard business notice containing conference-related materials.

Instead of attaching a normal document, the email directed recipients to a Dropbox-hosted ISO image.
The ISO used a filename resembling a seminar booklet and contained a program disguised as a PDF, exploiting the fact that Windows may hide known file extensions from users.
Once launched, the deceptive file displays the expected academic document while malicious activity continues in the background.
This dual approach helps reduce suspicion because the victim sees material that appears relevant to the message they received.
The executable works as a multistage loader, extracting additional embedded content before starting the next phase.
Analysts found that the lure document had content tied to the real event, while its creation details showed a time mismatch that indicated the file was not an authentic event handout.
RokRAT Hides Behind Legitimate Processes
The loader restores shellcode in memory and injects the RokRAT payload into explorer.exe, a normal Windows process.
Running inside a legitimate process can make malicious behavior less visible and complicate detection based only on newly created programs.
After execution, the malware gathers system details and prepares cloud-based communications.
The report found support for Dropbox, pCloud, and Yandex services, with separate channels for receiving commands and uploading collected information.

RokRAT can take screenshots, collect files, enumerate drives, gather process information, and run commands issued by its operators.
It can also remove selected traces, including files created in temporary locations and the Startup folder, after receiving an instruction to clean up.
The researchers linked the campaign to the broader RokRAT family through its cloud-service design, command handling, and code similarities with earlier activity.
They assessed the operation as likely connected to the APT37 group, while noting that attribution should consider infrastructure, victim patterns, tactics, and other evidence together.
Organizations should verify unexpected event-material emails through official channels before opening links or files.
Security teams should also monitor unusual ISO downloads, document-like executables, abnormal process injection, and cloud-service connections that follow suspicious email activity.
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post Hackers Weaponize Real Academic Event Materials to Infect Researchers With RokRAT appeared first on Cyber Security News.
Tushar Subhra Dutta
Go to cyber-security-news