{"id":14253,"date":"2026-07-13T10:03:37","date_gmt":"2026-07-13T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/13\/hackers-weaponize-real-academic-event-materials-to-infect-researchers-with-rokrat\/"},"modified":"2026-07-13T10:03:37","modified_gmt":"2026-07-13T10:03:37","slug":"hackers-weaponize-real-academic-event-materials-to-infect-researchers-with-rokrat","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/13\/hackers-weaponize-real-academic-event-materials-to-infect-researchers-with-rokrat\/","title":{"rendered":"Hackers Weaponize Real Academic Event Materials to Infect Researchers With RokRAT"},"content":{"rendered":"<p>    Hackers Weaponize Real Academic Event Materials to Infect Researchers With RokRAT<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A targeted phishing campaign is using genuine academic event details to trick researchers into opening malware. <\/p>\n<p class=\"wp-block-paragraph\">The operation delivers a RokRAT variant through a fake document package that appears connected to a real seminar.<\/p>\n<p class=\"wp-block-paragraph\">The attackers used information from an actual academic event to make the email look routine and trustworthy. <\/p>\n<p class=\"wp-block-paragraph\">Recipients were led to a cloud-hosted ISO file that looked like a normal conference-material download, increasing the chance that it would be opened.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.genians.co.kr\/en\/blog\/threatintelligence\/rokratcapsulevault\/\" data-type=\"link\" data-id=\"https:\/\/www.genians.co.kr\/en\/blog\/threatintelligence\/rokratcapsulevault\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Genians\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that it identified the activity as\u00a0Operation Capsule Vault. <\/p>\n<p class=\"wp-block-paragraph\">The name reflects the way attackers hide both a legitimate-looking document and malicious components inside a single executable container.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The campaign shows how threat actors can turn public event information into a convincing lure. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOUgJ_S0r0ZnAyPMoa9IcTEfPNeEYm9HA7v-7PkBrPfCLkO3PnalwgKyIB7bk4vXPiQZhMKnNYMJou_Y5Ze3JLillxzHjKZPuPvwECw1XZ0oj_7Oe-YFcJyPYmVJ5Jmaamh0dCFbO4wxMr0wYhsJ3zowauCRKdCnizRBdDPzW-Z6Pn8zF8ep2fVu0Dx6o\/s1600\/Attack%2520Flow%2520%28Source%2520-%2520Genians%29.webp?ssl=1\" alt=\"Attack Flow (Source - Genians)\"><figcaption class=\"wp-element-caption\">Attack Flow (Source \u2013 Genians)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Rather than relying on obviously suspicious messages, the operators used familiar professional context, making the attack harder for busy researchers and staff to spot before opening the file.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-hackers-weaponize-real-academic-event-materials\" class=\"wp-block-heading\"><strong>Hackers Weaponize Real Academic Event Materials<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/cybersecuritynews.com\/phishing-email-filter-breakthroughs\/\" data-type=\"post\" data-id=\"76873\" target=\"_blank\" rel=\"noreferrer noopener\">phishing messages claimed to distribute materials<\/a> for the Honsan Kalma Tourism Forum, an event held in Seoul on June 9. <\/p>\n<p class=\"wp-block-paragraph\">Attackers impersonated a separate organization and framed the email as a standard business notice containing conference-related materials.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj7u8uPYlW7zVdDqQ8QwNt8UE93-hVy61XdYZ5Iic4C7jeoBIvQd9VWKIV9KEAGhulgO47v2UkaMn58HL_dazjy9YJCpJ00Dc-IaUbOzBc_YWhyVOz-tLWrXSp_SvZAa-WEDy-cBiTFgKXx-Ov_r1dzlz3_QRDt-k9SC_vh7xZdvmuZrf_RDSb_H7k8JBo\/s1600\/Spear-Phishing%2520Email%2520Screen%2520%28Source%2520-%2520Genians%29.webp?ssl=1\" alt=\"Spear-Phishing Email Screen (Source - Genians)\"><figcaption class=\"wp-element-caption\">Spear-Phishing Email Screen (Source \u2013 Genians)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Instead of attaching a normal document, the email directed recipients to a Dropbox-hosted ISO image. <\/p>\n<p class=\"wp-block-paragraph\">The ISO used a filename resembling a seminar booklet and contained a program disguised as a PDF, exploiting the fact that Windows may hide known file extensions from users.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Once launched, the deceptive file displays the expected academic document while malicious activity continues in the background. <\/p>\n<p class=\"wp-block-paragraph\">This dual approach helps reduce suspicion because the victim sees material that appears relevant to the message they received.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/cybersecuritynews.com\/multistage-info-stealer-snakekeylogger-attacking-individuals\/\" data-type=\"post\" data-id=\"97116\" target=\"_blank\" rel=\"noreferrer noopener\">executable works as a multistage loader<\/a>, extracting additional embedded content before starting the next phase. <\/p>\n<p class=\"wp-block-paragraph\">Analysts found that the lure document had content tied to the real event, while its creation details showed a time mismatch that indicated the file was not an authentic event handout.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-rokrat-hides-behind-legitimate-processes\" class=\"wp-block-heading\"><strong>RokRAT Hides Behind Legitimate Processes<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The loader restores shellcode in memory and injects the RokRAT payload into\u00a0<code>explorer.exe<\/code>, a normal Windows process. <\/p>\n<p class=\"wp-block-paragraph\">Running inside a legitimate process can make malicious behavior less visible and complicate detection based only on newly created programs.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">After execution, the malware gathers system details and prepares cloud-based communications. <\/p>\n<p class=\"wp-block-paragraph\">The report found support for Dropbox, pCloud, and Yandex services, with separate channels for receiving commands and uploading collected information.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgrqGP0gIBcfZ0EI1cYmvrfbhDbTfzKTcrxNQpSdM27o93lVEXmY0bIIj7enHTnzKJY-z6jNbOrRk9ODuBBtmqLIHbhwevSgClFqU1yRgtPhj_jnro6FpCIEIIkWdtOAcNn5dkxOSqjxOB6UHGcY_KcPtDqsU0YBNvEAZgjC52XzASdtAacVxrro1v-NjA\/s1600\/Payload%2520Table%2520%28Source%2520-%2520Genians%29.webp?ssl=1\" alt=\"Payload Table (Source - Genians)\"><figcaption class=\"wp-element-caption\">Payload Table (Source \u2013 Genians)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">RokRAT can take screenshots, collect files, enumerate drives, gather process information, and run commands issued by its operators. <\/p>\n<p class=\"wp-block-paragraph\">It can also remove selected traces, including files created in temporary locations and the Startup folder, after receiving an instruction to clean up.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The researchers linked the campaign to the broader RokRAT family through its cloud-service design, command handling, and code similarities with earlier activity. <\/p>\n<p class=\"wp-block-paragraph\">They assessed the operation as likely connected to the APT37 group, while noting that attribution should consider infrastructure, victim patterns, tactics, and other evidence together.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Organizations should verify unexpected event-material emails through official channels before opening links or files. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/what-security-teams-need-to-know-before-their-organization-deploys-voice-ai\/\" data-type=\"post\" data-id=\"154691\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams should also monitor unusual ISO downloads<\/a>, document-like executables, abnormal process injection, and cloud-service connections that follow suspicious email activity.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Cloud service<\/td>\n<td>Dropbox<\/td>\n<td>Used to host and distribute the malicious ISO image through the phishing lure.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Cloud service<\/td>\n<td>pCloud<\/td>\n<td>Supported by the RokRAT variant for cloud-based communications.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Cloud service<\/td>\n<td>Yandex<\/td>\n<td>Supported by the RokRAT variant for cloud-based communications.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Process<\/td>\n<td><code>explorer.exe<\/code><\/td>\n<td>Legitimate Windows process targeted for injection of the RokRAT payload.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>File type<\/td>\n<td>ISO image<\/td>\n<td>Malicious disk-image format delivered through the academic-event phishing campaign.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>File type<\/td>\n<td>PIF executable<\/td>\n<td>Executable format disguised as a PDF document within the ISO image.\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/7770e194-f169-4deb-bbef-09c7be97daba\/Hackers-Weaponize-Real-Academic-Event-Materials-to-Infect-Researchers-With-RokRAT.pdf?AWSAccessKeyId=ASIA2F3EMEYER6XMGA5O&amp;Signature=Pj8bUds7zKpYwjoeh%2FXTFx5LWZQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJIMEYCIQCV%2Fusx0E4khOr4gadlXTN4VN8YkiubLwnLYD%2BNIFvNSwIhAJMj3PamvJKhsF3xDcyU07kYs0YFTGRqPAJ8DxOb2pc9KvwECPj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1Igzz9n%2FAEAmKrLCyeH8q0AQC69RuTfc9toQRQiyyiJLbb80JjrSzqIAYG6UhxRALjW%2BqyvvvG%2FJbi3cV9ViDTN%2B3QtUCS7uVp1a3wUpiBDeh40w3PrJZYB4Z5rLXWMkRWUBDb%2Fii7tCR98Kkwnzti0VTqIQOtnHlyIl0OHhnJIioxMo7QFTxnJP9o0BTdj45IGZq2h7SfgsNswK9qL6cZhGjwC7coK1eEdVsFHvcNjPX3WI7Y8NuzBGeLoSeP02CC0sL1RjwJrdanVHdXB%2BVkYWsjvqXno5AFN1705%2ByEROEt9Rjjlv0Az22jN%2FAGgLfz2aciMi822HUcfKyxhOk1pT7dpmk2PFHMs9LNfUNYaSgENGWt6amek8gqqP6vwOVXGlO9e1VAGOt7MPZYCypXsxFrNq0h6CgyBrOvVXl2Ir8NaVP2bgczSrducGUjMKHrToP%2Bp%2Fb61BpqRZP%2B%2Fx7u%2BcdcrtjCBg%2FfI9Rg8CRQ9xbyTeD9lG9yOwunIeyi5LrUg3S7SkX3sn1BHC1MFSBoWzQS9mYHjZXo%2Fu5I4fuPKczVQ8lTkuC38ZEvE4FU6SjxTpsxpQ7uqtae9sk8WCAByGxmOPVAYfN91rEf0Q9cGylJ3Rq6anLn7TLZrCqXW0%2Bh8N6M6zn3wIKM3yQtH%2Fwi8HGoYcCArt%2Bh4ottwKbOUrteHwRTL%2FBdIlcOAwdwgnPjdszk7cuBI8Lc5MNgW%2Bz%2FyQXe%2B6X4jgRV%2BDGP%2Fz7%2Bjfb9mU7ofnP5K1ZUmyfclaGBmnyePPr%2Fn%2BJz8HAKMKoDbK1Kkzo3Cr0e1wZLMuzMSZjMMSj0tIGOpcBrqg0NWh3mIn2YthWxfzaP%2B9mAHxbdWGrA9wyiPMoPmJAfxZT7m60LyHpztA7Puqzb4VLh5q0ykx7yEnxcfQzD5pWpYbjYe8ex77TjMZ7Tq%2FukgN1%2BD32Wd3T9vNfnc3teUsQ8z5fHBc34FvtJcNqJrQj3NfgUnD9ntcE4GZYe4jOMyUFMk06%2FBp8wV556pHZvuEWLK1s4Q%3D%3D&amp;Expires=1783930775\"><\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong>Prevent critical incidents and financial loss with stronger proactive defense.\u00a0<\/strong><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=feeds+landing&amp;utm_content=ti+feeds+sales&amp;utm_term=070726#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate a live threat feed from 15K SOC Teams<\/a><\/strong>.<\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-weaponize-real-academic-event-materials\/\">Hackers Weaponize Real Academic Event Materials to Infect Researchers With RokRAT<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-weaponize-real-academic-event-materials\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Weaponize Real Academic Event Materials to Infect Researchers With RokRAT A targeted phishing campaign is using genuine academic event details to trick researchers into opening malware. The operation delivers a RokRAT variant through a fake document package that appears connected to a real seminar. The attackers used information from an actual academic event to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-14253","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14253"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14253"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14253\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}