Researchers Targeted by Operation Capsule Vault Using Real Academic Event Materials for RokRAT Deployment
A sophisticated phishing campaign, dubbed Operation Capsule Vault, is weaponizing genuine academic event materials to lure researchers into downloading a variant of the RokRAT malware.

A new phishing campaign, identified as Operation Capsule Vault, is employing a clever social engineering tactic by leveraging authentic materials from academic events to distribute malware. Threat actors are impersonating organizations and sending emails containing links to ISO files hosted on cloud services like Dropbox. These ISO files are disguised as conference materials, aiming to exploit the trust researchers place in professional academic exchanges.
The campaign's sophistication lies in its use of real event details, specifically referencing the Honsan Kalma Tourism Forum held in Seoul on June 9. By framing the phishing emails as standard business notices containing conference-related materials, attackers create a veneer of legitimacy, making it harder for busy researchers and staff to detect the malicious intent. This approach bypasses the typical red flags associated with more overtly suspicious messages.
Instead of direct attachments, recipients are directed to download an ISO image. This image is crafted with a filename that mimics a seminar booklet. Crucially, the ISO contains an executable file that, when launched, presents a seemingly innocuous document related to the academic event. This dual-functionality—displaying a legitimate-looking document while executing malicious code in the background—is designed to minimize suspicion and increase the likelihood of the payload being deployed.
Upon execution, the deceptive file acts as a multistage loader. It extracts embedded content and proceeds to inject the RokRAT payload into explorer.exe, a legitimate Windows process. Running within a trusted process helps the malware evade detection by security software that might flag newly spawned processes. This technique allows RokRAT to operate stealthily, gathering system information and preparing for command-and-control communications.
Analysis of the campaign revealed that the RokRAT variant supports cloud-based communication channels, including Dropbox, pCloud, and Yandex. These services are used for both receiving commands from operators and exfiltrating collected data. The malware's capabilities include taking screenshots, collecting files, enumerating drives, gathering process information, and executing remote commands. It also possesses the ability to erase its tracks by deleting temporary files and removing itself from startup locations upon instruction.
Security researchers have linked Operation Capsule Vault to the broader RokRAT family due to its characteristic cloud service integration, command handling mechanisms, and code similarities with previous RokRAT activity. While attribution is tentative, the campaign's infrastructure, victimology, and tactics suggest a potential connection to the APT37 threat group. However, definitive attribution requires further analysis of broader evidence.
To mitigate such threats, organizations are advised to verify unexpected emails containing links or files, especially those related to professional events, through official channels. Security teams should also implement monitoring for unusual ISO downloads, executables disguised as documents, suspicious process injection activities, and unexpected cloud service connections that correlate with suspicious email traffic.