Recent OTX pulse data has uncovered a sophisticated spear-phishing campaign attributed to the North Korean threat actor APT37 (Reaper, Group 123). This operation, dubbed "Operation Capsule Vault," specifically targets individuals in research, policy, and academic fields. The adversary leverages emails masquerading as legitimate materials from an actual academic conference to deliver a malicious payload.
The attack chain involves a multi-stage loader using the EMBED_PAYLOAD_v2 structure, specifically designed to hide malicious executables within seemingly benign files. Victims receive a cloud storage link pointing to an ISO file. Inside the ISO is a PIF executable disguised as a PDF document. Upon execution, the system is compromised by RokRAT, a remote access Trojan known for its data exfiltration capabilities. The campaign utilizes compromised infrastructure across various countries (US, JP, HU, PE) for Command and Control (C2) communications, making detection based solely on geolocation difficult.
Threat Actor / Malware Profile
Adversary: APT37 (Reaper, Kimsuky) APT37 is a North Korean state-sponsored group active since at least 2012. They typically target South Korean entities but have expanded globally to focus on intelligence gathering related to nuclear issues, healthcare, and policy research.
Malware Family: ROKRAT (S0240) RokRAT is a customized RAT developed by APT37, known for its use of legitimate cloud services (like Yandex and pCloud) for C2 communications to blend in with normal traffic.
Distribution Method: Spear-phishing emails with malicious attachments or links. In this campaign, specifically via ISO files containing dual-purpose payloads (legitimate doc + malicious DLL).
Payload Behavior:
- Dropper/Loader: Uses
EMBED_PAYLOAD_v2to extract and execute the malicious component. - C2 Communication: Utilizes public cloud services (Yandex, pCloud) as well as direct IP connections for data exfiltration and command receipt.
- Persistence: Established via scheduled tasks or registry modifications (standard RokRAT behavior).
Anti-Analysis Techniques: The use of EMBED_PAYLOAD_v2 allows the malware to present a legitimate decoy document to the user while silently executing malicious code in the background, effectively bypassing user suspicion.
IOC Analysis
The provided indicators of compromise (IOCs) consist primarily of IPv4 addresses associated with C2 infrastructure and a single file hash.
-
IPv4 Addresses (7 total):
- 89.187.161.220 (Japan): Datacamp Limited
- 5.180.208.57 & 5.180.208.60 (US): Clouvider Limited
- 160.238.37.95 & 160.238.37.100 (Peru): Unknown ASN
- 89.147.101.197 (Hungary): On line system kft.
- Operationalization: SOC teams should block these IPs at the perimeter firewall and proxy levels. Historical logs should be queried for any egress connections to these addresses.
-
FileHash-MD5:
e5c9bb3938f2a24e755ee39073fc3aca- Operationalization: This hash likely belongs to the malicious ISO or the embedded PIF executable. EDR systems should be configured to quarantine any file matching this hash.
Tooling: SIEMs (Splunk, Sentinel), EDR (CrowdStrike, SentinelOne), and Threat Intelligence Platforms (TIPs) like MISP or Anomali can ingest these IOCs for automated correlation and alerting.
Detection Engineering
The following detection logic targets the specific behaviors observed in the "Capsule Vault" campaign, including the ISO mounting/execution pattern and specific C2 infrastructure.
---
title: Suspicious ISO Mounting with PIF Execution
id: 8ac2a9c1-8b3c-4d5e-9f6a-1b2c3d4e5f6a
description: Detects the execution of PIF files originating from mounted ISO images, a common pattern in this specific spear-phishing campaign.
author: Security Arsenal
date: 2026/07/13
modified: 2026/07/13
status: experimental
references:
- https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_capsule_vault?hs_amp=true
tags:
- attack.initial_access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\explorer.exe'
CommandLine|contains: '.iso'
selection_pif:
Image|endswith:
- '\\cmd.exe'
- '\\powershell.exe'
- '\\rundll32.exe'
CommandLine|contains: '.pif'
condition: selection and selection_pif
falsepositives:
- Legitimate administrative use of ISO files (rare for PIF execution)
level: high
---
title: APT37 RokRAT C2 Infrastructure Connection
id: 9bd3b0d2-9c4e-5e6f-0a7b-2c3d4e5f6a7b
description: Detects outbound network connections to known APT37 C2 infrastructure associated with Operation Capsule Vault.
author: Security Arsenal
date: 2026/07/13
modified: 2026/07/13
status: experimental
references:
- https://otx.alienvault.com/pulse/67891012-3456-7890-abcd-ef1234567890
tags:
- attack.command_and_control
- attack.c2
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp|contains:
- '89.187.161.220'
- '5.180.208.57'
- '5.180.208.60'
- '160.238.37.95'
- '89.147.101.197'
- '160.238.37.100'
condition: selection
falsepositives:
- None expected (these are specific C2 nodes)
level: critical
---
title: Suspicious Child Process of ISO Image Executable
id: 1ac4e1d3-2d5f-6e7a-8b9c-0d1e2f3a4b5c
description: Identifies suspicious processes spawned by executables located within mounted ISO drive letters (often D:, E:, etc.).
author: Security Arsenal
date: 2026/07/13
modified: 2026/07/13
status: experimental
tags:
- attack.execution
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|re: '^[A-Z]:\\.*\\[a-zA-Z0-9]{8}\\' # Pattern matching mounted ISO folders often have short 8-char names or just root
ParentImage|contains: '.iso'
selection_child:
Image|endswith:
- '\\powershell.exe'
- '\\cmd.exe'
- '\\wscript.exe'
- '\\cscript.exe'
condition: selection_parent and selection_child
falsepositives:
- Software installers mounted from ISO
level: medium
kql
// KQL for Microsoft Sentinel - Hunt for APT37 RokRAT Activity
// 1. Network connections to known C2 IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("89.187.161.220", "5.180.208.57", "5.180.208.60", "160.238.37.95", "89.147.101.197", "160.238.37.100")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl
// 2. Process execution involving PIF files
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains ".pif" or FileName contains ".pif"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, InitiatingProcessFileName
// 3. File creation events for the specific MD5 hash
DeviceFileEvents
| where Timestamp > ago(30d)
| where MD5 == "e5c9bb3938f2a24e755ee39073fc3aca"
| project Timestamp, DeviceName, FileName, FolderPath, MD5, SHA1, SHA256
powershell
# PowerShell Hunt Script for RokRAT Indicators
# Requires Administrative Privileges
$IOC_Hash = "e5c9bb3938f2a24e755ee39073fc3aca"
$IOC_IPs = @("89.187.161.220", "5.180.208.57", "5.180.208.60", "160.238.37.95", "89.147.101.197", "160.238.37.100")
Write-Host "[*] Starting hunt for APT37 RokRAT Indicators..." -ForegroundColor Cyan
# 1. Check for file presence by hash (User profiles and Temp folders)
Write-Host "[*] Scanning for malicious file hash..." -ForegroundColor Yellow
$DrivesToScan = @("C:")
foreach ($Drive in $DrivesToScan) {
try {
Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Length -gt 0 } |
ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
if ($hash -eq $IOC_Hash) {
Write-Host "[!] MATCH FOUND: $($_.FullName)" -ForegroundColor Red
}
}
} catch {
# Ignore access errors
}
}
# 2. Check for active network connections to C2 IPs
Write-Host "[*] Checking active network connections to C2 IPs..." -ForegroundColor Yellow
$netstat = netstat -ano | Select-String -Pattern $IOC_IPs -AllMatches
if ($netstat) {
Write-Host "[!] SUSPICIOUS CONNECTIONS FOUND:" -ForegroundColor Red
$netstat | ForEach-Object { Write-Host $_.Line }
} else {
Write-Host "[-] No active connections to C2 IPs found." -ForegroundColor Green
}
# 3. Check for recent files with .pif or .iso extensions in User Downloads
Write-Host "[*] Scanning User Downloads for .pif or .iso files created in the last 7 days..." -ForegroundColor Yellow
$Users = Get-ChildItem -Path "C:\Users" -Directory
foreach ($User in $Users) {
$DownloadPath = Join-Path -Path $User.FullName -ChildPath "Downloads"
if (Test-Path $DownloadPath) {
Get-ChildItem -Path $DownloadPath -Include *.pif, *.iso -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
ForEach-Object { Write-Host "[!] Suspicious file found: $($_.FullName)" -ForegroundColor Red }
}
}
Write-Host "[*] Hunt complete." -ForegroundColor Cyan
# Response Priorities
Immediate (0-4 hours)
- Block IOCs: Immediately block all listed IPv4 addresses at the network perimeter (Firewall, Proxy) and on endpoints (EDR/Hosts file).
- Scan for File Hash: Initiate a full disk scan across the enterprise for the MD5 hash
e5c9bb3938f2a24e755ee39073fc3aca. Quarantine any hits. - Email Sweep: Search mail gateways for emails containing the subject lines or attachments associated with the "academic conference" lure and suspend any active campaigns.
24 Hours
- Hunt for Compromise: Execute the provided PowerShell script and KQL queries to identify any systems that have communicated with the C2 infrastructure or executed PIF/ISO files in the last 30 days.
- Credential Reset: While RokRAT is primarily an espionage tool (RAT), credential resets for accounts on potentially compromised systems are a standard precaution to prevent lateral movement.
- Memory Forensics: For systems with confirmed hits, perform memory analysis to identify the running RokRAT process and extract any C2 configurations or stolen data.
1 Week
- Policy Review: Review and restrict the execution of files from ISO and IMG images for non-administrative users.
- User Awareness: Conduct targeted security awareness training for the Education, Government, and Research departments regarding the specific tactics used in this spear-phishing campaign (masquerading as conference materials).
- Architecture Hardening: Implement application controls (AppLocker) to block the execution of PIF files and scripts originating from temporary or user download directories.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.