Attack Flow | Image: Genians Security Center
At a glance
| Malware family | RokRAT variant (x64) |
| Threat actor | Assessed highly likely APT37 (suspected, not confirmed) |
| Target / victims | People in research, policy, and academic fields |
| Delivery vector | Spear-phishing email, Dropbox link, ISO, PIF disguised as PDF |
| Key capabilities | Recon, screen capture, file theft, command execution, cloud C2 |
| Source | Genians Security Center |
TL;DR
Genians Security Center has detailed a fresh RokRAT malware campaign it calls Operation Capsule Vault. Attackers hid the malware inside a file that looked like a PDF, then spread it through spear-phishing. Genians assesses, with high confidence, that the North Korea-linked group APT37 ran the operation.
Delivery
The attack starts with a spear-phishing email. On June 22, 2026, the threat actor targeted people in research, policy, and academic work. According to Genians, initial access came through “spear-phishing emails disguised as materials for actual academic events.”
The lure reused a real conference on Wonsan-Kalma tourism, held in Seoul that month. That real-world detail lowered suspicion. The email looked like a normal notice sharing event material. The sender even posed as a firm in the unification field to seem official. Instead of a PDF, though, it linked to a file on Dropbox.
Infection chain
The Dropbox link delivered an ISO image, not a document. Inside sat a file that looked like a PDF booklet. Its real extension, however, was PIF, a legacy Windows executable type. Because Windows hides known extensions by default, the file passed as a document.
The capsule structure
Genians named the campaign for how this file works. It stores a real PDF and a hidden payload together, then unpacks them in turn. The team calls the marker inside it EMBED_PAYLOAD_v2. The payload table holds two entries: a decoy PDF and a binary payload. When the victim opens the file, a genuine event booklet appears on screen. In the background, a second payload runs at the same time.
Memory-only execution
The second stage is shellcode that never touches disk. The loader uses a Call-Pop trick to find its data, a common position-independent method. It then decodes an encrypted payload in memory using a simple XOR key. Next, it injects the final payload into explorer.exe, a trusted Windows process. As a result, no new process appears, and behavior-based tools see less.
Command and control
The injected payload is an x64 RokRAT variant. First, it fingerprints the host and builds a victim ID from system and BIOS data. Next, it prepares cloud channels for C2. This RokRAT malware talks to pCloud, Dropbox, and Yandex Cloud rather than a plain server.
The sample carries hardcoded Yandex tokens and falls back to a spare if one fails. During analysis, the first token worked while the second was already revoked. It also fakes a search-engine user agent to blend its traffic in. Genians tied one cloud account to earlier 2025 RokRAT attacks, which strengthens the link.
Data theft
Once connected, the backdoor waits for commands over separate channels. It can capture the screen, list drives, and run shell commands. It also hunts documents by extension, targeting office files, PDFs, and Korean HWP files. The RokRAT malware then uploads what it steals to cloud storage.
Attribution
Genians states the campaign is “assessed as highly likely to have been conducted by the APT37 group.” That judgment rests on code overlap, shared cloud accounts, and matching infrastructure. The same account appeared in Genians’ earlier Operation Artemis report from December 2025. Still, this is an assessment, not a confirmed identity. Some traffic ran through commercial VPN exit nodes, which hid the true origin.
Defense and detection
Teams should treat linked ISO and PIF execution as a red flag. Show file extensions so users can spot fake documents. Watch for injection into explorer.exe from odd parents. Also monitor uploads to consumer cloud services from servers. Keep EDR rules current, since this loader stays mostly in memory.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.