Modular RAT Campaign Steals Credentials and Captures Screenshots

GBHackers On Security, May 8, 2026

Why It Matters

The campaign shows how precise social engineering combined with fileless malware can silently compromise high-value regional targets, raising the threat level for the telecom and healthcare sectors. Organizations must upgrade detection to spot native-tool abuse and rapid, modular payload delivery.

Key Takeaways

  • Operation GriefLure targets senior executives in Vietnam and the Philippines
  • The attack uses an LNK shortcut that abuses ftp.exe for fileless execution
  • The modular RAT harvests credentials, captures screenshots, and injects into processes
  • The threat actor is likely China-linked and uses bulletproof hosting on whatsappcenter.com

Pulse Analysis

Operation GriefLure illustrates the next evolution of spear‑phishing, where threat actors blend authentic legal and regulatory documents with malicious shortcuts to gain executive trust. By embedding genuine case files from a real Viettel data‑breach dispute, the attackers created a convincing lure that bypassed typical email filters. This social‑engineering precision underscores a broader trend: adversaries are investing heavily in regional intelligence to tailor their bait, making campaigns harder to detect with generic rule‑sets.

Technically, the campaign relies on a modular RAT architecture built from living-off-the-land components. The initial LNK file launches Windows ftp.exe, a legitimate signed utility, which downloads fragmented components that are reassembled into sfsvc.exe and the 360.dll loader. Rather than dropping a single recognizable executable, the chain uses DLL sideloading, XOR obfuscation, and NTFS Alternate Data Streams to keep the malicious code out of view of file-based scanning. Once active, the RAT enumerates processes, injects into trusted binaries, and exfiltrates browser credentials and screenshots over obfuscated HTTP requests. These capabilities allow rapid, covert data theft while persistence is maintained through controlled Explorer restarts.

For defenders, the key takeaway is the necessity of behavior-based detection. ftp.exe has legitimate uses, so the signal is not its presence but its context: a launch whose parent is explorer.exe or an Office process (the lineage a double-clicked LNK produces), a scripted session, or paths that reference alternate data streams are early indicators worth alerting on. Endpoint detection that flags rapid in-memory payload assembly and anomalous network traffic to suspicious domains (e.g., whatsappcenter.com) is essential. As China-linked actors continue to refine modular malware, organizations in high-risk sectors must adopt layered defenses that combine threat-intel sharing, user education, and EDR analytics to counter these intrusion attempts.
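The ftp.exe-from-LNK detection described above, as an added example that is not part of the original article or any vendor product: a small Python triage routine run over Sysmon-style process-creation records. The record fields, the list of "lure" parent processes, the checks for the documented ftp.exe -s:script switch and for alternate-data-stream paths, and the sample events are all assumptions made for illustration; they are not indicators published by the article.

```python
"""Added example (not the article's code): triage Sysmon-style process-creation
records for ftp.exe launches that look like LNK-driven abuse. Field names,
parent list, regexes and sample events are assumptions made for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: these parents indicate a double-clicked shortcut (explorer.exe),
# an Office lure or a script host rather than an admin typing ftp in a console.
# cmd.exe/powershell.exe are deliberately absent: an interactive session is
# only flagged if it also uses a script file or an alternate data stream.
LURE_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# "ftp -s:<file>" runs a scripted session; ftp script lines beginning with "!"
# are passed to the shell, which is what turns ftp.exe into an execution primitive.
SCRIPT_SWITCH = re.compile(r"(?i)(?:^|\s)-s:\S+")
# drive:\path\file.ext:stream  (an NTFS alternate data stream on the command line)
ADS_PATH = re.compile(r"[A-Za-z]:\\[^\s\"]+:[A-Za-z0-9_.$-]+")


@dataclass
class ProcessEvent:
    image: str          # Sysmon EID 1 "Image"
    command_line: str   # "CommandLine"
    parent_image: str   # "ParentImage"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_ftp_event(ev: ProcessEvent) -> List[str]:
    """Return the reasons this event looks like ftp.exe abuse; [] means not ftp.exe or benign."""
    if basename(ev.image) != "ftp.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in LURE_PARENTS:
        reasons.append(f"ftp.exe spawned by {parent}")
    if SCRIPT_SWITCH.search(ev.command_line):
        reasons.append("scripted session (-s:) on the command line")
    if ADS_PATH.search(ev.command_line):
        reasons.append("alternate data stream referenced on the command line")
    return reasons


def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Keep only events with at least one reason, for analyst review."""
    hits = []
    for ev in events:
        reasons = score_ftp_event(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (not from the campaign): a shortcut-launched
# scripted ftp session reading its script from an ADS, an admin's interactive
# ftp, an Office-spawned scripted session and an unrelated service process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\ftp.exe",
                 r"ftp.exe -s:C:\Users\victim\AppData\Local\Temp\lure.pdf:ftp.txt",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\ftp.exe", "ftp 192.0.2.10",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\ftp.exe", r"ftp.exe -s:C:\ProgramData\u.txt",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
                 r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.parent_image} -> {ev.command_line}")
        for r in reasons:
            print("   ", r)
```

Run against the constructed events, the first and third records are surfaced with their reasons while the admin's interactive ftp session and the svchost.exe record are left alone. In production the same three checks map directly onto a Sysmon Event ID 1 or EDR process-creation query; tune LURE_PARENTS to the environment, and pair the rule with a network-connection rule for ftp.exe so a scripted session that never touches the shell is still caught.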
