Cyber Security NewsTechnologie

Hackers Use Modular RAT Tool for Credential Theft and Screenshot Capture

A newly identified malware campaign is targeting senior executives and government investigators in Southeast Asia and uses a modular Remote Access Trojan (RAT) capable of stealing credentials,

2 June 2026 | Tushar Subhra Dutta | Live Redaktion
Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities

Summary

Why this matters

  • A newly identified malware campaign is targeting senior executives and government investigators across Southeast Asia, using a modular Remote Access Trojan capable of stealing credentials, capturing screenshots, and maintaining deep persistence on infected systems.
  • The operation, dubbed Operation GriefLure, is running two simultaneous campaigns hitting Vietnam’s military-linked telecom sector and the Philippine healthcare industry.

In one case, they harvested real legal documents from an ongoing data breach lawsuit, including signed police reports, corporate admission letters, and personal medical records. Victims who opened the archive received a completely authentic document on screen, with no sign that anything had gone wrong behind the scenes.

Researchers at Seqrite Labs identified and named the campaign, noting that the entire system compromise completes in under 10 seconds with zero visible indicators to the victim.

The malware arrives inside a nested compressed archive delivered through a targeted spear phishing email, and its infection chain is engineered to bypass most conventional security tools. The operation targets two groups simultaneously.


Technique and impact

The first campaign focuses on senior executives at Viettel Group, Vietnam’s largest telecom operator running under the Ministry of National Defence, as well as cybercrime investigators from Thanh Hoa Provincial Police. The second targets compliance and audit staff at St. Luke’s Medical Center in the Philippines, using a fabricated whistleblower complaint that invokes alleged financial fraud and accreditation violations worth over PHP 1.5 million.

Both campaigns use the same underlying infrastructure and payload, confirming a single threat actor running a coordinated, modular attack operation across two countries at the same time.

Modular RAT With Credential Theft and Screenshot Capture

At the technical core of this campaign sits a sophisticated modular RAT acting as a multi-purpose implant.


Technical background

Once loaded into memory through a layered execution chain, it harvests credentials from web browsers including Chrome’s stored login data, cookies, and history. It also targets FTP client configurations, remote access tools like Sunlogin and ToDesk, and SSH session files from Xshell, making it a serious threat to anyone who manages privileged system access.

The screenshot capture module retrieves full screen dimensions, accounts for multi-monitor setups, and dynamically adjusts image resolution based on network conditions before transmitting a reconstructed BMP image to the attacker’s command-and-control server.

The malware also scans all running processes to build a profile of installed security products, then adjusts its behavior accordingly to reduce detection.

Infection chain (Source – Seqrite)

The payload is never stored as a complete file inside the archive.

Technique and impact

Binary chunks disguised as ordinary document files are assembled at runtime using Windows’ native copy command, and a time-based mechanism randomizes the payload hash on every execution to defeat signature-based scanning. The final executable is then injected into a trusted Windows process, making it appear as normal system activity to most forensic tools.
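One detection angle for the runtime assembly described above, as an added example that is not Seqrite's code or part of the original article: a small Python scanner over constructed Sysmon-style process-creation events that flags `copy` invocations which concatenate several document-looking files into a destination that is not itself a document. The event layout, file names and paths are assumptions made for the example.

```python
import re
import ntpath

# Constructed Sysmon-style process-creation events (not real telemetry)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'cmd.exe /c copy /b "C:\Temp\evidence\report1.pdf"+"C:\Temp\evidence\report2.pdf"+"C:\Temp\evidence\scan.jpg" C:\Temp\svc.exe'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy /b part1.txt + part2.txt merged.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy C:\data\a.docx D:\backup\a.docx"},
    {"ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r"cmd.exe /c copy /B img01.jpg+img02.jpg+img03.jpg loader.dll"},
]

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
COPY_CMD = re.compile(r"\bcopy\b(.*)$", re.IGNORECASE)   # no match on xcopy/robocopy
TOKEN = re.compile(r'"[^"]*"|\S+')                       # keeps quoted paths together

def parse_copy(cmdline):
    """Return (sources, dest) for a `copy` invocation, else None.
    Limitation: a quoted path that itself contains '+' is split incorrectly."""
    m = COPY_CMD.search(cmdline)
    if not m:
        return None
    # drop single-letter switches such as /b, /a, /y regardless of position
    tokens = [t for t in TOKEN.findall(m.group(1)) if not re.fullmatch(r"/[a-zA-Z]", t)]
    if len(tokens) < 2:
        return None
    dest = tokens[-1].strip('"')
    # `a+b c`, `a + b c` and `a+b+c d` all normalise to a '+'-separated source list
    sources = [s.strip('"') for s in "+".join(tokens[:-1]).split("+") if s]
    return sources, dest

def ext(path):
    return ntpath.splitext(path)[1].lower()

def is_chunk_assembly(cmdline):
    """True when two or more document-looking inputs are concatenated into a
    destination that is not a document (e.g. .exe, .dll, .bin, no extension)."""
    parsed = parse_copy(cmdline)
    if parsed is None:
        return False
    sources, dest = parsed
    return (len(sources) >= 2
            and all(ext(s) in DOC_EXTS for s in sources)
            and ext(dest) not in DOC_EXTS)

def scan(events):
    """Return the command lines of events matching the assembly pattern."""
    return [e["CommandLine"] for e in events if is_chunk_assembly(e["CommandLine"])]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious chunk assembly:", hit)
```

Pairing a hit with the parent process (script host, archive utility) and a follow-on process-injection alert raises confidence beyond the command line alone.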

Infrastructure, Attribution, and Defensive Measures

The malware communicates with a hardcoded command-and-control domain, whatsappcenter[.]com, hosted on IP address 38[.]54[.]122[.]188. This server sits within KAOPU-HK, a Hong Kong-based network with a documented history of providing abuse-resistant hosting to threat actors across Asia-Pacific.

Source link

Original source: Cyber Security News

Open original article

Source profile

Source and editorial details

Source
Cyber Security News
Original title
Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities
Canonical
https://cybersecuritynews.com/hackers-deploy-modular-rat-with-credential-theft/
Source URL
https://cybersecuritynews.com/hackers-deploy-modular-rat-with-credential-theft/
