Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Exploit Academic Events to Deploy RokRAT

Hackers Exploit Academic Events to Deploy RokRAT

Posted on July 13, 2026 By CWS

A recent cyber threat campaign has been identified where hackers are leveraging genuine academic event details to distribute malware. The operation involves sending fake documents that appear to be related to actual seminars, thereby deceiving recipients into downloading malicious software.

Phishing Campaign Targets Researchers

This campaign involves the delivery of a variant of RokRAT via a deceptive document package. The attackers have utilized information from a real academic event to make the phishing email appear legitimate, increasing the likelihood of its opening.

The emails direct recipients to an ISO file hosted in the cloud, which mimics a standard conference document download. Once opened, this file releases malware onto the user’s system. Genians, a cybersecurity firm, has reported this activity as Operation Capsule Vault, highlighting the tactic of concealing malware within what appears to be a credible document.

Detailed Analysis of the Attack Methodology

The phishing emails falsely claimed to distribute materials for the Honsan Kalma Tourism Forum, a legitimate event held in Seoul. By impersonating another organization, the hackers successfully framed the email as a customary business notification containing conference information.

Instead of a typical document, the email contained a link to a Dropbox-hosted ISO image. This image, named to resemble a seminar booklet, included a program disguised as a PDF file. When executed, it displayed an expected academic document while surreptitiously performing malicious activities in the background.

RokRAT’s Stealthy Operation

Upon execution, the malware injects the RokRAT payload into explorer.exe, a standard Windows process. This technique helps the malware remain undetected by leveraging legitimate system processes to conceal its operations.

RokRAT gathers system information and establishes cloud-based communications. It supports platforms like Dropbox, pCloud, and Yandex for command reception and data exfiltration. Capabilities of RokRAT include taking screenshots, collecting files, and executing commands from its operators.

Researchers have linked this campaign to the broader RokRAT malware family through its use of cloud services and similarities in code and tactics, suggesting a connection to the APT37 group. Organizations are advised to verify unexpected emails through official channels and monitor for unusual activities associated with ISO files and process injections.

To mitigate such threats, cybersecurity teams should focus on proactive detection and response strategies, ensuring robust email security protocols are in place to prevent potential breaches.

Cyber Security News Tags:academic events, APT37, cloud services, cyber threats, Cybersecurity, email security, ISO file, malware attack, Operation Capsule Vault, phishing campaign, RokRAT malware, threat detection

Post navigation

Previous Post: Progress Urges ShareFile Shutdown Due to Security Risks
Next Post: Zimbra Addresses Critical Code Execution Flaw

Related Posts

Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection Cyber Security News
Beware of Typosquatted Malicious PyPI Packages That Delivers SilentSync RAT Beware of Typosquatted Malicious PyPI Packages That Delivers SilentSync RAT Cyber Security News
Trivy Supply Chain Attack Expands to Docker Hub Trivy Supply Chain Attack Expands to Docker Hub Cyber Security News
Dual Malware Campaign Deploys Gh0st RAT and Adware Dual Malware Campaign Deploys Gh0st RAT and Adware Cyber Security News
Critical WatchGuard Firebox Vulnerabilities Let Attackers Bypass Integrity Checks and Inject Malicious Codes Critical WatchGuard Firebox Vulnerabilities Let Attackers Bypass Integrity Checks and Inject Malicious Codes Cyber Security News
The Gentlemen Ransomware: A Growing Cyber Threat The Gentlemen Ransomware: A Growing Cyber Threat Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Hackers Exploit jscrambler in Supply Chain Attack
  • Zimbra Addresses Critical Code Execution Flaw
  • Hackers Exploit Academic Events to Deploy RokRAT
  • Progress Urges ShareFile Shutdown Due to Security Risks
  • Major Microsoft 365 Phishing Operations Exposed by Server Error

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Hackers Exploit jscrambler in Supply Chain Attack
  • Zimbra Addresses Critical Code Execution Flaw
  • Hackers Exploit Academic Events to Deploy RokRAT
  • Progress Urges ShareFile Shutdown Due to Security Risks
  • Major Microsoft 365 Phishing Operations Exposed by Server Error

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark