Operation GriefLure uses real documents to deliver modular RAT malware


Operation GriefLure is a targeted spear phishing campaign that uses malicious Windows LNK files to infect victims with a modular remote access trojan. The campaign targets Vietnam’s military-linked telecom sector and healthcare staff in the Philippines.

The malware can steal credentials, capture screenshots, profile security tools, and communicate with attacker-controlled infrastructure. Its infection chain also relies on native Windows tools, which helps it avoid some traditional detection methods.

Seqrite Labs said the campaign targeted senior executives at Viettel Group, Vietnam’s largest telecom operator under the Ministry of National Defence, active investigators from Thanh Hoa Provincial Cyber Crime Police, and staff linked to St. Luke’s Medical Center Quezon in the Philippines.

Why Operation GriefLure stands out

The campaign stands out because the attackers used highly believable lure documents. In one case, they used real legal and investigative documents connected to a data breach dispute involving Viettel and Vietnamese authorities.

These documents included police investigation reports, signed corporate letters, email chains, and personal medical records. That made the lure harder to dismiss because the recipients had a real professional reason to open the files.

In the Philippine campaign, the attackers used a whistleblower-style complaint that referenced alleged fraud and misconduct. The theme targeted compliance and audit-related staff, which shows a clear focus on business roles that handle sensitive internal matters.

At a glance

Category               Details
Campaign name          Operation GriefLure
Main targets           Vietnam telecom, law enforcement investigators, and Philippine healthcare
Initial delivery       Spear phishing emails with nested compressed archives
Main file type         Malicious Windows LNK files
Abused Windows tool    ftp.exe
Payload                Modular RAT with credential theft and screenshot capture
Known C2 domain        www[.]whatsappcenter[.]com
Known IP address       38[.]54[.]122[.]188

How the infection chain works

The attack starts with a spear phishing email carrying a compressed archive, with the malicious LNK file nested inside. When the victim opens the shortcut, it launches Windows’ native ftp.exe utility as the first stage of the loader chain.

The payload does not arrive as one obvious executable. Instead, the loader reconstructs it from smaller chunks disguised as document files, so a basic scanner that inspects the archive or the individual files never sees a complete executable before it runs.

Infection chain (Source – Seqrite)

The final stage involves files named sfsvc.exe and 360.dll. Seqrite’s analysis says the malware uses DLL loading, shellcode execution, and process injection to run in memory while the victim sees a legitimate-looking decoy document.
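The chunk-reassembly trick described above is what the recommendation to inspect public user directories for payload fragments is aimed at. The script below is an added triage example, not code from Seqrite, SOC Prime, or the campaign itself. It walks a folder and flags files whose extension says "document" but whose bytes say otherwise: a PE header under a document extension, a header that does not match the extension, and near-random (packed or encrypted) content. The sample files it writes and the numbered fragment naming are constructed assumptions, since the real chunk format is not published.

```python
"""Triage a public user folder for payload fragments disguised as documents.

Added example, not code from Seqrite or SOC Prime. The report says the loader
rebuilds its payload from chunks disguised as document files, but the chunk
naming scheme and encoding are not published, so the sample tree written by
make_sample_tree() is constructed to exercise the checks, not copied from
real artefacts. The checks themselves are generic: a document extension whose
bytes carry a PE header, a header that does not match the extension, and
near-random (packed or encrypted) content.
"""
import math
import os
import random
import re
import tempfile
from collections import defaultdict

# Magic bytes a genuine file of each type begins with (PK = OOXML zip, D0CF11E0 = OLE2).
DOC_MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".rtf": b"{\\rtf",
}
TEXT_EXTS = {".txt", ".log", ".ini"}   # no fixed header, but should not be random bytes
ENTROPY_FLOOR = 7.2                     # bits per byte; encrypted data sits near 8.0
MIN_SIZE = 256                          # entropy of tiny files is meaningless
FRAGMENT_RE = re.compile(r"^(.*?)[._-]?\d{1,3}$")   # name_01, name-2, name3 ...


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_file(path: str) -> list[str]:
    """Reasons a document-looking file resembles a payload fragment (empty if clean)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in DOC_MAGIC and ext not in TEXT_EXTS:
        return []
    with open(path, "rb") as fh:
        head = fh.read(65536)
    reasons = []
    if head.startswith(b"MZ"):
        reasons.append("pe_header")
    expected = DOC_MAGIC.get(ext)
    if expected and not head.startswith(expected):
        reasons.append("magic_mismatch")
    if len(head) >= MIN_SIZE and shannon_entropy(head) >= ENTROPY_FLOOR:
        reasons.append("high_entropy")
    return reasons


def scan_dir(root: str) -> dict:
    """Triage every file under root; group flagged files that share a numbered stem."""
    files, groups = {}, defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            reasons = triage_file(path)
            if not reasons:
                continue
            rel = os.path.relpath(path, root)
            files[rel] = reasons
            stem, ext = os.path.splitext(name)
            m = FRAGMENT_RE.match(stem)
            if m:
                groups[m.group(1).lower() + ext.lower()].append(rel)
    # Two or more flagged files with the same stem look like a chunked payload.
    return {"files": files, "fragment_sets": {k: v for k, v in groups.items() if len(v) > 1}}


def make_sample_tree(root: str) -> None:
    """Write the constructed sample files (seeded, so the result is reproducible)."""
    blob = random.Random(2024).randbytes(4096)      # stand-in for an encrypted payload
    samples = {
        "report.docx": b"PK\x03\x04" + b"Quarterly report body text. " * 60,
        "notes.txt": b"meeting notes, nothing unusual here\n" * 20,
        "loader.pdf": b"MZ" + blob,                  # executable renamed to .pdf
        "invoice_01.doc": blob[:1400],               # encrypted payload split in three
        "invoice_02.doc": blob[1400:2800],
        "invoice_03.doc": blob[2800:],
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan_dir(root)


if __name__ == "__main__":
    result = demo()
    for rel, reasons in result["files"].items():
        print(f"{rel}: {', '.join(reasons)}")
    print("fragment sets:", result["fragment_sets"])
```

Point scan_dir() at C:\Users\Public (or any drop location you suspect) on an endpoint image. The entropy floor is deliberately high so that ordinary compressed documents (OOXML is a zip, and will sit around 7.5 to 7.9 only once the zip header check has already cleared it) are not reported on entropy alone; fragments of an encrypted payload fail the header check and the entropy check together, which is the combination worth escalating.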

The RAT steals credentials and captures screenshots

Once active, the malware can collect sensitive data from browsers, including stored logins, cookies, and browsing history. It can also target tools used by administrators and remote workers.

The malware’s credential theft module reportedly checks FTP client data, remote access tools, SSH-related files, and WeChat data. That makes the campaign especially risky for staff with privileged access to internal systems.

Its screenshot module can capture the victim’s screen, handle multi-monitor setups, and adjust image data before sending it to the command-and-control server. This gives attackers visibility into documents, applications, internal portals, and active workflows.

Why defenders may miss it

Operation GriefLure uses living-off-the-land behavior, which means it abuses legitimate system tools rather than relying only on obvious malware binaries. In this case, ftp.exe plays a key role in the execution chain.

The malware also profiles running processes and installed security products. This can help the attacker adjust behavior based on the victim’s environment and reduce the chance of early detection.

SOC Prime’s analysis also highlights the use of double-compressed archives, malicious LNK files, suspicious execution from public user directories, and C2 communication linked to the campaign.

Signs security teams should monitor

  • Unexpected LNK files delivered through email attachments or compressed archives.
  • ftp.exe execution with unusual command-line arguments.
  • Suspicious files created under public user folders.
  • Rapid creation or execution of sfsvc.exe.
  • Files resembling 360.dll or related DLL loader artifacts.
  • Connections to www[.]whatsappcenter[.]com or 38[.]54[.]122[.]188.
  • Process injection into explorer.exe.
  • Unusual access to browser credential stores, FTP tools, SSH files, or remote access software.
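The signs listed above map onto a handful of telemetry checks. The script below is an added example of those checks run over constructed Sysmon-style events; it is not detection content from Seqrite or SOC Prime and the events are not logs from a real incident. Only indicators the report names are used (ftp.exe as the loader, execution from the public user folder, the sfsvc.exe and 360.dll names, injection into explorer.exe, and the published C2 domain and IP). The loader's exact ftp.exe command line is not published, so treating the script-file switch (-s:file) or a launch straight from explorer.exe as "unusual" is an assumption.

```python
"""Hunt for GriefLure-style process, module, injection and network telemetry.

Added example, not code from Seqrite or SOC Prime. The events below are
constructed Sysmon-style records, not logs from a real incident. Only the
indicators named in the report are used: ftp.exe as the loader, execution
from the public user folder, the sfsvc.exe / 360.dll names, injection into
explorer.exe and the published C2 domain and IP. The loader's exact ftp.exe
command line is not published, so treating the script-file switch (-s:file)
or a launch straight from explorer.exe as "unusual" is an assumption.
"""
from collections import Counter

C2_DOMAINS = {"www.whatsappcenter.com"}
C2_IPS = {"38.54.122.188"}
SUSPECT_NAMES = {"sfsvc.exe", "360.dll"}
PUBLIC_DIR = "c:\\users\\public\\"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flags_for(event: dict) -> list[str]:
    """Return the rule names the event trips, in fixed order (empty if clean)."""
    hits = []
    kind = event.get("EventType")
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if kind == "ProcessCreate":
        parent = _basename(event.get("ParentImage", ""))
        # ftp.exe as a LOLBin: script mode, or spawned by explorer.exe (a double-clicked
        # LNK) instead of a console. Interactive admin use comes from cmd/powershell.
        if _basename(image) == "ftp.exe" and ("-s:" in cmd or parent == "explorer.exe"):
            hits.append("ftp_lolbin")
        # Loader stages and fragments dropped under C:\Users\Public.
        if PUBLIC_DIR in image or PUBLIC_DIR in cmd:
            hits.append("public_folder_path")
        if _basename(image) in SUSPECT_NAMES:
            hits.append("suspect_artifact")
    elif kind == "ImageLoad":
        if _basename(event.get("ImageLoaded", "")) in SUSPECT_NAMES:
            hits.append("suspect_artifact")
    elif kind == "CreateRemoteThread":
        if _basename(event.get("TargetImage", "")) == "explorer.exe":
            hits.append("explorer_injection")
    elif kind == "NetworkConnect":
        if (event.get("DestinationHostname", "").lower() in C2_DOMAINS
                or event.get("DestinationIp") in C2_IPS):
            hits.append("known_c2")
    return hits


def hunt(events: list[dict]):
    """Return ([(index, hits), ...] for flagged events, Counter of rule hits)."""
    flagged = [(i, flags_for(e)) for i, e in enumerate(events)]
    flagged = [(i, h) for i, h in flagged if h]
    return flagged, Counter(r for _, h in flagged for r in h)


# Constructed sample telemetry: events 0-4 mimic the chain described in the
# report, 5 and 6 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r'"C:\Windows\System32\ftp.exe" -s:C:\Users\Public\Documents\report.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\Libraries\sfsvc.exe",
     "CommandLine": r"C:\Users\Public\Libraries\sfsvc.exe",
     "ParentImage": r"C:\Windows\System32\ftp.exe"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\Public\Libraries\sfsvc.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\360.dll"},
    {"EventType": "CreateRemoteThread", "SourceImage": r"C:\Users\Public\Libraries\sfsvc.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "www.whatsappcenter.com", "DestinationIp": "38.54.122.188"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp files.example.net", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Downloads\letter.docx',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    flagged, counts = hunt(SAMPLE_EVENTS)
    for i, hits in flagged:
        print(f"event {i}: {', '.join(hits)}")
    print(dict(counts))
```

The four event kinds correspond to Sysmon event IDs 1 (process creation), 7 (image load), 8 (CreateRemoteThread) and 3 (network connection); feeding exported JSON from those channels into hunt() is the intended use. The known_c2 rule is the most brittle, since domains and IPs are cheap for the operators to rotate, so the behavioural rules (ftp.exe spawned from explorer.exe, execution out of C:\Users\Public, a thread created in explorer.exe) are the ones worth keeping after the published indicators go stale.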

What organizations should do now

Organizations in telecom, healthcare, government, and law enforcement should treat this campaign as a high-risk spear phishing threat. The use of real documents makes standard phishing awareness less reliable on its own.

Security teams should block known indicators, hunt for LNK-based delivery chains, and monitor native Windows binaries used in unusual ways. They should also inspect public user directories for payload fragments, DLL loaders, and files that do not match normal software activity.

Teams should also review access logs for sensitive systems, rotate credentials where exposure is suspected, and isolate any endpoint that shows signs of the malware. Affected organizations should preserve memory and forensic artifacts before rebuilding systems.

Summary

  • Operation GriefLure targets Vietnam’s military-linked telecom sector, Vietnamese cybercrime investigators, and Philippine healthcare organizations.
  • The attackers used real and convincing documents to improve the success of spear phishing emails.
  • The infection chain abuses Windows LNK files and the native ftp.exe utility.
  • The modular RAT can steal browser credentials, capture screenshots, and profile security tools.
  • Defenders should monitor LNK execution, suspicious ftp.exe activity, public-folder payloads, and the known C2 infrastructure.

FAQ

What is Operation GriefLure?

Operation GriefLure is a targeted spear phishing campaign that delivers modular RAT malware through malicious Windows LNK files hidden inside compressed archives.

Why is this campaign difficult to detect?

The campaign uses legitimate-looking documents, native Windows tools, payload chunking, DLL loading, and process injection. These techniques can reduce the effectiveness of simple signature-based detection.

What can the malware steal?

The malware can steal browser credentials, cookies, history, FTP client data, SSH-related files, remote access tool data, and other sensitive information.

Who does Operation GriefLure target?

The campaign targets Vietnam’s military-linked telecom sector, Vietnamese cybercrime investigators, and healthcare-related staff in the Philippines.
