Operation GriefLure: Precision Social Engineering Meets Modular Malware
Cybersecurity researchers have identified a highly sophisticated spear-phishing campaign, designated as Operation GriefLure, which targets high-ranking executives in Vietnam and the Philippines.
Unlike broad-spectrum phishing attacks, this campaign is a surgical strike, utilizing a custom-built, modular Remote Access Trojan (RAT) designed to bypass modern endpoint defenses through advanced Living-off-the-Land (LotL) techniques.
The campaign demonstrates a calculated approach to regional cyber-espionage, specifically targeting high-value organizations. Key targets include Viettel Group, Vietnam’s largest military-backed telecommunications provider, and St. Luke’s Medical Center (SLMC) in the Philippines. This selection suggests an adversary focused on critical infrastructure and sensitive personal/corporate data.
The Art of the Lure: Hyper-Realistic Decoys
What distinguishes Operation GriefLure from standard phishing is the depth of its psychological manipulation. The attackers do not rely on generic “urgent” emails; instead, they weaponize context-specific, authentic documentation to manufacture credibility.
- Vietnam Campaign: Attackers leveraged actual legal and investigative documentation related to a real-world data breach dispute involving Viettel. By embedding police reports, internal corporate emails, and signed admissions, the lure became virtually indistinguishable from legitimate legal correspondence.
- Philippines Campaign: The campaign utilized a sophisticated whistleblower fabrication. The documents accused St. Luke’s Medical Center of financial fraud and compliance failures, specifically referencing high-stakes regulatory risks involving PhilHealth and JCI accreditation. This was precision-engineered to trigger immediate panic among healthcare administrators.
Technical Analysis: The Infection Chain
As detailed in a recent technical breakdown by Seqrite Labs, the infection lifecycle is optimized for speed and stealth.
The attack vector begins with a spear-phishing email containing a compressed archive. Inside this archive, the victim encounters decoy PDFs alongside a malicious Windows shortcut (.LNK) file. Upon execution, the LNK file abuses the legitimate ftp.exe Windows utility. This is a classic Living-off-the-Land maneuver, intended to evade detection by standard antivirus solutions that may not flag a native Windows binary.

The malware then executes a “fragmented reconstruction” process. It pulls together various files disguised as innocuous .doc documents to assemble a malicious executable named sfsvc.exe. This entire sequence—from execution to the launch of the payload—occurs in under 10 seconds. To mask this activity, a decoy PDF is opened simultaneously, providing a visual distraction for the user while the background process completes.
The Modular Framework: Post-Exploitation Capabilities
Once the sfsvc.exe loader is active, it deploys a secondary DLL payload (360.dll) which acts as a multi-stage shellcode loader. This architecture is particularly dangerous because it facilitates fileless execution and process injection, making it difficult for traditional forensics to pin down the malicious code in memory.

The RAT maintains communication with its Command-and-Control (C2) server via obfuscated HTTP requests. Once a foothold is established, the attackers possess a versatile toolkit for espionage:
- Credential Harvesting: Extraction of sensitive data from web browsers, FTP clients, and remote access tools.
- Surveillance: Dynamic screenshot capture that adjusts to the user’s current screen resolution.
- System Profiling: Comprehensive process enumeration and system metadata collection.
- Exfiltration: Directory listing and file theft, often disguised as legitimate traffic.
- Persistence: The malware can terminate and relaunch the
explorer.exeprocess to manipulate the user environment and maintain a low profile.
To further evade detection, the malware employs DLL sideloading, XOR-based obfuscation, and utilizes NTFS Alternate Data Streams (ADS) to hide its components within the file system. It also features anti-analysis capabilities, specifically designed to detect and react to the presence of security software.

Attribution and Infrastructure
Analysis of the command-and-control infrastructure reveals the use of whatsappcenter[.]com, a domain hosted on a provider in Hong Kong known for “bulletproof” hosting services. Furthermore, the malware’s specific interest in WeChat data and its references to Chinese-language security software provide moderate-to-high confidence indicators suggesting a China-linked threat actor.
Defensive Recommendations
Operation GriefLure serves as a stark reminder that technical sophistication must be met with behavioral intelligence. Organizations should:
- Monitor LotL Activity: Implement strict logging for the unusual use of native binaries like
ftp.exe,certutil.exe, orpowershell.exe. - Enhance EDR Capabilities: Deploy Endpoint Detection and Response (EDR) tools capable of identifying fileless execution and process injection patterns.
- User Awareness: Train executives on the risks of “contextual” phishing, emphasizing that even highly specific legal or regulatory documents require verification through out-of-band channels.
Indicators of Compromise (IOCs)
| File Name | SHA256 |
|---|---|
| HỒ SƠ BẰNG CHỨNG GHI NHẬN CHUỖI HÀNH VI VI PHẠM PHÁP LUẬT… .lnk | 35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43 |
| Whistleblowing_Report_SLMC_Fraud_and_Misconduct_2026.pdf.lnk | bc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875bf1f17b |
| Valid_Government_Identification_Card_of_Dela_Cruz_Juan_… .png.lnk | 197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6 |
| iPad_Pro_Display_Spec_Final_CONFIDENTIAL.docx.lnk | f34f550147c2792c1ff2a003d15be89e5573f0896c5aa6126068baa4621ef416 |
| 360.8.dll | bc83817c6d2bf8df1d58eac946a12b5e2566b2ffe15cf96f37c711c4b755512b |
| th5znehec.exe | 61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f |
| a.dll | ee6330870087f66a237a7f7c115b65beb042299f12eae1e9004e016686d0c387 |
| SlULIRDJOiq | 91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067 |
| Batch | a49155df50963d2412534090bbd967749268bd013881ddb81d78b87f91cdc15b |
| Batch | 7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d |
Security Advisory: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution. Please re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your organization’s SIEM.