Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.
AI Analysis
Technical Summary
Operation GriefLure is a sophisticated spear phishing campaign targeting high-level personnel in Vietnam's military telecom sector and Philippine healthcare. It weaponizes authentic and fabricated documents to deliver malicious Windows LNK files within nested RAR archives. The campaign abuses the native Windows ftp.exe binary as a living-off-the-land dropper to deploy polymorphic implants assembled from chunked .doc files directly on disk. These implants establish persistence while showing legitimate decoy PDFs to evade detection. The malware facilitates remote access through process injection, steals credentials from browsers and remote access tools, captures screenshots, and exfiltrates data via HTTPS to command-and-control infrastructure hosted on bulletproof servers in Hong Kong. Indicators include multiple file hashes, domains, and an IP address associated with the campaign. There is no CVE or vendor advisory available, and no known exploits in the wild have been reported.
Potential Impact
The campaign compromises targeted systems by establishing persistent remote access, enabling credential theft, screenshot capture, and data exfiltration. This can lead to unauthorized disclosure of sensitive information and potential operational disruption within critical sectors such as military telecommunications and healthcare. The use of authentic documents and living-off-the-land techniques increases the likelihood of successful infiltration and evasion of traditional security controls.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or vendor advisory is provided, organizations should focus on user awareness training to recognize spear phishing attempts, especially those involving legal or whistleblower-themed documents. Monitoring for the identified indicators of compromise (IOCs) such as the listed file hashes, domains (e.g., whatsappcenter.com), and IP addresses can help detect potential infections. Restricting or monitoring the use of native Windows utilities like ftp.exe for suspicious activity may also reduce risk. Incident response teams should analyze suspicious LNK files and nested archives carefully. No official fix or mitigation from vendors is currently documented.
Indicators of Compromise
- domain: www.whatsappcenter.com
- hash: 6c6cbed6aad96564ed87094785be07a1
- hash: 55d6238b01a177e25eb7d53c943f3abea64ec073
- hash: 197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6
- hash: 35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43
- hash: 61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f
- hash: 7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d
- hash: 91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067
- hash: a49155df50963d2412534090bbd967749268bd013881ddb81d78b87f91cdc15b
- hash: bc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875bf1f17b
- hash: bc83817c6d2bf8df1d58eac946a12b5e2566b2ffe15cf96f37c711c4b755512b
- hash: ee6330870087f66a237a7f7c115b65beb042299f12eae1e9004e016686d0c387
- hash: f34f550147c2792c1ff2a003d15be89e5573f0896c5aa6126068baa4621ef416
- ip: 38.54.122.188
- domain: whatsappcenter.com
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
Description
A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Operation GriefLure is a sophisticated spear phishing campaign targeting high-level personnel in Vietnam's military telecom sector and Philippine healthcare. It weaponizes authentic and fabricated documents to deliver malicious Windows LNK files within nested RAR archives. The campaign abuses the native Windows ftp.exe binary as a living-off-the-land dropper to deploy polymorphic implants assembled from chunked .doc files directly on disk. These implants establish persistence while showing legitimate decoy PDFs to evade detection. The malware facilitates remote access through process injection, steals credentials from browsers and remote access tools, captures screenshots, and exfiltrates data via HTTPS to command-and-control infrastructure hosted on bulletproof servers in Hong Kong. Indicators include multiple file hashes, domains, and an IP address associated with the campaign. There is no CVE or vendor advisory available, and no known exploits in the wild have been reported.
Potential Impact
The campaign compromises targeted systems by establishing persistent remote access, enabling credential theft, screenshot capture, and data exfiltration. This can lead to unauthorized disclosure of sensitive information and potential operational disruption within critical sectors such as military telecommunications and healthcare. The use of authentic documents and living-off-the-land techniques increases the likelihood of successful infiltration and evasion of traditional security controls.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or vendor advisory is provided, organizations should focus on user awareness training to recognize spear phishing attempts, especially those involving legal or whistleblower-themed documents. Monitoring for the identified indicators of compromise (IOCs) such as the listed file hashes, domains (e.g., whatsappcenter.com), and IP addresses can help detect potential infections. Restricting or monitoring the use of native Windows utilities like ftp.exe for suspicious activity may also reduce risk. Incident response teams should analyze suspicious LNK files and nested archives carefully. No official fix or mitigation from vendors is currently documented.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.seqrite.com/blog/operation-grieflure-dissecting-an-apt-campaign-targeting-vietnams-military-telecom-philippine-healthcare/"]
- Adversary
- null
- Pulse Id
- 69fc841d0cbc4c199d708315
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainwww.whatsappcenter.com | — | |
domainwhatsappcenter.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash6c6cbed6aad96564ed87094785be07a1 | — | |
hash55d6238b01a177e25eb7d53c943f3abea64ec073 | — | |
hash197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6 | — | |
hash35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43 | — | |
hash61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f | — | |
hash7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d | — | |
hash91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067 | — | |
hasha49155df50963d2412534090bbd967749268bd013881ddb81d78b87f91cdc15b | — | |
hashbc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875bf1f17b | — | |
hashbc83817c6d2bf8df1d58eac946a12b5e2566b2ffe15cf96f37c711c4b755512b | — | |
hashee6330870087f66a237a7f7c115b65beb042299f12eae1e9004e016686d0c387 | — | |
hashf34f550147c2792c1ff2a003d15be89e5573f0896c5aa6126068baa4621ef416 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip38.54.122.188 | — |
Threat ID: 69fda78fcbff5d8610b5624f
Added to database: 05/08/2026, 09:06:23 UTC
Last enriched: 05/08/2026, 09:21:21 UTC
Last updated: 06/23/2026, 12:05:49 UTC
Views: 288
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.