Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
Operation GriefLure is a medium-severity advanced persistent threat (APT) campaign that targeted senior executives at Viettel Group, Vietnam's largest military-owned telecom provider, and St. Luke's Medical Center in the Philippines. The attackers used spear phishing with malicious Windows LNK files hidden in nested RAR archives, leveraging native Windows ftp. exe as a living-off-the-land dropper. The malware assembled polymorphic implants from chunked . doc files on disk, maintained persistence, and displayed legitimate decoy PDFs. It enabled remote access via process injection, harvested credentials from browsers and remote access tools, captured screenshots, and exfiltrated data over HTTPS to bulletproof servers in Hong Kong. No known exploits or patches are indicated, and the campaign is notable for its use of authentic legal documents and fabricated whistleblower complaints to increase credibility.
AI Analysis
Technical Summary
Operation GriefLure is a sophisticated spear phishing campaign targeting high-level personnel in Vietnam's military telecom sector and Philippine healthcare. It weaponizes authentic and fabricated documents to deliver malicious Windows LNK files within nested RAR archives. The campaign abuses the native Windows ftp.exe binary as a living-off-the-land dropper to deploy polymorphic implants assembled from chunked .doc files directly on disk. These implants establish persistence while showing legitimate decoy PDFs to evade detection. The malware facilitates remote access through process injection, steals credentials from browsers and remote access tools, captures screenshots, and exfiltrates data via HTTPS to command-and-control infrastructure hosted on bulletproof servers in Hong Kong. Indicators include multiple file hashes, domains, and an IP address associated with the campaign. There is no CVE or vendor advisory available, and no known exploits in the wild have been reported.
Potential Impact
The campaign compromises targeted systems by establishing persistent remote access, enabling credential theft, screenshot capture, and data exfiltration. This can lead to unauthorized disclosure of sensitive information and potential operational disruption within critical sectors such as military telecommunications and healthcare. The use of authentic documents and living-off-the-land techniques increases the likelihood of successful infiltration and evasion of traditional security controls.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or vendor advisory is provided, organizations should focus on user awareness training to recognize spear phishing attempts, especially those involving legal or whistleblower-themed documents. Monitoring for the identified indicators of compromise (IOCs) such as the listed file hashes, domains (e.g., whatsappcenter.com), and IP addresses can help detect potential infections. Restricting or monitoring the use of native Windows utilities like ftp.exe for suspicious activity may also reduce risk. Incident response teams should analyze suspicious LNK files and nested archives carefully. No official fix or mitigation from vendors is currently documented.
Indicators of Compromise
- domain: www.whatsappcenter.com
- hash: 6c6cbed6aad96564ed87094785be07a1
- hash: 55d6238b01a177e25eb7d53c943f3abea64ec073
- hash: 197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6
- hash: 35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43
- hash: 61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f
- hash: 7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d
- hash: 91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067
- hash: a49155df50963d2412534090bbd967749268bd013881ddb81d78b87f91cdc15b
- hash: bc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875bf1f17b
- hash: bc83817c6d2bf8df1d58eac946a12b5e2566b2ffe15cf96f37c711c4b755512b
- hash: ee6330870087f66a237a7f7c115b65beb042299f12eae1e9004e016686d0c387
- hash: f34f550147c2792c1ff2a003d15be89e5573f0896c5aa6126068baa4621ef416
- ip: 38.54.122.188
- domain: whatsappcenter.com
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
Description
Operation GriefLure is a medium-severity advanced persistent threat (APT) campaign that targeted senior executives at Viettel Group, Vietnam's largest military-owned telecom provider, and St. Luke's Medical Center in the Philippines. The attackers used spear phishing with malicious Windows LNK files hidden in nested RAR archives, leveraging native Windows ftp. exe as a living-off-the-land dropper. The malware assembled polymorphic implants from chunked . doc files on disk, maintained persistence, and displayed legitimate decoy PDFs. It enabled remote access via process injection, harvested credentials from browsers and remote access tools, captured screenshots, and exfiltrated data over HTTPS to bulletproof servers in Hong Kong. No known exploits or patches are indicated, and the campaign is notable for its use of authentic legal documents and fabricated whistleblower complaints to increase credibility.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Operation GriefLure is a sophisticated spear phishing campaign targeting high-level personnel in Vietnam's military telecom sector and Philippine healthcare. It weaponizes authentic and fabricated documents to deliver malicious Windows LNK files within nested RAR archives. The campaign abuses the native Windows ftp.exe binary as a living-off-the-land dropper to deploy polymorphic implants assembled from chunked .doc files directly on disk. These implants establish persistence while showing legitimate decoy PDFs to evade detection. The malware facilitates remote access through process injection, steals credentials from browsers and remote access tools, captures screenshots, and exfiltrates data via HTTPS to command-and-control infrastructure hosted on bulletproof servers in Hong Kong. Indicators include multiple file hashes, domains, and an IP address associated with the campaign. There is no CVE or vendor advisory available, and no known exploits in the wild have been reported.
Potential Impact
The campaign compromises targeted systems by establishing persistent remote access, enabling credential theft, screenshot capture, and data exfiltration. This can lead to unauthorized disclosure of sensitive information and potential operational disruption within critical sectors such as military telecommunications and healthcare. The use of authentic documents and living-off-the-land techniques increases the likelihood of successful infiltration and evasion of traditional security controls.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or vendor advisory is provided, organizations should focus on user awareness training to recognize spear phishing attempts, especially those involving legal or whistleblower-themed documents. Monitoring for the identified indicators of compromise (IOCs) such as the listed file hashes, domains (e.g., whatsappcenter.com), and IP addresses can help detect potential infections. Restricting or monitoring the use of native Windows utilities like ftp.exe for suspicious activity may also reduce risk. Incident response teams should analyze suspicious LNK files and nested archives carefully. No official fix or mitigation from vendors is currently documented.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.seqrite.com/blog/operation-grieflure-dissecting-an-apt-campaign-targeting-vietnams-military-telecom-philippine-healthcare/"]
- Adversary
- null
- Pulse Id
- 69fc841d0cbc4c199d708315
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainwww.whatsappcenter.com | — | |
domainwhatsappcenter.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash6c6cbed6aad96564ed87094785be07a1 | — | |
hash55d6238b01a177e25eb7d53c943f3abea64ec073 | — | |
hash197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6 | — | |
hash35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43 | — | |
hash61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f | — | |
hash7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d | — | |
hash91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067 | — | |
hasha49155df50963d2412534090bbd967749268bd013881ddb81d78b87f91cdc15b | — | |
hashbc090d75f51c293d916c40d4b21094faaec191a42d97448c92d264875bf1f17b | — | |
hashbc83817c6d2bf8df1d58eac946a12b5e2566b2ffe15cf96f37c711c4b755512b | — | |
hashee6330870087f66a237a7f7c115b65beb042299f12eae1e9004e016686d0c387 | — | |
hashf34f550147c2792c1ff2a003d15be89e5573f0896c5aa6126068baa4621ef416 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip38.54.122.188 | — |
Threat ID: 69fda78fcbff5d8610b5624f
Added to database: 5/8/2026, 9:06:23 AM
Last enriched: 5/8/2026, 9:21:21 AM
Last updated: 5/8/2026, 1:52:04 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.