
CloudSEK has uncovered a stealthy malware campaign targeting shoppers in the Middle East during Ramadan. The attack uses fake coupon offers and festive discount lures to deliver a multi-stage Remote Access Trojan (RAT) that can steal files, capture screenshots, run remote commands, and quietly exfiltrate data.
The campaign takes advantage of one of the region’s busiest shopping periods. It impersonates a Ramadan offer linked to AlCoupon and names popular retail brands such as Hyper One, Carrefour, Saudi, and Metro. The malicious document promises discounts and a Ramadan basket worth 2,000 EGP. But once opened and macros are enabled, it launches a hidden infection chain designed to avoid detection.
What makes this campaign stand out is how it combines a convincing lure with stealthy execution. Instead of delivering a typical malware file, the attackers write obfuscated C# code directly onto the victim’s machine and use legitimate Microsoft tools such as csc.exe, MsBuild.exe, ilasm.exe, and rundll32.exe to compile and run it. By abusing trusted system tools, the malware blends into normal activity and becomes harder to detect.
CloudSEK said the final payload is a full-featured Remote Access Trojan (RAT) that allows attackers to control infected systems, steal files, capture screenshots, execute shell commands, and maintain ongoing access. In another evasive step, stolen files and screenshots are uploaded through AWS S3 presigned URLs instead of being sent directly to attacker-controlled servers, making the data theft harder to spot through standard command-and-control monitoring. (For more details, read the full report)
The campaign appears to be tailored for the Middle East. The lure is written in Arabic, uses Ramadan-themed messaging, and references familiar retail brands. It also uses the promo code RAMADAN25 to appear legitimate. CloudSEK said the campaign combines local context, seasonal urgency and technical stealth to improve its chances of success.
“This campaign shows how threat actors are adapting their tactics to local behaviour, seasonal trust and consumer habits. The risk lies not just in the lure, but in the way the malware abuses legitimate tools and trusted cloud infrastructure to avoid detection,” said Ayush Panwar, Threat Intelligence researcher, CloudSEK.
CloudSEK said the infection begins when a victim opens a weaponized Word document and enables macros. A hidden VBA macro then creates a staging folder, writes more than 180 KB of obfuscated C# code line by line, compiles it into an executable using the system’s native .NET tools, and runs it silently. A second-stage loader then decrypts configuration strings, contacts a delivery server, retrieves a raw MSIL payload, converts it into a DLL, and executes it through rundll32.exe.
The malware, identified under the namespace Ftu4You, is built to maintain long-term access. It collects system details including username, hostname, CPU, RAM, operating system, uptime and privilege level. It can also run multiple command sessions at once. To reduce the forensic trail, it deletes temporary source code, intermediate files and staging artifacts after execution.
CloudSEK also identified several detection signals tied to the campaign. These include suspicious process chains such as WINWORD.exe spawning csc.exe, the creation of files such as quanta.exe and msid.txt, unusual use of rundll32.exe from user directories, and network indicators linked to article-learning[.]com and article-learning[.]xyz. The company also advised security teams to watch for unusual S3 PUT requests from non-browser or non-backup processes, as well as suspicious downloads using an outdated Chrome/93 user agent.
CloudSEK said the campaign reflects a broader trend in cybercrime, where attackers combine targeted social engineering, living-off-the-land techniques and trusted cloud services to improve stealth. For retailers, businesses and public-facing organizations in the Middle East, it is a reminder that festive and seasonal messaging can quickly be turned into an effective malware delivery channel.
The company advised users to be cautious of unsolicited promotional documents, especially files that ask them to enable editing or macros. It also urged enterprises to monitor Office applications invoking compilers or LOLBins, block the identified malicious infrastructure at the DNS and firewall layers, and review endpoint telemetry for suspicious document-led execution chains.
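The process-chain and file-name signals listed above can be turned into a simple triage rule over endpoint process-creation telemetry. The following is an added example, not code from CloudSEK or its report; the event field names and the sample events are constructed assumptions.

```python
import re

# Process and artifact names come from the CloudSEK write-up; the event
# fields and sample events below are constructed, not the report's telemetry.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
COMPILERS_AND_LOLBINS = {"csc.exe", "msbuild.exe", "ilasm.exe", "rundll32.exe"}
STAGING_NAMES = {"quanta.exe", "msid.txt"}
# A DLL argument under C:\Users\<name>\... rather than a system directory
USER_DIR_DLL = re.compile(r"c:\\users\\[^\\ ]+\\.*?\.dll", re.IGNORECASE)


def classify(event):
    """Return detection labels for one process-creation event (a dict)."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmdline = event["cmdline"].lower()
    labels = []
    # Office launching a .NET compiler or rundll32 is the core chain here
    if parent in OFFICE_PARENTS and image in COMPILERS_AND_LOLBINS:
        labels.append("office_spawns_compiler_or_lolbin")
    # rundll32 loading a DLL from a user profile directory
    if image == "rundll32.exe" and USER_DIR_DLL.search(cmdline):
        labels.append("rundll32_dll_from_user_dir")
    # Staging artifact names from the report appearing in any argument
    basenames = {tok.rsplit("\\", 1)[-1] for tok in cmdline.split()}
    if basenames & STAGING_NAMES:
        labels.append("staging_artifact_name")
    return labels


def scan(events):
    """Return (index, labels) for every event that trips at least one rule."""
    scored = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, labels) for i, labels in scored if labels]


# Constructed sample events modelled on the chain described in the report
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "csc.exe",
     "cmdline": r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\stage\quanta.exe main.cs"},
    {"parent": "quanta.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage\payload.dll,Run"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": "WINWORD.EXE", "image": "splwow64.exe",  # benign print helper
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], hits)
```

Only the first two constructed events are flagged; a normal Word child process and a rundll32 call against a System32 DLL stay quiet, which is the false-positive floor a rule like this needs before it is useful on real telemetry.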
“Threat actors do not need highly advanced exploits to cause serious damage. A trusted retail theme, a seasonal offer and a stealthy execution chain can be enough. Defenders need to look more closely at how legitimate tools, familiar brands and cloud services are being misused together,” said Panwar.