Adversary Intelligence

Executive Summary

This report documents the full technical analysis of a sophisticated multi-stage malware campaign that uses a socially engineered Ramadan discount lure to compromise Windows endpoints in the Middle East. The malicious document masquerades as a promotional offer from AlCoupon (a well-known Egyptian coupon aggregation website), enticing targets with fake discount codes for major retail chains including Hyper One, Carrefour, Saudi, and Metro, along with the promise of winning a Ramadan basket worth 2,000 EGP.

Upon opening, a hidden VBA macro silently drops, compiles, and executes a C# loader. The loader contacts a delivery C2, fetches a raw MSIL assembly, compiles it on-device, and executes it via rundll32. The resulting payload is a full-featured Remote Access Trojan (RAT) operating under the namespace Ftu4You. The RAT communicates with a dedicated C2 panel over HTTPS and supports persistent remote shell access, full-screen screenshot capture, remote filesystem browsing, bidirectional file transfer, and session management, routing all file exfiltration through AWS S3 presigned URLs to evade network-layer detection.

All file exfiltration (screenshots, documents) routes through AWS S3 presigned URLs, bypassing C2 traffic inspection, HTTPS interception, and domain-based DLP entirely.
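The execution chain summarised above (Office macro compiling a C# loader, payload launched via rundll32, exfiltration to S3 presigned URLs) leaves a recognisable pattern in endpoint telemetry. The following is an added detection sketch, not code from the report or from the malware; it runs over constructed Sysmon-style process and network events, and the image names, field layout and sample URL are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample telemetry in a Sysmon-like shape (not taken from the report).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Query parameters that only appear on SigV4 presigned S3 URLs.
PRESIGN_KEYS = {"X-Amz-Signature", "X-Amz-Credential", "X-Amz-Expires"}

EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "winword.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": "csc.exe"},       # macro compiles the C# loader
    {"type": "proc", "pid": 300, "ppid": 200, "image": "rundll32.exe"},  # compiled payload run via rundll32
    {"type": "net", "pid": 300, "url": "https://bucket.s3.amazonaws.com/shot.png"
        "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=PLACEHOLDER"
        "&X-Amz-Expires=900&X-Amz-Signature=PLACEHOLDER"},
    {"type": "proc", "pid": 400, "ppid": 1, "image": "chrome.exe"},
    {"type": "net", "pid": 400, "url": "https://example.com/index.html"},
]

def is_presigned_s3(url):
    """True when the host is an AWS endpoint and the query carries SigV4 presign fields."""
    p = urlparse(url)
    return "amazonaws.com" in p.netloc.lower() and bool(PRESIGN_KEYS & set(parse_qs(p.query)))

def ancestors(tree, pid):
    """Yield image names of pid and each parent, stopping at unknown or cyclic ppids."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield tree[pid]["image"].lower()
        pid = tree[pid]["ppid"]

def detect(events):
    tree = {e["pid"]: e for e in events if e["type"] == "proc"}
    alerts = []
    for e in events:
        if e["type"] == "proc":
            image = e["image"].lower()
            if image == "csc.exe" and tree.get(e["ppid"], {}).get("image", "").lower() in OFFICE:
                alerts.append(("office_spawns_compiler", e["pid"]))       # stage 1: macro -> csc.exe
            if image == "rundll32.exe" and any(a in OFFICE for a in ancestors(tree, e["ppid"])):
                alerts.append(("rundll32_under_office_chain", e["pid"]))  # stage 2: payload launch
        elif e["type"] == "net" and is_presigned_s3(e["url"]):
            chain = list(ancestors(tree, e["pid"]))
            if chain and chain[0] not in BROWSERS:
                alerts.append(("presigned_s3_from_nonbrowser", e["pid"]))  # stage 3: exfiltration
    return alerts

if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"ALERT {name} pid={pid}")
```

Because the presigned URL itself is the only observable on the wire, the third rule keys on the signature parameters and the originating process rather than on a C2 domain, which is what the report says domain-based DLP misses.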

Download the full report

أيوش بانوار
Cybersecurity Consultant who loves hacking, breaking things, and learning new ways to secure them.
