This report documents the full technical analysis of a sophisticated multi-stage malware campaign that uses a socially engineered Ramadan discount lure to compromise Windows endpoints in the Middle East. The malicious document masquerades as a promotional offer from AlCoupon (a well-known Egyptian coupon aggregation website), enticing targets with fake discount codes for major retail chains including Hyper One, Carrefour, Saudi, and Metro, along with the promise of winning a Ramadan basket worth 2,000 EGP.
Upon opening, a hidden VBA macro silently drops, compiles, and executes a C# loader. The loader contacts a delivery C2, fetches a raw MSIL assembly, compiles it on-device, and executes it via rundll32. The resulting payload is a full-featured Remote Access Trojan (RAT) operating under the namespace Ftu4You. The RAT communicates with a dedicated C2 panel over HTTPS and supports persistent remote shell access, full-screen screenshot capture, remote filesystem browsing, bidirectional file transfer, and session management, routing all file exfiltration through AWS S3 presigned URLs to evade network-layer detection.
All file exfiltration (screenshots, documents) routes through AWS S3 presigned URLs, bypassing C2 traffic inspection, HTTPS interception, and domain-based DLP entirely: the upload goes to a legitimate Amazon domain, so a blocklist keyed on the C2 hostname never sees it.
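One detection angle this exfiltration path leaves open is process attribution: a presigned S3 upload is an ordinary HTTPS PUT to an amazonaws.com host, but it is unusual for it to originate from rundll32 or an Office process. The following is an added example, not code from the report; the process-attributed log line format, the suspect-process baseline and every host, bucket, key and signature value in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of process-attributed outbound HTTP events (proxy/EDR style).
# Hosts, bucket names and signature values are made up, not indicators from the report.
SAMPLE_EVENTS = [
    "2024-03-12T10:01:02Z proc=chrome.exe method=GET url=https://www.example.com/",
    "2024-03-12T10:02:15Z proc=rundll32.exe method=PUT url=https://exfil-bkt.s3.eu-west-1.amazonaws.com/scr/host1-1.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20240312%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20240312T100200Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef",
    "2024-03-12T10:03:40Z proc=WINWORD.EXE method=PUT url=https://s3.amazonaws.com/exfil-bkt/docs/report.docx?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=cafebabe&X-Amz-Expires=600",
    "2024-03-12T10:04:00Z proc=backupagent.exe method=PUT url=https://corp-backups.s3.amazonaws.com/daily.tar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=feedface",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$")
# Matches bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com and path-style s3.amazonaws.com.
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
# Hypothetical baseline: processes with no legitimate reason to push objects to S3 via presigned URL.
SUSPECT_PROCS = {"rundll32.exe", "winword.exe", "excel.exe", "powershell.exe", "mshta.exe"}


def is_presigned_s3_upload(method, url):
    """True for an upload (PUT/POST) to an S3 host whose query carries SigV4 presign parameters."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return (method.upper() in ("PUT", "POST")
            and bool(S3_HOST_RE.search((parts.hostname or "").lower()))
            and "X-Amz-Signature" in query and "X-Amz-Algorithm" in query)


def detect_presigned_exfil(lines):
    """Return (timestamp, process, host, object_key) for presigned S3 uploads from suspect processes."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_presigned_s3_upload(m["method"], m["url"]):
            continue
        if m["proc"].lower() in SUSPECT_PROCS:
            parts = urlsplit(m["url"])
            hits.append((m["ts"], m["proc"], parts.hostname, parts.path))
    return hits


if __name__ == "__main__":
    for hit in detect_presigned_exfil(SAMPLE_EVENTS):
        print("presigned S3 upload from suspect process:", hit)
```

The legitimate backup-agent upload in the sample is deliberately not flagged: the signal is the combination of presigned-URL parameters, an upload method and an unexpected originating process, not the S3 destination alone.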