Attack Scenario | Image: Genians Security Center
The North Korea-linked threat actor APT37, known for its persistent cyberespionage campaigns in South Korea and beyond, has unveiled a new level of stealth in its latest attack chain. In a recent report, the Genians Security Center (GSC) revealed the discovery of a novel variant of RoKRAT, a backdoor malware long associated with APT37. This iteration integrates deceptive shortcut (LNK) files and sophisticated steganographic payload delivery to stay ahead of traditional detection methods.
“This type of attack continues to be observed in South Korea, indicating a high level of threat activity. Its persistence suggests that it remains an effective method of compromise,” GSC states.
The attack begins with a compressed archive titled “National Intelligence and Counterintelligence Manuscript.zip”, which contains a malicious LNK file of the same name. At 54MB, the LNK file is far larger than any genuine shortcut, because it carries multiple embedded payloads, including:
- A decoy HWP document
- A PowerShell command (ttf02.dat)
- A shellcode file (ttf01.dat)
- A batch script (ttf03.bat)
These components are chained for execution, with the batch script invoking the PowerShell loader, which in turn decodes the shellcode embedded in ttf01.dat using a simple XOR routine:
This operation transforms the obfuscated data into a 32-bit executable, identified as a RoKRAT variant. According to Genians, the embedded Program Database (PDB) path offers rare insight into the malware’s origin:
A second RoKRAT variant, observed on July 20, 2025, shifts tactics by targeting notepad.exe instead of the now-deprecated mspaint.exe, aligning with recent changes in Windows 11’s application structure. This variant includes a revised path:
The recurring use of the folder name “Weapon” links this campaign to earlier cases documented in Genians’ K Messenger and ToyBox Story reports.
RoKRAT maintains its reliance on free cloud storage APIs for Command-and-Control (C2), continuing its stealthy communications via legitimate domains such as:
- api.pcloud.com
- cloud-api.yandex.net
- api.dropboxapi.com
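The detection opportunity here is the mismatch between process and destination: the report's hosts are legitimate storage APIs, but the processes RoKRAT lives in (notepad.exe, mspaint.exe) have no reason to contact them. The following is an added example, not code from Genians or the report, that runs that rule over a few constructed log lines. The log format, hostnames, PIDs and the `KNOWN_SYNC_CLIENTS` allowlist are assumptions for illustration; the three C2 hosts and the two injection targets come from the report.

```python
import re

# Cloud storage API hosts the report names as RoKRAT C2 channels.
C2_CLOUD_HOSTS = {"api.pcloud.com", "cloud-api.yandex.net", "api.dropboxapi.com"}

# Programs the report says RoKRAT shellcode is injected into; neither has any
# reason to talk to a cloud storage API.
INJECTION_HOSTS = {"notepad.exe", "mspaint.exe"}

# Processes expected to use these APIs. Constructed starting point, not an
# authoritative list: baseline it from your own environment.
KNOWN_SYNC_CLIENTS = {"dropbox.exe"}

# Constructed log format (not any real EDR or proxy product):
#   <iso-timestamp> <hostname> <process-image> pid=<n> dst=<destination-host>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<dst>\S+)$"
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["proc"] = ev["proc"].lower()
    ev["dst"] = ev["dst"].lower().rstrip(".")
    return ev


def classify(ev: dict):
    """Severity for one outbound connection, or None if it is not of interest."""
    if ev["dst"] not in C2_CLOUD_HOSTS:
        return None
    if ev["proc"] in INJECTION_HOSTS:
        return "high"      # notepad/mspaint reaching a storage API matches the report's TTP
    if ev["proc"] in KNOWN_SYNC_CLIENTS:
        return "info"      # expected traffic, keep only for baselining
    return "medium"        # any other process: review the parent chain and the binary


def scan_log(lines):
    """Return (severity, host, process, destination) for every line worth a look."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sev = classify(ev)
        if sev is not None:
            findings.append((sev, ev["host"], ev["proc"], ev["dst"]))
    return findings


# Constructed sample telemetry; hostnames, PIDs and times are made up.
SAMPLE_LOG = """\
2025-07-21T09:14:02Z ws01 Dropbox.exe pid=4120 dst=api.dropboxapi.com
2025-07-21T09:15:37Z ws02 notepad.exe pid=5288 dst=api.dropboxapi.com
2025-07-21T09:16:11Z ws02 chrome.exe pid=2210 dst=www.example.com
2025-07-21T09:17:45Z ws03 powershell.exe pid=6012 dst=api.pcloud.com
2025-07-21T09:18:03Z ws04 mspaint.exe pid=3904 dst=cloud-api.yandex.net
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for sev, host, proc, dst in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {host}: {proc} -> {dst}")
```

The "medium" tier is deliberately broad: a scripting host or an unknown binary reaching one of these APIs is not proof of RoKRAT, but it is exactly the event whose parent chain (batch script, PowerShell loader) is worth pulling, and the allowlist is what keeps the rule quiet on machines that legitimately run a sync client.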
In the most recent samples, two Dropbox tokens were found embedded in the shellcode. Upon analysis, Genians uncovered corresponding email accounts:
“The fact that email addresses used by APT37’s operators for cloud service registration continue to surface on LinkedIn is a noteworthy observation.”
GSC further highlighted a more covert delivery mechanism via DLL side-loading and steganography. A disguised DLL (mpr.dll) loaded a temporary image file (version1.0.tmp) containing a RoKRAT payload embedded within a JPEG image.
The image file, appearing benign at first glance, contained shellcode hidden behind layers of XOR encoding using keys 0xAA and 0x29. This image was downloaded from Dropbox upon document execution — another indication of RoKRAT’s adaptive approach.
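Both XOR stages described above (the PowerShell loader decoding ttf01.dat, and the JPEG carrying a payload under the 0xAA and 0x29 keys) are cheap to reverse in triage, because a single-byte XOR preserves the structure of what it hides. The following is an added example, not code from Genians or the report: it walks a JPEG's marker segments to find where the real image ends, carves whatever follows, and tries every single-byte key until an MZ/PE header appears. Two assumptions are not from the report: that the payload sits after the EOI marker rather than inside a segment, and that each XOR layer is a plain whole-buffer single-byte XOR (in which case two layers collapse to one key, 0xAA ^ 0x29 = 0x83, and a 256-key search finds it without knowing either key). The JPEG and PE stub are constructed here and are not the real sample.

```python
import struct

# XOR keys Genians reports for this sample; every other single-byte key is
# brute-forced as well, so the check does not depend on knowing them.
REPORTED_KEYS = (0xAA, 0x29)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over a whole buffer."""
    return bytes(b ^ key for b in data)


def jpeg_end_offset(image: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI, or -1.
    Walking segments (rather than searching for FF D9) avoids stopping early on an
    FF D9 that happens to occur inside an embedded thumbnail or the payload itself."""
    if image[:2] != b"\xff\xd8":                 # SOI
        return -1
    pos = 2
    while pos + 2 <= len(image):
        if image[pos] != 0xFF:
            return -1                            # lost sync with the marker stream
        marker = image[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # TEM, RSTn, SOI: no length field
            pos += 2
            continue
        if pos + 4 > len(image):
            return -1
        seg_len = struct.unpack_from(">H", image, pos + 2)[0]
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            while pos + 1 < len(image):
                nxt = image[pos + 1]
                if image[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # real marker (FF00 is stuffing, RSTn is data)
                pos += 1
    return -1


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_image(image: bytes):
    """Carve what follows the JPEG EOI and try every single-byte XOR key on it.
    Returns (effective_key, offset, decoded_payload) or None. Two whole-buffer
    single-byte XOR layers collapse into one key (k1 ^ k2); that each layer is
    such a plain XOR is an assumption here, not a detail taken from the report."""
    end = jpeg_end_offset(image)
    if end == -1 or end >= len(image):
        return None
    trailer = image[end:]
    for key in range(256):
        decoded = xor_bytes(trailer, key)
        if looks_like_pe(decoded):
            return key, end, decoded
    return None


# ---- constructed sample, not the file from the report ----
def build_minimal_jpeg() -> bytes:
    """Smallest JPEG-shaped byte string that the walker above accepts."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"               # entropy data with one stuffed FF00
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def build_pe_stub() -> bytes:
    """MZ/PE header skeleton only: no sections, no code, not executable."""
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_sample() -> bytes:
    """JPEG with the stub appended after EOI, XOR-encoded with 0xAA and then 0x29."""
    payload = build_pe_stub()
    for key in REPORTED_KEYS:
        payload = xor_bytes(payload, key)
    return build_minimal_jpeg() + payload


if __name__ == "__main__":
    hit = scan_image(build_sample())
    if hit:
        key, off, blob = hit
        print(f"hidden PE header at offset {off}, effective key 0x{key:02X}, {len(blob)} bytes")
    else:
        print("nothing PE-like after EOI")
```

On a real image the same scan is the first thing to run on any `.tmp` file that an unexpected DLL such as mpr.dll opens, and a hit on a key other than 0x00 is itself a strong signal: legitimate image files do not carry XOR-encoded executables behind their EOI marker.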