Attack Flow of Police Official Impersonation Case | Image: Genians Security Center
In the world of cyberespionage, familiarity can be a fatal mistake for defenders. Just as security teams grow comfortable identifying a threat actor’s typical footprint, the most disciplined adversaries shift their shape. Genians Security Center has recently deconstructed a sophisticated new campaign suspected of being associated with APT37, a notorious North Korean-linked threat group.
The campaign represents a high-velocity evolution in social engineering, combining “an obfuscated batch file command invocation technique with Compiled Python-based malware” to maintain a persistent, silent foothold in target networks.
The attack lifecycle begins with precision spear-phishing. Rather than generic lures, the threat actor utilized highly specific themes designed to “arouse curiosity” among its targets. These included:
- Fake airline e-tickets.
- Invitations to exclusive North Korea research events.
- Impersonation of high-ranking defense and police officials.
The initial access is carried out through “ZIP-compressed malicious LNK files attached” to these emails. Once a user is induced to execute the LNK shortcut, the silent assembly of the malware begins.
The technical brilliance of this campaign lies in its use of environment variables to hide from automated detection. When the LNK file is run, it calls a batch (.BAT) file using “environment variable-based obfuscated commands to download additional payloads”.
By utilizing a “substring expansion technique,” the actual malicious command is only reconstructed at the moment of execution, effectively bypassing static analysis. The researchers observed a sequence of these batch files maintaining constant communication with the Command-and-Control (C2) server.
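To see what the "substring expansion" trick does and how a triage script can undo it, here is an added analyst helper (my own example code, not from the Genians report or the samples it describes). It emulates cmd.exe's `%VAR:~start,len%` slicing, including negative offsets, resolves each expansion against a hypothetical known environment, and flags lines assembled from several slices; the batch fragment and environment values are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches a cmd.exe substring expansion: %VAR:~start% or %VAR:~start,len%
SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")

def cmd_substring(value: str, start: int, length: Optional[int] = None) -> str:
    """Emulate cmd.exe %VAR:~start,len% slicing (negative values count from the end)."""
    n = len(value)
    if start < 0:
        start = max(0, n + start)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length  # negative len trims the tail
    return value[start:end] if end > start else ""

@dataclass
class Row:
    line_no: int
    original: str
    resolved: str
    expansions: int  # number of substring expansions found on the line

def deobfuscate(script: str, env: Dict[str, str]) -> List[Row]:
    """Resolve every substring expansion whose variable is in the supplied environment."""
    upper_env = {k.upper(): v for k, v in env.items()}  # cmd variable names are case-insensitive

    def repl(m: "re.Match[str]") -> str:
        val = upper_env.get(m.group(1).upper())
        if val is None:
            return m.group(0)  # unknown variable: leave the expression visible for the analyst
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(val, int(m.group(2)), length)

    return [Row(i, line, SUBSTR_RE.sub(repl, line), len(SUBSTR_RE.findall(line)))
            for i, line in enumerate(script.splitlines(), start=1)]

def flag_suspicious(rows: List[Row], min_expansions: int = 2) -> List[Row]:
    """Lines that stitch a command together from several slices are the triage candidates."""
    return [r for r in rows if r.expansions >= min_expansions]

# Constructed sample: a harmless batch fragment that builds strings from COMSPEC slices
ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}  # hypothetical value of the victim environment
SAMPLE_BAT = "\r\n".join([
    "@echo off",
    'set "d=%COMSPEC:~0,1%%COMSPEC:~1,2%Users\\Public"',
    "%COMSPEC:~-7,3% /c echo reconstructed > %d%\\out.txt",
])

if __name__ == "__main__":
    for r in flag_suspicious(deobfuscate(SAMPLE_BAT, ENV), min_expansions=1):
        print(f"line {r.line_no}: {r.original!r} -> {r.resolved!r}")
```

Feeding a real batch file and the environment captured from the affected host (or a sandbox) into `deobfuscate` yields the command line that static scanners never saw, which is what behaviour-based detection rules should key on.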
The final stage of the infection involves the delivery of a Compiled Python Script malware file, disguised with a peculiar .cat extension. This “cat” file is responsible for performing follow-up activities, likely ranging from data exfiltration to further system compromise.
Despite the threat actor’s efforts to rotate their infrastructure—constantly changing domains, IP addresses, and file names to “conceal traces of past activity”—the internal architecture of the attack remains consistent.
The Genians report highlights a recurring blueprint in the attacker’s methods:
“Meaningful commonalities are repeatedly observed in specific batch script execution methods, configuration file structures, the use of intermediate loading files, and the staged structure of the infection chain.”
This consistency suggests that while the external “skin” of the campaign changes, the attacks are “likely being operated continuously based on the same or similar attack framework or development resources”.
The APT37-linked campaign serves as a reminder that traditional, signature-based defenses are insufficient against modern spear-phishing. Because the malicious command line is only reassembled at run time from slices of environment variables, the strings that file-based filters look for never appear intact on disk, so the logic stays invisible to many standard controls.
To counter this threat, the Genians Security Center advises that “a behavior-based EDR response framework should be strengthened to identify obfuscation and multi-stage download abuse behavior”. In an era where a simple .LNK file can reconstruct a multi-stage Python implant in seconds, defending the network requires looking past the file extension and monitoring the behavior of the system itself.