North Korean APT37’s “ToyBox Story”: Stealthy Attacks Unveiled

In a recent expose by Genians Security Center (GSC), North Korean-linked APT group APT37 has once again demonstrated its sophisticated cyber operations. Dubbed “Operation: ToyBox Story,” the campaign launched in March 2025 used spear phishing tactics disguised as invitations to a national security forum hosted by a South Korean think tank.

“APT37 lured targets by referencing an actual event titled ‘Trump 2.0 Era: Prospects and South Korea’s Response,’” GSC revealed in its executive summary.

The attackers used Dropbox as both a delivery and command-and-control (C2) channel, following their known pattern of abusing trusted cloud platforms like pCloud, Yandex, and OneDrive—a technique GSC terms “Living off Trusted Sites (LoTS).”

Case A impersonated a security expert and sent an attachment named “To North Korean Soldiers Deployed to the Russian Battlefield.hwp.” The ZIP archive hosted on Dropbox contained a malicious .lnk file that launched malware under the guise of a Hangul Word Processor document.

Case B involved a fake invitation to a national security conference. The attacker embedded a .lnk file alongside a harmless image in a ZIP archive named “Related Poster.zip”.

“The LNK file executes a hidden PowerShell command… triggering a fileless attack chain that leads to RoKRAT malware execution,” GSC warns.

The final payload in both cases was RoKRAT, a well-documented remote access trojan linked to North Korea. RoKRAT is delivered via an obfuscated, memory-resident PowerShell script that decrypts shellcode in memory using XOR logic, avoiding disk-based detection.

Once executed, RoKRAT:

• Collects system information (e.g., device name, OS version, BIOS)
• Takes screenshots
• Communicates with C2 servers over Dropbox using hardcoded access tokens
• Stores and executes payloads like KB400928_doc.exe from infected hosts

“RoKRAT captures real-time screenshots… saved in the temp folder as .tmp files with hexadecimal filenames,” GSC states.

The exfiltrated data is multi-layer encrypted: XOR-obfuscated, AES-CBC-128 encrypted, and finally RSA-wrapped—before transmission to a Dropbox-based C2.

APT37’s infrastructure overlaps with previous attacks involving K-Messenger-delivered HWP malware and zero-day exploits like CVE-2022-41128. GSC identified reused email addresses tied to Yandex and Gmail accounts, some of which matched names on LinkedIn.

“Username searches based on the Yandex email addresses returned LinkedIn profiles with matching names. However, it is unclear whether these are mere coincidences, cases of identity theft, or impersonation,” GSC continues.

APT37 also uses NordVPN and AstrillVPN to obscure origin IPs, as noted in Google’s advisory on DPRK IT workers.

The operation showcases APT37’s ongoing reliance on fileless malware, PowerShell obfuscation, and cloud-based C2. “Detection and response via EDR solutions are more effective,” GSC recommends, urging anomaly-based threat hunting techniques.

Related Posts:

• North Korean APT-C-28 Expands Cyber Espionage Campaign
• North Korea hacker group APT37 is using zero-day vulnerability to attack Japan, Vietnam and the Middle East countries
• SHROUDED#SLEEP: APT37’s Advanced Evasion and Persistence Tactics in Southeast Asia
• Semrush Impersonation Scam Targets Google Ads

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy