Researchers at Seqrite Lab have uncovered a new spear-phishing operation attributed to APT-37 (ScarCruft / InkySquid / Reaper), a North Korean state-backed cyber espionage group. The campaign, dubbed Operation HanKook Phantom, weaponizes malicious LNK files embedded in decoy documents to infiltrate South Korean government bodies, universities, and research organizations.
The attack begins with threat actors distributing a PDF titled “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52), accompanied by a malicious LNK file disguised with the same name. According to Seqrite, “Once the LNK file is executed, it triggers a payload download or command execution, enabling the attacker to compromise the system.”
Targets include academic figures, former government officials, and researchers, particularly those linked to the National Intelligence Research Association. The decoy document itself looks legitimate, containing upcoming seminars, events, and research updates on national security, energy, and AI developments.

The LNK file conceals PowerShell scripts that extract hidden payloads embedded at specific binary offsets. Seqrite notes: “When executed, PowerShell scans for such .lnk files, extracts a decoy PDF and three embedded payloads, and saves them in %TEMP%.”
The infection chain unfolds in several stages:
- The LNK executes a PowerShell script.
- Embedded payloads (such as aio1.dat and aio02.dat) are dropped in the temp directory.
- An XOR-encrypted binary is decrypted in memory.
- The malware achieves fileless execution via reflective DLL injection, avoiding disk artifacts and complicating detection.
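A shortcut that carries its own decoy and payloads looks very different from a normal one: it is far larger than any real shortcut, its argument string points at PowerShell, and file signatures appear past the 0x4C-byte ShellLinkHeader. The following Python triage script is an added example written for this article, not code from Seqrite or from the campaign; the size threshold, the keyword list and the sample shortcut it builds are this example's own assumptions, chosen to mirror the traits the chain above relies on.

```python
from __future__ import annotations

import struct

# Constants from the MS-SHLLINK specification: header length and the
# ShellLink CLSID that every .lnk file begins with.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Argument fragments rarely seen in a benign shortcut (assumed list for this example).
SUSPICIOUS_ARGS = [
    "powershell", "pwsh", "-enc", "-encodedcommand", "-w hidden",
    "-windowstyle hidden", "-nop", "iex", "frombase64string", "downloadstring",
]

# File signatures whose presence after the header means a second file was appended.
EMBEDDED_MAGIC = {"pdf": b"%PDF-", "pe": b"MZ\x90\x00"}


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a well-formed ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_suspicious_args(data: bytes) -> list[str]:
    """Search ASCII and UTF-16LE (the encoding LNK uses for its string data,
    tried at both byte alignments) for PowerShell-style arguments."""
    views = [data.decode("latin-1").lower()]
    for start in (0, 1):
        views.append(data[start:].decode("utf-16-le", errors="ignore").lower())
    return [needle for needle in SUSPICIOUS_ARGS if any(needle in v for v in views)]


def find_embedded_files(data: bytes) -> list[tuple[str, int]]:
    """Report every file signature found past the header, with its offset."""
    found = []
    for label, magic in EMBEDDED_MAGIC.items():
        offset = data.find(magic, LNK_HEADER_SIZE)
        while offset != -1:
            found.append((label, offset))
            offset = data.find(magic, offset + 1)
    return found


def triage_lnk(data: bytes, size_threshold: int = 16 * 1024) -> dict:
    """Combine the three checks; the threshold (16 KiB) is an assumption that
    comfortably exceeds the size of ordinary shortcuts."""
    args = find_suspicious_args(data)
    embedded = find_embedded_files(data)
    oversized = len(data) > size_threshold
    return {
        "valid_header": is_lnk(data),
        "oversized": oversized,
        "suspicious_args": args,
        "embedded_files": embedded,
        "verdict": "suspicious" if (args or embedded or oversized) else "clean",
    }


def build_sample() -> bytes:
    """Constructed stand-in for a weaponized shortcut: real header bytes, a
    UTF-16LE PowerShell command line, then a fake decoy PDF and a fake PE stub."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    args = "powershell -w hidden -enc AAAA".encode("utf-16-le")
    filler = b"\x00" * (20 * 1024)                      # pushes the file past the threshold
    decoy_pdf = b"%PDF-1.4\n" + b"decoy" * 100
    payload = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    return header + args + filler + decoy_pdf + payload


def build_clean_sample() -> bytes:
    """Constructed minimal shortcut with nothing appended."""
    return struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * 60


if __name__ == "__main__":
    print(triage_lnk(build_sample()))
    print(triage_lnk(build_clean_sample()))
```

Run against a directory of quarantined shortcuts, the offsets in `embedded_files` also tell an analyst where to carve the decoy and the payload blobs out for separate inspection.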
The final payload is a variant of ROKRAT, a well-documented espionage malware used by APT-37.
The analysis revealed ROKRAT functions designed to gather system information, capture screenshots, and exfiltrate files. Seqrite highlights: “The aio02.dat file contains a PowerShell script that performs in-memory execution of a final payload… decrypts it using a single-byte XOR key… and injects the decoded binary into memory.”
ROKRAT accepts multiple command types, including:
- C – File exfiltration (documents, spreadsheets, audio, PDFs, HWP files).
- E – Remote command execution via cmd.exe.
- H – File enumeration across drives.
- 1–4 – Retrieval and execution of shellcode from the C2 server.
For command-and-control, ROKRAT leverages cloud services like Dropbox, Yandex.Disk, and pCloud to mask its traffic under legitimate APIs.
A second wave of the campaign used a statement by Kim Yo-jong (North Korea’s Vice Department Director) as bait, distributed via another malicious LNK file. Seqrite reports: “The LNK file drops a decoy document named file.doc and creates artifacts in the %TEMP% directory. After dropping these files, the LNK file deletes itself… to hinder forensic analysis.”
This stage also featured fileless execution, with a Base64 and XOR-encoded payload (tony31.dat) injected directly into memory. The malware then exfiltrated data using multipart/form-data HTTP POST requests disguised as PDF uploads, further complicating detection.
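Both waves hide the final binary behind a single-byte XOR key, in the second wave with a Base64 layer as well. Because a PE image has a fixed structure (`MZ` at offset 0 and an `e_lfanew` field at 0x3C pointing at `PE\0\0`), the key can be recovered offline by trying all 256 values and keeping the one that yields a valid header. The Python below is an added example for this article, not code from Seqrite or from the malware; the order in which Base64 and XOR were applied is not stated in the report, so the recovery function tries both orders, and the "PE" it decodes is a constructed header-only stand-in rather than a real executable.

```python
from __future__ import annotations

import base64
import struct
from typing import Optional

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def looks_like_pe(blob: bytes) -> bool:
    """Strict PE check: 'MZ' at 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def recover_single_byte_xor(blob: bytes) -> Optional[tuple[int, bytes]]:
    """Try every key; return (key, plaintext) for the first one producing a PE."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def recover_layered(blob: bytes) -> Optional[tuple[str, int, bytes]]:
    """Handle the three layouts: plain XOR, Base64 over an XORed image, and
    XOR over Base64 text. Returns (layout, key, plaintext) or None."""
    hit = recover_single_byte_xor(blob)
    if hit:
        return ("xor", *hit)
    try:  # layout: base64(xor(pe)) -> decode Base64 first, then brute-force the key
        inner = base64.b64decode(b"".join(blob.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        inner = None
    if inner is not None:
        hit = recover_single_byte_xor(inner)
        if hit:
            return ("base64+xor", *hit)
    for key in range(256):  # layout: xor(base64(pe)) -> key must restore valid Base64
        try:
            inner = base64.b64decode(xor_bytes(blob, key), validate=True)
        except ValueError:
            continue
        if looks_like_pe(inner):
            return ("xor+base64", key, inner)
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image (header fields only, not runnable)."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def build_samples(key: int = 0x5A) -> dict[str, bytes]:
    """Constructed blobs in each layout, encoded with the given key."""
    pe = build_fake_pe()
    return {
        "xor": xor_bytes(pe, key),
        "base64+xor": base64.b64encode(xor_bytes(pe, key)),
        "xor+base64": xor_bytes(base64.b64encode(pe), key),
    }


if __name__ == "__main__":
    for layout, blob in build_samples().items():
        result = recover_layered(blob)
        print(layout, "->", None if result is None else (result[0], hex(result[1])))
```

Replace `build_samples()` with the bytes of a recovered `.dat` file to get the key and the decoded image; because the check insists on a consistent `e_lfanew`, a coincidental `MZ` at offset 0 under some other key does not produce a false hit.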
Seqrite confirms that APT-37 targeted multiple government and research organizations, including:
- National Intelligence Research Association
- Korea University & Kwangwoon University
- Institute for National Security Strategy
- South Korean Ministry of Unification
- Energy Security and Environment Association
The geographic spread of victims includes South Korea, Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and the Middle East.
Seqrite Lab concludes that “Operation HanKook Phantom demonstrates the persistent threat posed by North Korean state-sponsored actors, reinforcing the need for proactive monitoring, advanced detection of LNK-based delivery, and vigilance against misuse of cloud services for command-and-control.”
The campaign’s blend of academic and political decoys, fileless malware execution, and stealthy cloud-based C2 channels underscores the evolving sophistication of North Korean cyber espionage efforts.
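The two stealth techniques the article describes on the network side, C2 over Dropbox, Yandex.Disk and pCloud APIs and exfiltration as multipart POSTs dressed up as PDF uploads, are both visible to a proxy that can see request bodies. The Python below is an added example for this article, not code from Seqrite or the campaign: it parses a raw HTTP request, notes whether the host is one of the storage APIs (the hostnames are this example's assumption about the relevant endpoints) and checks each multipart file part's declared type against its magic bytes. The request it inspects is constructed for the example.

```python
from __future__ import annotations

import re

# Storage services the report names as ROKRAT C2 channels; the hostnames are
# this example's assumption about their API endpoints.
CLOUD_STORAGE_HOSTS = {
    "content.dropboxapi.com", "api.dropboxapi.com",   # Dropbox
    "cloud-api.yandex.net",                            # Yandex.Disk
    "api.pcloud.com",                                  # pCloud
}

# Magic bytes for types a disguised upload is likely to claim.
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/zip": b"PK\x03\x04",
}


def _parse_headers(block: bytes) -> dict[str, str]:
    headers = {}
    for line in block.split(b"\r\n"):
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, path, _ = request_line.decode("latin-1").split(" ", 2)
    return method, path, _parse_headers(header_block), body


def parse_multipart(body: bytes, boundary: str) -> list[tuple[dict[str, str], bytes]]:
    """Split a multipart/form-data body into (part_headers, content) tuples."""
    delimiter = b"--" + boundary.encode("latin-1")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        part_head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):          # CRLF that precedes the next delimiter
            content = content[:-2]
        parts.append((_parse_headers(part_head), content))
    return parts


def inspect_request(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    method, path, headers, body = parse_request(raw)
    findings = []
    host = headers.get("host", "").lower()
    if host in CLOUD_STORAGE_HOSTS:
        findings.append(f"{method} {path} to cloud-storage API {host}")
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.lower().startswith("multipart/form-data") or not m:
        return findings
    for part_headers, content in parse_multipart(body, m.group(1)):
        declared = part_headers.get("content-type", "").split(";")[0].strip().lower()
        expected = MAGIC.get(declared)
        if expected and not content.startswith(expected):
            fn = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
            name = fn.group(1) if fn else "?"
            findings.append(
                f"part {name!r} declares {declared} but content begins with {content[:4]!r}"
            )
    return findings


def build_sample_request() -> bytes:
    """Constructed request in the shape the report describes: a multipart POST
    to a storage API whose 'PDF' part actually carries zip-like bytes."""
    boundary = "----constructed-boundary"
    stolen = b"PK\x03\x04" + b"\x00" * 32                 # constructed non-PDF content
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
        "Content-Type: application/pdf\r\n\r\n"
    ).encode() + stolen + f"\r\n--{boundary}--\r\n".encode()
    head = (
        "POST /2/files/upload HTTP/1.1\r\n"
        "Host: content.dropboxapi.com\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
    ).encode()
    return head + b"\r\n" + body


def build_benign_request() -> bytes:
    """Constructed control case: a genuine PDF sent to an unrelated host."""
    return (build_sample_request()
            .replace(b"PK\x03\x04", b"%PDF-1.7\n")
            .replace(b"content.dropboxapi.com", b"files.example.com"))


if __name__ == "__main__":
    for line in inspect_request(build_sample_request()):
        print(line)
```

Neither finding is conclusive on its own, since staff do upload PDFs to Dropbox, but a non-PDF body labelled `application/pdf` heading to a storage API from a host that has no business doing so is exactly the combination the article's second wave produces, and it is cheap to alert on.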