Particle.news

Seqrite Uncovers APT37’s ‘HanKook Phantom’ Phishing Targeting South Korean Academics With RokRAT

The report describes LNK-based loaders using fileless PowerShell with cloud services for command-and-control.

Overview

  • Researchers attribute the campaign to North Korea-linked ScarCruft (APT37) and say it targets academics, former officials, and researchers tied to a South Korean intelligence-focused association.
  • Emails spoof a “National Intelligence Research Society Newsletter—Issue 52” and deliver a ZIP containing a Windows LNK that opens a decoy while initiating the infection chain.
  • RokRAT serves as the final payload with host fingerprinting, remote command execution, file enumeration, screenshot capture, and anti-VM checks, using Dropbox, Google Cloud, pCloud, and Yandex for exfiltration and C2.
  • A related variant uses an LNK to run PowerShell, drop a decoy Word document, deploy a dropper, and disguise data theft as Chrome file uploads, leveraging a July 28 statement attributed to Kim Yo Jong as the lure.
  • Seqrite assesses objectives that include data theft, persistence, and long-term espionage and urges monitoring for LNK-based delivery chains and abuse of cloud infrastructure.
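The monitoring Seqrite recommends starts with the delivery artifact itself: a shortcut whose target is PowerShell with a hidden window, an encoded command or an execution-policy bypass is the hallmark of the LNK-to-fileless-PowerShell chain described above. The following is an added example, not code from Seqrite's report or from the campaign: a minimal Shell Link (.LNK) parser following the public MS-SHLLINK layout, a set of indicator regexes for PowerShell-launching loaders, and a constructed sample LNK (placeholder payload) to run it against. `build_lnk`, `parse_lnk`, `scan_lnk` and the indicator names are this example's own.

```python
import re
import struct
# Shell Link (.LNK) layout per MS-SHLLINK: 0x4C-byte header with LinkFlags at 0x14,
# optional IDList and LinkInfo blocks, then the StringData fields in this fixed order.
HEADER_SIZE = 0x4C
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
# Traits of a PowerShell-launching LNK loader, matched against the lowercased target + arguments.
INDICATORS = {
    "powershell_target": r"powershell(\.exe)?\b|\bpwsh\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "encoded_command": r"-e(nc|ncodedcommand|c)?\s+[a-z0-9+/=]{8,}",
    "exec_policy_bypass": r"-e(xecutionpolicy|p)\s+bypass",
    "inline_download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient",
    "invoke_expression": r"\biex\b|invoke-expression",
}

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK (ValueError if the header is not a Shell Link)."""
    if data[:len(LNK_MAGIC)] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:    # 2-byte IDListSize, which does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # 4-byte LinkInfoSize, which does count itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_FIELDS:
        if flags & bit:        # 2-byte CountCharacters, then that many chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields
def scan_lnk(data: bytes) -> list:
    """Names of the INDICATORS matched by the shortcut's target path plus its arguments."""
    f = parse_lnk(data)
    cmdline = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    return [name for name, pat in INDICATORS.items() if re.search(pat, cmdline)]
def build_lnk(relative_path: str, arguments: str) -> bytes:  # test helper: minimal Unicode LNK
    header = LNK_MAGIC + struct.pack("<I", IS_UNICODE | 0x08 | 0x20)  # RelativePath + Arguments only
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments))
# Constructed sample shaped like a PowerShell LNK loader; the "payload" is just base64("PLACEHOLDER").
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand UExBQ0VIT0xERVI=")
```

Running `scan_lnk` over every `.lnk` extracted from inbound ZIP attachments, and alerting when `powershell_target` appears together with any second indicator, gives a low-noise detection for this delivery stage; a shortcut whose RelativePath is a document but whose IconLocation or Arguments point at PowerShell is the same chain with a decoy in front.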