The Genians Security Center (GSC) has uncovered the recent “Operation: ToyBox Story” campaign by North Korean-linked APT37, involving sophisticated spear-phishing attacks using trusted cloud services. The campaign primarily delivered the RoKRAT remote access trojan through fileless malware techniques, targeting South Korean and other regional organizations.
Affected: South Korean think tanks, government entities, and organizations using cloud-based email and storage platforms
Key points
- APT37 launched “Operation: ToyBox Story” in March 2025, using spear-phishing emails disguised as security forum invitations.
- The attackers utilized Dropbox as both a delivery platform and command-and-control (C2) server, abusing trusted cloud services.
- Malicious ZIP archives containing LNK files launched malware through hidden PowerShell commands, leading to RoKRAT malware deployment.
- RoKRAT, a North Korea-linked remote access trojan, gathers system info, takes screenshots, and communicates with C2 servers over Dropbox.
- The exfiltrated data is multi-layer encrypted with XOR, AES-CBC-128, and RSA before transmission, evading detection.
- APT37’s infrastructure overlaps with previous attacks involving malware delivery via K-Messenger and exploiting zero-day vulnerabilities like CVE-2022-41128.
- The group employs elaborate obfuscation techniques, including PowerShell scripting, and uses VPN services such as NordVPN to hide its origin.
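The delivery chain summarized above (a shortcut inside a ZIP launching hidden, encoded PowerShell from the user's Explorer session) is a pattern a detection engineer can score from process-creation telemetry. The following is an added example written for this summary, not code from Genians or from the report: it runs a small weighted rule set over constructed Sysmon Event ID 1 style records, with the indicator names, weights, threshold and sample command lines all being assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records, not data taken from the Genians report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
]

# (name, weight, regex over the command line). Weights and names are assumptions.
# A hidden window plus an encoded or download-and-execute payload is the
# LNK-launcher pattern; explorer.exe as parent is how a double-clicked shortcut appears.
INDICATORS = [
    ("hidden_window", 2, re.compile(r"-w(?:in|indow|indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command", 3, re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("bypass_policy", 1, re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("download_exec", 3, re.compile(r"(?:DownloadString|DownloadFile|Invoke-Expression|\bIEX\b)", re.I)),
]
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
THRESHOLD = 4  # assumed alert threshold


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    if not POWERSHELL.search(event.get("Image", "")):
        return 0, []
    score, reasons = 0, []
    for name, weight, pattern in INDICATORS:
        if pattern.search(event.get("CommandLine", "")):
            score += weight
            reasons.append(name)
    # Only count the Explorer parent when some other indicator already fired,
    # so ordinary user-launched PowerShell does not score on its own.
    if reasons and event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        score += 1
        reasons.append("explorer_parent")
    return score, reasons


def detect(events, threshold=THRESHOLD):
    """Return the events whose score reaches the threshold, with their reasons."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"score": score, "reasons": reasons, "CommandLine": event["CommandLine"]})
    return hits
```

Calling `detect(SAMPLE_EVENTS)` flags only the first record; the legitimate `-File` invocation and the Word-spawned cmd.exe score zero, which is the false-positive boundary a rule like this has to hold in production.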
Read More: https://securityonline.info/north-korean-apt37s-toybox-story-stealthy-attacks-unveiled/