Keypoints
- APT37 is a state-sponsored threat actor conducting targeted espionage against South Korean human rights organizations, defectors, journalists, and academic experts on North Korea.
- Attackers frequently use malicious .lnk shortcut files to deliver an XOR-encrypted RoKRAT payload that hides in decoy documents.
- Campaigns include spear-phishing, use of cloud storage APIs (pCloud-style patterns), C2 domains (e.g., navarar[.]com, filedownloadserve[.]com) and VPN-sourced IP addresses.
- RoKRAT supports shellcode-based loading, remote command execution, and exfiltration of document and mobile audio file types (.XLS, .DOC, .PPT, .TXT, .M4A, .AMR, .PDF, .HWP).
- Reconnaissance techniques observed include sending legitimate documents to lower suspicion, web-beacon tracking via img tags, and reuse of similar C2 parameters across campaigns.
- The report recommends active Endpoint Detection and Response (EDR) deployment—highlighting Genian EDR—as it can identify fileless execution flows and anomalous C2 cloud communications missed by signature-based AV.
MITRE Techniques
- [T1071] Command and Control – Used to maintain communications with compromised systems through multiple C2 domains and IPs; (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1566] Phishing – Spear-phishing emails delivered payloads or links that lured victims to download shortcut malware or open legitimate-looking attachments; (‘Uses spear-phishing emails to deliver malicious payloads disguised as legitimate documents.’)
- [T1003] Credential Dumping – Actors collect credentials from compromised hosts as part of their reconnaissance and post-compromise actions; (‘Collects user credentials from compromised systems.’)
- [T1119] Data Collection – The malware searches for and gathers sensitive files and mobile audio recordings from victim devices for exfiltration; (‘Gathers sensitive information from the victim’s device.’)
- [T1190] Exploitation of Public-Facing Applications – Campaigns leveraged vulnerabilities and public-facing hosting to deliver payloads and host malicious content; (‘Targets vulnerabilities in applications accessible from the internet.’)
Indicators of Compromise
- [MD5 hashes] Malware samples – 5f6682ad9da4590cba106e2f1a8cbe26, 7a66738cca9f86f4133415eedcbf8e88, and 6 more hashes
- [Domains/C2] Command and control or hosting – filedownloadserve[.]com, navarar[.]com, and other domains like kakaofilestorage[.]com
- [IP addresses] Observed infrastructure and VPN sources – 108.181.50[.]58, 158.247.219[.]10, and additional IPs such as 158.247.249[.]129 and 61.97.243[.]2
- [Filenames] Delivered or decoy files – North Korea Trends.lnk, North Korea Trends.docx, and other .lnk names like Gate access roster 2024.lnk
- [Email accounts] Cloud/service signups and sender addresses used in campaigns – [email protected], [email protected], and several other Gmail accounts
Genians Security Center examined an extended reconnaissance campaign attributed to APT37 that focuses on South Korean targets connected to North Korean human rights, defectors, media coverage, and national security expertise. The group consistently crafts social-engineered lures that appear legitimate—professors, journalists, or former officials frequently impersonated—to encourage recipients to open attachments or click links. In one April case, an email titled “April North Korea Trends” was sent from a VPN address (61.97.243[.]2) and directed recipients to a portal-like domain (navarar[.]com) where a ‘North Korea Trends.lnk’ shortcut was hosted; the shortcut presented a real ‘North Korea Trends.docx’ to the user while executing embedded PowerShell commands and loading a XOR-encrypted RoKRAT module.
Analysis showed the RoKRAT payload used APT37-typical communication patterns, including a pCloud-like API string marker (‘–wwjaughalvncjwiajs–’), and incorporated routines to search for and collect document and audio file extensions—such as .XLS, .DOC, .PPT, .TXT, .M4A, .AMR, .PDF, and .HWP—from victim machines. Variants frequently hide the module under innocuous names like ‘panic.dat’ or ‘viewer.dat’ and invoke it through batch files (for example ‘price.bat’ or ‘find.bat’); shellcode routines then decode and run the encrypted module. During execution, RoKRAT can issue commands to the system, run cmd.exe via ShellExecuteW when instructed (for example with a ‘-e’ condition), or gather and exfiltrate targeted files under a ‘-c’ condition.
Three days after the initial April lure, the same infrastructure conducted follow-up reconnaissance using legitimate attachments—delivering a ‘North Korea Cyber Terrorism Lecture Materials.pptx’ file from the same source IP. This demonstrates a layered approach: sometimes sending malware-bearing shortcuts, and other times sending genuine documents to lower suspicion or solicit replies that gather additional context for future intrusion attempts. In late September, a campaign titled “International Symposium on Civilian Abductions by North Korea” used a linked file hosted on filedownloadserve[.]com, with observed hosting IPs including 158.247.219[.]10 and 141.164.60[.]110; the email originated from a VPN IP (108.181.50[.]58) previously associated with other malicious activity and even referenced in external reporting. Across these incidents, attackers reused similar C2 parameter structures—such as endpoints that accept ‘type’ and ‘created’ parameters, where ‘created’ often contains a Base64-encoded email address—while changing domain names and hosting locations.
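The reused ‘type’/‘created’ parameter structure is something a defender can hunt for in proxy logs without waiting for a domain to be listed. The script below is an added example, not code from the Genians report: it parses constructed log lines (the URLs and e-mail values are made up; only the defanged hosts are from the report), refangs the host, and flags any request whose ‘created’ value Base64-decodes to an e-mail address.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (time, client, method, URL); hosts are defanged as in the report.
SAMPLE_LOG = """\
2024-09-25T09:12:01Z 10.0.0.14 GET http://filedownloadserve[.]com/down.php?type=doc&created=dmljdGltQGV4YW1wbGUub3Jn
2024-09-25T09:12:05Z 10.0.0.14 GET http://cdn.example-news.test/img/logo.png?type=png&created=1695632000
2024-09-25T09:13:40Z 10.0.0.21 GET http://navarar[.]com/view?type=lnk&created=am91cm5hbGlzdEBtZWRpYS50ZXN0
2024-09-25T09:14:02Z 10.0.0.21 GET http://intranet.example.test/api?type=doc&created=notbase64!!
"""

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")


def decode_created(value: str):
    """Return the e-mail address hidden in `value` if it is Base64 of one, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def find_suspicious_requests(log_text: str):
    """Flag requests whose query has `type` plus a `created` value that decodes to an e-mail."""
    hits = []
    for line in log_text.splitlines():
        ts, client, _method, url = line.split(maxsplit=3)
        parts = urlsplit(url.replace("[.]", "."))  # refang before parsing
        params = parse_qs(parts.query)
        if "type" not in params or "created" not in params:
            continue
        email = decode_created(params["created"][0])
        if email:
            hits.append({"time": ts, "client": client, "host": parts.netloc, "email": email})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} (created decodes to {hit['email']})")
```

The decoded address doubles as an attribution clue: it tells the investigator which lure recipient the request belongs to.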
The actors also relied on reconnaissance techniques that avoid attachments entirely. In October, they impersonated a human-rights expert and deployed web beacons—img src tags embedded in email bodies—to capture recipient IP addresses, user-agent and browser/OS details, and other telemetry. This beaconing gathers location and environment data to inform subsequent targeting decisions. At times the adversary registered cloud accounts using Gmail addresses (examples observed include [email protected] and [email protected]) and hosted reconnaissance infrastructure on misconfigured servers that accidentally exposed internal logs and access records, creating valuable operational security failures that reveal their activity chains.
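Because these beacon e-mails carry no attachment, mail-gateway inspection of the HTML body is the detection point. The following is an added example rather than code from the report: it walks a constructed message body (the hosts and the id value are invented) and flags remote images that are 1x1, hidden by style, or carry a recipient-specific query string, while ignoring inline cid: images that cannot call home.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed HTML mail body (not from the report): a visible logo, an inline cid: image,
# and a hidden 1x1 remote image whose query string identifies the recipient.
SAMPLE_HTML = """
<html><body>
<p>Dear Professor, the symposium program is attached for your review.</p>
<img src="https://mail.example-org.test/static/logo.png" width="120" height="40">
<img src="cid:logo123@local">
<img src="http://track.example-attacker.test/open.php?type=img&id=Zm9v"
     width="1" height="1" style="display: none">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # html.parser already lower-cases tag and attribute names
            self.images.append({k: (v or "") for k, v in attrs})


def _dimension(value: str) -> int:
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else -1  # -1: size not declared


def find_web_beacons(html_body: str):
    """Return remote images that look like tracking beacons, with the reasons for flagging."""
    collector = ImgCollector()
    collector.feed(html_body)
    beacons = []
    for img in collector.images:
        parts = urlsplit(img.get("src", ""))
        if parts.scheme not in ("http", "https"):
            continue  # cid:/data: images never contact a server when rendered
        reasons = []
        if 0 <= _dimension(img.get("width", "")) <= 1 and 0 <= _dimension(img.get("height", "")) <= 1:
            reasons.append("1x1 pixel")
        if "display:none" in img.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        if parse_qs(parts.query):
            reasons.append("recipient-specific query string")
        if reasons:
            beacons.append({"host": parts.netloc, "reasons": reasons})
    return beacons
```

A flagged host can then be checked against the report's IoCs or simply blocked from loading in the mail client, which denies the sender the IP and user-agent telemetry the beacon was meant to collect.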
Throughout the campaign, the threat actor adopted varied personas—former government officials, journalists, broadcast writers, North Korea media personnel, program developers, and human-rights specialists—to increase credibility. The investigative team cataloged many attacker-controlled IDs and filenames used during reconnaissance and delivery, illustrating a broad and persistent targeting approach. Passive DNS and historical IP analysis revealed recurring address ranges (including several 108.181.52[.]x addresses alongside the 108.181.50[.]58 host) that were used at different times for sending beacon-equipped emails or hosting malicious files, although these indicators can be volatile over time.
Genians underscores the limitations of signature-based antivirus alone against these campaigns because the initial execution chain often leverages fileless or script-based flows (PowerShell, shellcode) and uses legitimate-looking documents or cloud-hosted resources to hide malicious activity. Endpoint Detection and Response (EDR) solutions, and specifically Genian EDR in the report, are presented as essential for detecting anomalous behavior such as fileless process chains, unusual child process execution, and cloud-based C2 communications. EDR can reconstruct time-sequenced event flows, reveal the initial entry (for example accessing ‘North Korea Trends.zip’ via archive utilities), and provide contextual filters and search capabilities for administrators to investigate and respond quickly. Additionally, correlating known IoCs with EDR detections and threat intelligence repositories increases detection confidence and supports remediation.
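The execution chain described earlier (a shortcut launching hidden PowerShell, which hands off to a batch file such as ‘price.bat’ that decodes the .dat module) and the time-sequenced event reconstruction this paragraph attributes to EDR can be approximated from plain process-creation telemetry. The script below is an added example and not Genian EDR logic: it runs over constructed events (pids, paths and the user name ‘u’ are invented; the .zip and .bat names are from the report, the PowerShell payload is deliberately omitted) and flags cmd.exe running a user-writable .bat whose ancestry is explorer.exe -> powershell.exe.

```python
# Constructed process-creation events (not from the report) as an EDR might record them,
# in time order: (pid, parent pid, image path, command line).
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\7-Zip\7zFM.exe",
               r'7zFM.exe "C:\Users\u\Downloads\North Korea Trends.zip"'),
    (300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r'powershell.exe -w hidden -c "<shortcut payload omitted>"'),
    (310, 300, r"C:\Windows\System32\cmd.exe",
               r'cmd.exe /c C:\Users\u\AppData\Local\Temp\price.bat'),
    (400, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Users\u\Documents"),
    (500, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Scripts\backup.bat"),
]

# Directories a phished user can write to; a .bat launched from here deserves scrutiny.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(index, pid):
    """Return image names from `pid` up to the root (child first), following parent links."""
    names, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, image, _cmd = index[pid]
        names.append(_basename(image))
        pid = ppid
    return names


def find_shortcut_bat_chains(events):
    """Flag cmd.exe running a user-writable .bat under a PowerShell that explorer.exe started."""
    index = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, _ppid, image, cmd in events:
        low = cmd.lower()
        if _basename(image) != "cmd.exe" or ".bat" not in low:
            continue
        if not any(d in low for d in USER_WRITABLE):
            continue
        names = ancestry(index, pid)
        # explorer.exe -> powershell.exe -> cmd.exe is how a .lnk-borne loader reaches its batch file
        for child, parent in zip(names, names[1:]):
            if child == "powershell.exe" and parent == "explorer.exe":
                hits.append({"pid": pid, "chain": " -> ".join(reversed(names)), "command": cmd})
                break
    return hits
```

The sibling 7zFM.exe event is what lets an analyst tie the chain back to the ‘North Korea Trends.zip’ archive as the initial entry, as the paragraph describes.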
The report provides concrete indicators of compromise—including multiple MD5 hashes associated with observed samples, C2 domains (filedownloadserve[.]com, kakaofilestorage[.]com, navarar[.]com), and several IP addresses (108.181.50[.]58, 158.247.219[.]10, 158.247.249[.]129, 141.164.62[.]19, 141.164.60[.]110, 223.104.236[.]114, 175.214.194[.]61, and 61.97.243[.]2). It also highlights filenames used in delivery and staging and the use of cloud APIs and parameters that reappear across campaigns. Organizations that work on North Korea-related issues or handle sensitive human-rights information should be particularly vigilant and consider deploying behavioral EDR, monitoring for suspicious shortcut files, web-beacon activity, and anomalous cloud communications to reduce risk.
Overall, the documented APT37 activity demonstrates adaptive reconnaissance and delivery methods that blend legitimate-looking content with covert payloads and tracking techniques. The combination of targeted social engineering, fileless execution, cloud-hosted C2, and occasional operational slip-ups creates both a persistent threat and opportunities for defenders who can detect anomalous endpoint behaviors and correlate telemetry with shared IoCs.
Read more: https://www.genians.co.kr/blog/threat_intelligence/apt37_recon