Seqrite Lab reveals Operation HanKook Phantom, a sophisticated spear-phishing campaign by North Korean threat actor APT-37 targeting South Korean government and research institutions. The campaign employs malicious LNK files, fileless malware, and cloud services for covert command-and-control operations. #APT37 #ROKRAT
Key points
- The campaign is attributed to North Korean APT-37, also known as ScarCruft or Reaper.
- It uses malicious LNK files hidden in decoy PDFs to infect targets.
- The malware executes fileless PowerShell scripts and employs reflective DLL injection for stealth.
- Final payloads include a variant of the espionage tool ROKRAT for data exfiltration and system control.
- Targets include South Korean government entities, universities, and various international organizations.
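The chain summarised above (a user opens a LNK posing as a document, the LNK launches hidden PowerShell, which then runs its payload in memory) leaves a recognisable footprint in process-creation telemetry. The following detector is an added illustration, not code from Seqrite's report; the event format, the sample events, the heuristics and their weights are all constructed assumptions, and the threshold would need tuning against real baseline data.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass "
                "-EncodedCommand JABsAG4AawA9ACAAJwBDADoAXABVAHMAZQByAHMAJwA="},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "cmdline": r'"Acrobat.exe" C:\Users\alice\Downloads\report.pdf'},
    {"id": 3, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell.exe -nop -w hidden -c "IEX ([IO.File]::ReadAllText('
                 "'C:\\Users\\alice\\Downloads\\Report.pdf.lnk'))\"")},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
]

# Each heuristic corresponds to one stage of the LNK -> hidden PowerShell -> in-memory
# payload chain; names and weights are assumptions for this example, not vendor rules.
HEURISTICS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 1),
    ("reads_lnk", re.compile(r"\.lnk\b", re.I), 2),   # script re-reading its own shortcut
    ("in_memory_exec", re.compile(
        r"\b(?:iex|invoke-expression|frombase64string|reflection\.assembly)\b", re.I), 2),
]


def score_event(event):
    """Return (score, matched heuristic names) for one process-creation event."""
    if not event["image"].lower().endswith("powershell.exe"):
        return 0, []
    hits, score = [], 0
    if event["parent"].lower().endswith("explorer.exe"):
        hits.append("spawned_by_explorer")  # consistent with a double-clicked shortcut
        score += 1
    for name, pattern, weight in HEURISTICS:
        if pattern.search(event["cmdline"]):
            hits.append(name)
            score += weight
    return score, hits


def find_suspicious(events, threshold=3):
    """Return the ids of events whose combined score reaches the threshold."""
    return [e["id"] for e in events if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], score_event(e))
    print("flagged:", find_suspicious(SAMPLE_EVENTS))  # flagged: [1, 3]
```

Feeding real Sysmon Event ID 1 records through the same scoring (parent image, image, command line) lets an analyst triage LNK-launched PowerShell before hunting for the later in-memory stages.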