APT37 deploys RokRAT via a spear-phishing ZIP, a PowerShell script, a decoy PDF, and a cloud-based C2 connection.
APT37 Deploys RokRAT to Spy on Academics, Ex-Officials

North Korea-linked hacking group APT37 is deploying RokRAT in a new spear-phishing campaign dubbed Operation HanKook Phantom, according to cybersecurity firm Seqrite Labs. The operation targets academics, former government officials, and researchers with a fake newsletter carrying a malicious LNK (Windows shortcut) file. Once the victim opens the shortcut, it kicks off a multi-stage malware chain that ends with a RokRAT infection.

The LNK file carries embedded PowerShell that runs the next-stage payload, opens a decoy PDF so the victim sees something plausible, and XOR-decodes the final binary for fileless execution, so the RAT itself never has to be written to disk as a recognizable file. Once running, RokRAT fingerprints the host, checks for virtual machines to evade sandboxes and analysts, and executes commands from its operators. It captures screenshots and exfiltrates data through legitimate cloud storage services (Dropbox, pCloud, and Yandex), which lets its command-and-control traffic blend in with ordinary HTTPS to well-known providers.
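The chain described above (shortcut with embedded PowerShell, XOR-obfuscated payload, nothing dropped in a recognizable form) is the sort of thing an analyst triages by hand. The script below is an added example, not code from the Seqrite report or from the campaign: it pulls any PowerShell command line out of an LNK's bytes and then brute-forces a single-byte XOR key for a payload blob referenced by that command. The LNK layout of the constructed sample, the `$b[START..END]` slice syntax the parser looks for, the single-byte key, and the `build_sample_lnk` helper are all assumptions made for illustration; real droppers vary the offset syntax and the key length, so treat this as a starting point rather than a signature.

```python
"""Added triage example (not Seqrite's or the campaign's own code): extract the
embedded PowerShell from a shortcut dropper and recover a single-byte-XOR'd
payload it reads from its own file. LNK layout, the $b[START..END] offset
syntax, and the single-byte key are assumptions chosen for illustration."""
import re

PE_DOS_MAGIC = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def find_powershell_commands(data: bytes) -> list:
    """Return PowerShell command lines embedded in the shortcut bytes.

    LNK StringData (the argument string) is UTF-16LE, but droppers sometimes
    carry an ASCII copy too, so both encodings are searched. The match stops
    at the first non-printable character so it does not run into binary data.
    """
    found = []
    for enc in ("utf-16-le", "ascii"):
        text = data.decode(enc, errors="ignore")
        for m in re.finditer(r"powershell[\x20-\x7e]{0,1024}", text, re.IGNORECASE):
            found.append(m.group(0))
    return found


def parse_slice(cmd: str):
    """Extract the byte range the script reads from its own LNK.

    Assumed syntax for this example: $var[START..END] (PowerShell ranges are
    inclusive). Returns (start, end) or None if the command has no such slice."""
    m = re.search(r"\$\w+\[(\d+)\.\.(\d+)\]", cmd)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encode == decode)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes):
    """Try all 256 single-byte keys; accept one only if both the MZ magic and
    the DOS stub text appear, so a chance two-byte hit is not mistaken for a PE."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if plain.startswith(PE_DOS_MAGIC) and DOS_STUB_TEXT in plain:
            return key, plain
    return None, None


def triage_lnk(data: bytes) -> dict:
    """Tie it together: find commands, carve the referenced range, recover the key."""
    cmds = find_powershell_commands(data)
    result = {"commands": cmds, "xor_key": None, "payload": None}
    for cmd in cmds:
        rng = parse_slice(cmd)
        if rng is None:
            continue
        start, end = rng
        blob = data[start:end + 1]  # inclusive range, as in PowerShell
        key, plain = recover_single_byte_xor(blob)
        if key is not None:
            result["xor_key"] = key
            result["payload"] = plain
            break
    return result


def build_sample_lnk() -> bytes:
    """Constructed stand-in for a dropper shortcut (not a real LNK and not from
    the campaign): the LNK header size and CLSID, a hidden-window PowerShell
    argument string in UTF-16LE, zero padding, and a fake PE XORed with 0x5A
    at offset 1024. Used only so the example runs offline."""
    fake_pe = PE_DOS_MAGIC + b"\x90" * 62 + DOS_STUB_TEXT + b"\x00" * 16
    key = 0x5A
    start = 1024
    end = start + len(fake_pe) - 1
    cmd = ("powershell -windowstyle hidden -ep bypass -c "
           f"$b=[IO.File]::ReadAllBytes($l);$p=$b[{start}..{end}];")
    header = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
    body = header + cmd.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (start - len(body))
    return body + xor_bytes(fake_pe, key)


if __name__ == "__main__":
    report = triage_lnk(build_sample_lnk())
    for c in report["commands"]:
        print("embedded command:", c)
    print("recovered XOR key:", hex(report["xor_key"]))
    print("payload starts with:", report["payload"][:2])
```

The two-marker check in `recover_single_byte_xor` matters: with only 256 candidate keys, requiring just `MZ` at offset zero produces a false positive whenever the first two ciphertext bytes happen to differ by the same value as `M` and `Z`; requiring the DOS stub string as well makes an accidental hit practically impossible. Multi-byte keys need a different approach (known-plaintext against the DOS stub, key length from repeating-XOR statistics), which this example deliberately does not cover.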

A parallel campaign also uses LNK files, this time to deliver obfuscated scripts and drop decoy Word documents. In one instance, the attackers used a July 28 statement from Kim Yo Jong as the lure. Seqrite warns that these attacks demonstrate persistent espionage efforts against South Korean institutions.

Read the full report here: https://securityaffairs.com/181782/apt/north-koreas-apt37-deploys-rokrat-in-new-phishing-campaign-against-academics.html
