APT37’s Stealthy RoKRAT Malware Uses Steganography in JPEGs to Evade Detection
Experts at the Genians Security Center have uncovered a sophisticated new variant of the RoKRAT malware, attributed to the North Korean threat group APT37. This latest iteration employs an unusually covert method of hiding malicious code—embedding it within ordinary JPEG images. By leveraging this technique, RoKRAT evades conventional antivirus solutions, as its payload is never written to disk but is instead extracted directly into memory.
The infection chain begins with the execution of a malicious .LNK shortcut file embedded within a ZIP archive. One such example is named “National Intelligence and Counterintelligence Manuscript.zip,” which contains an oversized .LNK file (over 50 MB) embedding decoy documents and encoded components: a shellcode file (ttf01.dat), a PowerShell script (ttf02.dat), and a batch file (ttf03.bat).
Upon execution, PowerShell is triggered to decrypt the 32-bit shellcode using a single-byte XOR with the key 0x33. In the next stage, a second layer of encrypted code is decrypted starting at offset 0x590 using the key 0xAE, producing an executable that contains debugging artifacts such as the PDB path D:\Work\Util\InjectShellcode\Release\InjectShellcode.pdb.
This decrypted segment is then injected into legitimate Windows processes such as mspaint.exe or notepad.exe located in the SysWOW64 directory. As part of the injection process, virtual memory is allocated and populated with data blocks approximately 892,928 bytes in size. These blocks are again decrypted using XOR, now with the key 0xD6, activating the core functionality of RoKRAT.
Because the payload never touches the disk, post-infection forensic analysis becomes significantly more difficult. Indicators supporting APT37 attribution include file timestamps, such as April 21, 2025, 00:39:59 UTC, and unique strings like –wwjaughalvncjwiajs–.
A particularly notable innovation is RoKRAT’s use of steganography. The malware’s loader is embedded in a JPEG image—such as “Father.jpg”—hosted on Dropbox. While the file retains a valid Exif header, it contains encoded shellcode beginning at offset 0x4201. Extraction is performed via a two-stage XOR decryption: first with the key 0xAA, followed by 0x29. This enables RoKRAT to load directly into memory, leaving no footprint on the file system.
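The following triage script is an added example, not code from the Genians report: it walks a JPEG's marker segments, reports whether an Exif APP1 segment is present and how many high-entropy bytes follow the EOI marker, and applies the two single-byte XOR layers described above (0xAA then 0x29) to a region an analyst points it at. The sample image and payload are constructed here; the real file's layout at offset 0x4201 is not known from the report, so the sample simply appends the encoded data after EOI.

```python
import math

EXIF_MAGIC = b"Exif\x00\x00"

def jpeg_end_offset(data):
    """Walk JPEG marker segments. Returns (segments, offset just past EOI),
    where segments is a list of (marker, offset, length)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segs, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at 0x%x" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1; continue
        if marker == 0xD9:                       # EOI: image data ends here
            return segs, pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2; continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        segs.append((marker, pos, length))
        pos += 2 + length
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI not found")

def has_exif(segs, data):
    return any(m == 0xE1 and data[o + 4:o + 10] == EXIF_MAGIC for m, o, _ in segs)

def shannon_entropy(buf):
    if not buf:
        return 0.0
    return -sum(buf.count(b) / len(buf) * math.log2(buf.count(b) / len(buf)) for b in set(buf))

def xor_layers(buf, keys):
    """Apply single-byte XOR keys in order; two layers collapse to one key (0xAA ^ 0x29 == 0x83)."""
    for k in keys:
        buf = bytes(b ^ k for b in buf)
    return buf

def triage(data):
    segs, end = jpeg_end_offset(data)
    trailing = data[end:]
    return {"exif": has_exif(segs, data), "eoi_offset": end,
            "trailing_len": len(trailing), "trailing_entropy": round(shannon_entropy(trailing), 2)}

# Constructed sample (not the real Father.jpg): SOI, an APP1 Exif stub, EOI, then a
# placeholder payload hidden after EOI under the two XOR layers the report describes.
_exif_body = EXIF_MAGIC + b"II*\x00\x08\x00\x00\x00\x00\x00"
_app1 = b"\xff\xe1" + (len(_exif_body) + 2).to_bytes(2, "big") + _exif_body
SAMPLE_PAYLOAD = b"CONSTRUCTED PLACEHOLDER, NOT REAL SHELLCODE. " * 3
SAMPLE_JPEG = b"\xff\xd8" + _app1 + b"\xff\xd9" + xor_layers(SAMPLE_PAYLOAD, [0xAA, 0x29])
```

Run `triage(SAMPLE_JPEG)` on the sample, then `xor_layers(SAMPLE_JPEG[24:], [0xAA, 0x29])` to recover the placeholder; on a real file, point the second call at the region the triage output flags.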
To launch its malicious DLLs, RoKRAT employs sideloading techniques via legitimate Windows utilities such as ShellRunas.exe or AccessEnum.exe, embedded within HWP (Hangul Word Processor) documents. Payloads are retrieved from cloud services including Dropbox, pCloud, and Yandex.Disk using their APIs and now-expired access tokens such as hFkFeKn8jJIAAAAAAAAAAZr14zutJmQzoOx-g5k9SV9vy7phb9QiNCIEO7SAp1Ch.
Beyond harvesting documents and system information, RoKRAT captures screenshots and exfiltrates them to external servers. The most recent samples, dated July 2025, are disguised as shortcuts like “Academy Operation for Successful Resettlement of North Korean Defectors in South Korea.lnk.” These versions now use notepad.exe as the injection target and reference new paths in their code, such as D:\Work\Weapon, underscoring the malware’s ongoing evolution.
Mitigating such threats requires the deployment of endpoint detection and response (EDR) systems capable of tracing unusual activities—such as code injection and cloud API communications. EDR visualizations can reconstruct the entire attack chain, from .LNK execution to data exfiltration via command-and-control, enabling swift isolation using frameworks like MITRE ATT&CK.
Given the increasingly sophisticated tactics of APT actors—characterized by fileless execution and covert data transfer—it is clear that traditional signature-based defenses are no longer sufficient, particularly as targets expand across Windows systems in South Korea and neighboring regions.