
The North Korean threat group APT37 (also known as ScarCruft, InkySquid, Reaper, and Ricochet Chollima) has launched a sweeping espionage campaign under the codename Operation HanKook Phantom, targeting government and research organizations in South Korea and across the wider region.
Researchers at Seqrite uncovered that the attackers distribute counterfeit documents disguised as bulletins from the National Intelligence Society, a research community. One such file is a malicious .LNK shortcut that triggers a multi-stage chain to download and execute embedded payloads.
The victims of this campaign include academics, former officials, staff at specialized research institutes, and others named in the targeted distribution lists. The operation’s goals are data theft, persistence, and cyberespionage. APT37’s reach extends far beyond South Korea, with confirmed victims in Japan, Vietnam, Nepal, China, India, Romania, Kuwait, Russia, and several Middle Eastern countries.
Upon execution, the LNK file’s PowerShell script extracts embedded components: a decoy PDF, an executable loader (.dat), and the final payload. These elements are stored in a temporary directory, where the script launches a BAT file and injects code directly into memory. An encrypted DLL is decrypted using XOR with the key 0x35 and injected via WinAPI calls such as GlobalAlloc, VirtualProtect, and CreateThread.
The final binary exhibits hallmarks of the ROKRAT malware family, performing system reconnaissance, screen capture, disk structure analysis, command execution, and the retrieval of additional malicious modules from C2 servers via cloud platforms including Dropbox, pCloud, and Yandex Disk.
A second wave of the operation weaponized a document masquerading as an official statement by Kim Yo-jong, Deputy Department Director of North Korea’s Workers’ Party, dated July 28 and published by KCNA. The statement expressed vehement opposition to South Korean government initiatives, declaring the era of national unity over and framing future relations in terms of confrontation.
Targets of this phase included entities tied to President Lee Jae-myung’s administration, the Ministry of Unification, KCNA, the ROK–US alliance, and APEC.
The infection chain began with a malicious LNK launching PowerShell through the tony33.bat script. This script decoded base64 content from tony32.dat, executed it in memory, and then loaded an additional encrypted binary (tony31.dat) using XOR with the key 0x37. The decrypted payload was executed entirely through WinAPI calls, bypassing the file system.
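As an added example (not part of Seqrite's analysis or of this article), the following forensic helper recovers payloads protected by the single-byte XOR scheme described above: it tries all 256 candidate keys and reports the one that yields a valid DOS/PE header, so an analyst does not need to know in advance whether a sample used 0x35, 0x37 or another key. The "encrypted DLL" it runs on is a constructed stand-in built inline, not a real sample.

```python
import struct
from typing import Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == PE_SIG


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the transform the loader applies to its encrypted stage."""
    return bytes(b ^ key for b in data)


def recover_xor_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force every single-byte key; return (key, decoded) for the first PE image found.

    Only one key can turn the first byte into 'M', so at most one candidate survives the
    header check; key 0 is included so a plaintext PE is reported as key 0x00.
    """
    for key in range(256):
        candidate = xor_single_byte(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a DLL image: a DOS header plus a PE signature, nothing more."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(dos) + PE_SIG + b"\x00" * 20


if __name__ == "__main__":
    # Simulate the two keys reported for this campaign (0x35 and 0x37) on the constructed image.
    for key in (0x35, 0x37):
        encrypted = xor_single_byte(build_fake_pe(), key)
        found = recover_xor_pe(encrypted)
        print(f"encrypted with 0x{key:02x}: recovered key "
              f"{'0x%02x' % found[0] if found else 'none'}")
```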
Functions sub_401360 and sub_4021F0 implement the algorithm for covert data collection and exfiltration. Files from temporary directories are archived, disguised as PDFs, and transmitted to attacker-controlled servers. Exfiltrated data includes computer names and timestamps, packed in multipart/form-data structures to mimic uploads via Chrome. Once transmission is complete, the original files are deleted, complicating forensic recovery.
Subsequent stages involve downloading fresh payloads from C2 servers, spawning new PowerShell processes, invoking Sleep, and removing temporary artifacts such as abs.tmp with DeleteFileW.
Operation HanKook Phantom represents a continuation of APT37’s aggressive cyberespionage efforts, marked by defense evasion, in-memory execution of malicious code, and sophisticated data exfiltration techniques. The group skillfully leverages trusted documents, cloud infrastructure, and native Windows utilities to avoid reliance on conventional malware files.
Experts recommend strengthening defenses against malicious LNK files, monitoring for anomalous PowerShell activity, and scrutinizing traffic to cloud APIs and HTTP requests containing suspicious MIME parameters.