Operation Artemis: North Korean ScarCruft Hijacks HWP Files to Deploy RoKRAT
As part of a large-scale malware campaign dubbed Operation Artemis, the North Korean hacking group APT37—also known as ScarCruft—employed sophisticated attack techniques leveraging South Korea’s HWP word processor and DLL side-loading. The operation targeted South Korean professionals, primarily those working in politics, media, and international affairs. Initial access was achieved through phishing emails masquerading as interview requests or invitations to events.
According to South Korean security firm Genians, the attackers posed as television journalists and academics, sending victims HWP documents disguised as questionnaires or formal invitations. Embedded within these files was an OLE object that triggered a multi-stage execution chain, ultimately loading a malicious library via DLL substitution within the context of a legitimate process. This technique enabled the attackers to evade signature-based defenses and significantly complicated analysis.
The Genians report places particular emphasis on the use of steganography, with malicious data concealed within image files—including previously unseen portrait photographs—providing an additional layer of stealth. Investigators also identified the reuse of attack scripts employed in earlier campaigns, down to identical paths in Program Database (PDB) debug strings, pointing to the systematic activity of the same threat actor.
Malicious modules such as version.dll were executed through Sysinternals utilities, allowing the payload to be loaded under the guise of standard administrative tools. This approach effectively bypassed static checks for suspicious executables. Once loaded, the library decrypted the payload in stages, using XOR operations with multiple keys—including SSE-based routines—to accelerate execution and increase resistance to reverse engineering.
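As an added detection example, not code from the Genians report or from this article, the following Python flags the side-loading pattern just described: a library named version.dll loaded from anywhere other than the Windows system directories. The log line format and sample records are constructed to resemble Sysmon image-load events; the trusted directory list and the executable name in the sample are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Directories from which a genuine version.dll is expected to load. Assumption:
# a default Windows install; adjust if the system root is relocated.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Sysmon Event ID 7 (Image loaded) fields, reduced to the two we correlate:
# the hosting process and the library it mapped.
LINE_RE = re.compile(r"Image:\s*(?P<process>.+?)\s+ImageLoaded:\s*(?P<image>.+?)\s*$")

def is_suspicious_version_dll_load(image_path: str) -> bool:
    """True when a DLL named version.dll is loaded from outside the Windows
    system directories, which is the side-loading pattern described above."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "version.dll":
        return False
    return str(p.parent).lower() not in TRUSTED_DIRS

def parse_image_loads(log_text: str):
    """Yield {'process', 'image'} dicts for each log line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def scan_image_loads(log_text: str):
    """Return the image-load records matching the version.dll side-load pattern."""
    return [r for r in parse_image_loads(log_text)
            if is_suspicious_version_dll_load(r["image"])]

# Constructed sample log lines (not taken from the Genians report). The tool
# name in the second line is a placeholder; the article does not name the
# Sysinternals utility that was abused.
SAMPLE_LOG = r"""
Image: C:\Windows\System32\notepad.exe ImageLoaded: C:\Windows\System32\version.dll
Image: C:\Users\user\AppData\Local\Temp\sysinternals_tool.exe ImageLoaded: C:\Users\user\AppData\Local\Temp\version.dll
Image: C:\Program Files\Some App\app.exe ImageLoaded: C:\Program Files\Some App\helper.dll
"""

if __name__ == "__main__":
    for hit in scan_image_loads(SAMPLE_LOG):
        print(f"side-load candidate: {hit['process']} loaded {hit['image']}")
```

In practice the hit should be joined to the process-creation chain (the HWP document's child process that launched the utility) before alerting, which is the correlation the article calls for.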
The campaign’s ultimate objective was the deployment and activation of a remote access tool from the RoKRAT family, a well-known component of APT37’s arsenal. This tool enabled covert communication with command-and-control servers, data exfiltration, and remote command execution on compromised systems.
Commercial cloud platforms were used as communication channels. Leveraging such services not only disguised malicious traffic as legitimate but also made network-level blocking more challenging. Analysis revealed that the attackers had pre-registered accounts across multiple cloud services using identical identifiers, underscoring the strategic coherence of their infrastructure.
The report stresses that APT37 operates with discipline and continues to refine its evasion techniques. These methods are designed not merely to avoid detection, but to withstand in-depth analysis and forensic scrutiny. As a result, organizations are urged to reassess their defensive strategies—particularly through the adoption of EDR solutions capable of behavioral analysis and real-time activity monitoring.
Detecting attacks of this nature requires tools that can correlate not isolated events, but the entire attack chain—from document execution to outbound communication with cloud infrastructure. Only through such holistic visibility can hidden activity be identified in time, infections contained, and data exfiltration prevented.