The Return of the USB Trap: DarkHotel’s New 2026 Stealth Campaign
The South Korean threat group APT-C-06, better known as DarkHotel, has resurfaced in a series of intrusions identified in the second half of 2025. After its surge of activity in June, which relied on the DarkSeal loader, the group has changed its approach. The new campaign uses a different set of malicious components, reminiscent of attacks seen earlier in the year, and spreads them primarily via removable storage media.
According to findings from the 360 Threat Intelligence Center, the compromise is initiated upon the connection of USB devices harboring fraudulent installation binaries masquerading as reputable software. Among these subverted executables are installers for TrueCrypt, SanDisk, WinRAR, Adobe Reader, and FlashFXP. These binaries perform a dual function: they facilitate the installation of legitimate software while simultaneously invoking clandestine code embedded within RC Data resources. Typically, one resource contains the authentic application, while another conceals an encrypted shellcode.
During installation a hidden file is dropped, but the malicious payload stays dormant unless the host shows no signs of a professionally managed or enterprise environment. Specifically, if remote access services or system directories associated with Azure AD are detected, the payload does not activate. This selective execution points to a deliberate effort to avoid scrutiny on workstations that carry stronger security controls and are more likely to be monitored.
The shellcode mirrors the architecture of DarkSeal components and orchestrates the retrieval of a second-stage dynamic-link library (DLL), analogous to the previously documented k1nqa.dll. This implant meticulously audits the system for antivirus software to derive a specific URL for command-and-control communication. This telemetry enables the dynamic generation of a PowerShell script, whose content and file path are bespoke to the identified security solution.
To ensure enduring persistence, the malware constructs tasks within the Windows Task Scheduler. The mechanism for task creation is adaptive; depending on the extant security software, the malware may utilize COM interfaces or resort to privileged PowerShell execution.
This multi-stage, adaptive design complicates traditional detection. Nevertheless, investigators note that despite the tactical shift, the campaign relies on established components and legacy techniques rather than new ones, underscoring a strategic continuity and a persistent reliance on proven methods. A notable characteristic of the campaign is that infected files on USB drives typically appear in clusters, with every installer on a single medium being compromised. While current samples lack self-propagating capabilities, the researchers hypothesize that multiple installers are systematically infected during the preparation phase.
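As an added defender-side triage example, not code from the article or from the 360 Threat Intelligence Center: the script below walks the executables on a mounted removable volume and flags any that carry the dual-RCDATA pattern described above, an embedded PE (the decoy installer) alongside a high-entropy blob (candidate encrypted shellcode). The pefile dependency, the entropy and size thresholds, and all function names are assumptions.

```python
import math
import os
from collections import Counter

RT_RCDATA = 10        # resource type used to embed arbitrary binary data
HIGH_ENTROPY = 7.2    # bits/byte; encrypted or compressed data approaches 8.0 (assumed threshold)
MIN_BLOB_SIZE = 1024  # skip small resources such as manifests (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_resource(data: bytes) -> str:
    """Label one RCDATA resource: embedded PE (decoy), high-entropy blob (candidate shellcode), or other."""
    if data[:2] == b"MZ":
        return "embedded_pe"
    if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= HIGH_ENTROPY:
        return "high_entropy"
    return "other"

def assess(resources) -> dict:
    """Suspicious when one binary carries both an embedded PE and a high-entropy blob."""
    kinds = Counter(classify_resource(r) for r in resources)
    return {"embedded_pe": kinds["embedded_pe"], "high_entropy": kinds["high_entropy"],
            "suspicious": kinds["embedded_pe"] >= 1 and kinds["high_entropy"] >= 1}

def rcdata_resources(path):
    """Yield the raw bytes of every RT_RCDATA resource in a PE file (needs the pefile package)."""
    import pefile  # lazy import: the helpers above stay usable where pefile is absent
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_RESOURCE"]])
    resource_dir = getattr(pe, "DIRECTORY_ENTRY_RESOURCE", None)
    for rtype in (resource_dir.entries if resource_dir else []):
        if rtype.id != RT_RCDATA:
            continue
        for name in rtype.directory.entries:
            for lang in name.directory.entries:
                yield pe.get_data(lang.data.struct.OffsetToData, lang.data.struct.Size)

def triage_drive(root: str) -> dict:
    """Assess every .exe under a mounted volume root (e.g. the USB drive); returns {path: verdict}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(".exe")):
            path = os.path.join(dirpath, f)
            results[path] = assess(list(rcdata_resources(path)))
    return results
```

Point triage_drive at the root of the mounted USB volume; a cluster of installers all reporting suspicious matches the pattern the researchers describe.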
The resurgence of these incursions serves as a potent reminder that DarkHotel continues to refine its venerable tactics, meticulously selecting its targets and circumventing sophisticated environments to maximize operational efficacy.