Ethical Hacking News

North Korea's Spear-Phishing Campaign: APT37's Latest Operation - HanKook Phantom



North Korea’s spear-phishing campaign, dubbed Operation HanKook Phantom, marks a significant escalation in the country’s efforts to gather intelligence through cyber means. APT37's targeted attack on academics, ex-officials, and researchers is designed to steal sensitive data, maintain persistence, and conduct espionage. This operation highlights the ongoing threat posed by North Korean state-sponsored actors in the cyber domain and underscores the need for increased vigilance against misuse of cloud services for command-and-control activities.

  • North Korea's Operation HanKook Phantom is a significant escalation in cyber espionage efforts, targeting academics, ex-officials, and researchers.
  • The operation uses a fake newsletter and malicious LNK file to compromise systems, followed by the RokRAT malware.
  • The malware captures screenshots, supports commands for remote execution, data theft, and malware control, and communicates with C2 servers through cloud services.
  • APT37 has been active since at least 2012 and has targeted government, defense, military, and media organizations in South Korea.
  • The campaign highlights the ongoing threat posed by North Korean state-sponsored actors and the need for increased vigilance against misuse of cloud services for C2 activities.



North Korea’s spear-phishing campaign, dubbed Operation HanKook Phantom, marks a significant escalation in the country’s efforts to gather intelligence through cyber means. The latest operation, attributed to North Korean state-sponsored actor APT37 (also known as ScarCruft), is designed to target academics, ex-officials, and researchers tied to the Association of Seoul, a South Korean government-linked organization.

The campaign, which began in recent weeks, uses a fake "National Intelligence Research Society Newsletter – Issue 52" PDF and a disguised malicious LNK file. When executed, the LNK file downloads a payload or executes commands, compromising the system. The final-stage malware employed in this campaign is RokRAT, which is believed to be the handiwork of APT37.

According to Seqrite Labs, the cybersecurity firm that uncovered the phishing campaign, "The malicious LNK file disguised as a newsletter triggers a multi-stage RokRAT infection. Embedded PowerShell extracts payloads, drops decoy PDFs, and executes batch scripts leading to fileless in-memory execution via XOR-decoded binaries. RokRAT fingerprints hosts and implements anti-VM features to avoid detection and analysis." The malware captures screenshots and supports commands for remote execution, data theft, and malware control. It also communicates with C2 servers through Dropbox, pCloud, and Yandex to exfiltrate data and deploy further payloads.

This operation is part of a broader pattern of North Korea's aggressive cyber activities. APT37 has been active since at least 2012 and made headlines in early February 2018 when researchers revealed that the group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. Kaspersky first documented the operations of the group in 2016, highlighting its main targets as government, defense, military, and media organizations in South Korea.

The latest campaign is particularly noteworthy for its sophistication and targeted nature. Seqrite Labs' analysis reveals that the attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage. The use of a fake newsletter and a malicious LNK file is a prime example of the tactics, techniques, and procedures (TTPs) APT37 employs in its spear-phishing campaigns.

The campaign also highlights the ongoing threat posed by North Korean state-sponsored actors in the cyber domain. In recent years, these actors have demonstrated an increasing ability to conduct complex cyber operations, often using tailored spear-phishing attacks to gather intelligence and disrupt critical infrastructure.

In light of this latest operation, cybersecurity experts and organizations are urging increased vigilance against misuse of cloud services for command-and-control (C2) activities. The cloud-based C2 channels used by APT37's RokRAT malware let the group blend its traffic into legitimate services, making its activities harder to detect and disrupt.

The HanKook Phantom operation serves as a reminder of the evolving cyber threat landscape and the need for proactive monitoring, advanced detection of LNK-based delivery, and vigilance against misuse of cloud services for C2 activities. As cybersecurity experts continue to monitor and analyze APT37's tactics, it is essential to recognize the significance of this latest spear-phishing campaign and its implications for national security.
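As an added defensive example, not code from the article or from Seqrite Labs: a Python triage parser for Windows shortcut (.lnk) files that walks the Shell Link structure to recover the launch arguments and to detect data appended past the end of the format, the two traits of the LNK-based delivery described above (a shortcut that launches embedded PowerShell and carries its own payload and decoy PDF). The field layout follows the public MS-SHLLINK specification; the SUSPICIOUS token list and the build_lnk fixture builder are assumptions made for the demonstration.

```python
import struct

LNK_HEADER_SIZE, LNK_CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK): which optional structures follow the 76-byte header.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 1, 2, 128
STRING_FIELDS = (("name", 4), ("relpath", 8), ("workdir", 16), ("args", 32), ("icon", 64))
SUSPICIOUS = ("-enc", "frombase64string", "-w hidden", "-windowstyle hidden", "bypass")  # assumed list

def parse_lnk(data: bytes) -> dict:
    # Header: uint32 size (0x4C), then the Shell Link CLSID, LinkFlags at offset 0x14.
    if data[:4] != struct.pack("<I", LNK_HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], LNK_HEADER_SIZE
    if flags & HAS_IDLIST:    # LinkTargetIDList: uint16 size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: uint32 size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, strings = (2 if flags & IS_UNICODE else 1), {}
    for name, bit in STRING_FIELDS:  # StringData: uint16 character count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    while pos + 4 <= len(data):  # ExtraData: uint32-sized blocks, ended by a block size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size < 4:
            break
        pos += size - 4
    return {"strings": strings, "trailing": data[pos:]}  # bytes past ExtraData are foreign

def triage_lnk(data: bytes) -> list:
    # Flag the delivery pattern above: a PowerShell launcher plus data appended to the shortcut.
    info = parse_lnk(data)
    args, findings = info["strings"].get("args", "").lower(), []
    if "powershell" in args or "pwsh" in args:
        findings.append("arguments launch PowerShell")
    if any(tok in args for tok in SUSPICIOUS):
        findings.append("hidden-window/encoded/bypass flags in arguments")
    if info["trailing"]:
        findings.append(f"{len(info['trailing'])} bytes appended past ExtraData (possible embedded payload)")
    return findings

def build_lnk(arguments: str, trailing: bytes = b"") -> bytes:
    # Constructed test fixture (not a real sample): header + Arguments string + terminal ExtraData block.
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", 32 | IS_UNICODE)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return (header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
            + struct.pack("<I", 0) + trailing)
```

Run triage_lnk over shortcuts arriving as mail attachments or inside archives; a clean result on a fixture such as build_lnk("/c notepad.exe") and findings on one with appended bytes are the expected behaviour.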



    Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Koreas-Spear-Phishing-Campaign-APT37s-Latest-Operation---HanKook-Phantom-ehn.shtml

  • https://securityaffairs.com/181782/apt/north-koreas-apt37-deploys-rokrat-in-new-phishing-campaign-against-academics.html


  • Published: Mon Sep 1 08:23:29 2025 by llama3.2 3B Q4_K_M