North Korean Hackers Exploit Seoul Intelligence Files in Targeted Cyberattacks

A new large-scale spear-phishing campaign has been uncovered, targeting South Korean government officials and intelligence staff by weaponizing sensitive documents.

According to cybersecurity firm Seqrite, the nation-state group APT37—widely believed to be backed by North Korea—was responsible for the coordinated effort, named Operation HanKook Phantom.

Operation HanKook Phantom: Two Coordinated Campaigns

APT37 deployed two separate phishing waves, each using carefully crafted lures designed to appeal to South Korean institutions and government personnel.

Campaign 1: Seoul Intelligence Newsletter as a Decoy

The first campaign leveraged a legitimate-looking PDF titled “National Intelligence Research Society Newsletter – Issue 52” as bait.

  • The newsletter typically shares insights on national security, labor policies, geopolitics, and North-South Korea relations.
  • Attackers attached a malicious LNK file disguised under the same name.
  • Once executed, the shortcut downloaded and ran a hidden payload, ultimately installing RokRAT, a well-known remote access trojan previously linked to APT37.

Researchers noted the attackers used multiple evasion techniques, including in-memory execution, decoy documents, and hidden exfiltration processes to avoid detection.

Targets included members of prominent South Korean institutions such as:

  • National Intelligence Research Association
  • Korea University
  • Institute for National Security Strategy
  • Kwangwoon University
  • Energy Security and Environment Association

Campaign 2: North Korean Official Statement as Lure

The second campaign weaponized a July 28 public statement by Kim Yo-jong, sister of North Korean leader Kim Jong-un. The document, distributed through the Korean Central News Agency (KCNA), rejected reconciliation efforts with South Korea.

The malicious chain mirrored the first campaign, starting with a booby-trapped LNK file. Once executed, it triggered a fileless attack, downloaded further payloads via PowerShell, and exfiltrated stolen data disguised as PDF uploads.

Targets for this phase included:

  • South Korean government ministries
  • The Ministry of Unification
  • The South Korea–U.S. Military Alliance
  • Asia-Pacific Economic Cooperation (APEC) representatives

APT37’s Growing Threat

APT37—also tracked as ScarCruft, Reaper, RedEyes, InkySquid, and Ricochet Chollima—has been active since at least 2012 and is tied to North Korean state interests.

While historically focused on South Korea, the group has expanded operations globally since 2017, targeting industries such as aerospace, automotive, manufacturing, healthcare, and electronics across Japan, Vietnam, and the Middle East.

Key Takeaways

Seqrite’s analysis of Operation HanKook Phantom demonstrates how APT37 continues to refine its espionage tactics through:

  • Highly tailored spear-phishing campaigns
  • Malicious LNK loaders
  • Fileless PowerShell attacks
  • Covert exfiltration techniques
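The loader pattern summarised above (a shortcut named like a document whose target launches PowerShell) is something a defender can triage mechanically. The following is an added example, not code from Seqrite or the article: it parses the StringData fields of a Windows shortcut according to the public MS-SHLLINK layout and reports why a given .lnk looks like a document decoy. The indicator list and the sample shortcut built by `build_lnk` are constructed for the demonstration and are not taken from any real sample.

```python
import struct
# LinkFlags bits from the public MS-SHLLINK spec that govern StringData layout.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
DOC_EXTS = (".pdf", ".doc", ".docx", ".hwp")
# Constructed watch-list of script-host indicators, not taken from any sample.
SUSPICIOUS = ("powershell", "-enc", "-w hidden", "-nop", "bypass", "iex", "downloadstring")

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields (name, relative path,
    working dir, arguments, icon location); IDList/LinkInfo are skipped."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_IDLIST:        # IDListSize (2 bytes) precedes the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {"flags": flags}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:           # CountCharacters (2 bytes), then the string
            n = struct.unpack_from("<H", data, pos)[0] * width
            out[key] = data[pos + 2:pos + 2 + n].decode(
                "utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n
    return out

def triage(filename: str, data: bytes) -> list:
    """List the reasons a shortcut looks like a document-decoy loader."""
    info = parse_lnk(data)
    reasons = []
    if filename.lower().removesuffix(".lnk").endswith(DOC_EXTS):
        reasons.append("document-like name on a .lnk file")
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [s for s in SUSPICIOUS if s in cmd]
    if hits:
        reasons.append("script-host indicators in target: " + ", ".join(hits))
    return reasons

def build_lnk(relpath: str, args: str) -> bytes:
    """Construct a minimal Unicode .lnk for offline testing (not a real sample)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    hdr = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    enc = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return hdr + enc(relpath) + enc(args)
```

Running `triage` over the shortcuts extracted from inbound mail attachments gives a cheap first filter; a shortcut that both mimics a document name and launches a script host merits manual analysis regardless of the lure it arrives with.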

As North Korean-linked cyber operations evolve, organizations—particularly those in government, defense, and research sectors—must remain vigilant against social engineering tactics and weaponized documents.


Source: https://www.infosecurity-magazine.com/news/north-korea-apt37-spear-phishing