ScarCruft Deploys RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics

Cybersecurity researchers have uncovered a new phishing operation conducted by the North Korea-linked hacking group ScarCruft (also known as APT37). The campaign delivers a malware variant called RokRAT, targeting individuals connected with South Korea’s National Intelligence Research Association, including academics, former government officials, and researchers.

Seqrite Labs has dubbed the operation HanKook Phantom, noting that the attackers likely aim to steal sensitive information, maintain long-term access, or conduct espionage.

How the Attack Works

The campaign begins with spear-phishing emails disguised as a newsletter titled “National Intelligence Research Society Newsletter—Issue 52”. The email contains a ZIP attachment holding a Windows shortcut (LNK) disguised as a PDF. When the shortcut is opened, a decoy PDF is displayed while RokRAT is silently installed on the victim’s system.

RokRAT, a malware linked to APT37, can:

  • Collect system information
  • Execute arbitrary commands
  • Enumerate files
  • Take screenshots
  • Download additional payloads

Exfiltration of stolen data occurs via cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud.

In a second variant, the LNK file delivers a PowerShell script, which drops a decoy Microsoft Word document and executes an obfuscated Windows batch script to deploy a dropper. The secondary payload then steals sensitive information while disguising network traffic as Chrome file uploads.

The lure document in this case referenced a statement by Kim Yo Jong, Deputy Director of the Publicity and Information Department of North Korea’s Workers’ Party, rejecting Seoul’s reconciliation efforts.
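Both delivery chains above start with a ZIP attachment carrying an LNK shortcut named to look like a document. As an added defender-side example (not code from the report or from Seqrite Labs), the following Python checks archive members for the Windows shortcut header defined in [MS-SHLLINK], flags names that hide a shortcut behind a document extension, and notes whether the shortcut carries a command line (the LinkFlags HasArguments bit), which a shortcut launching PowerShell would need. The sample archive and its file names are constructed for the test.

```python
import io
import struct
import zipfile

# ShellLinkHeader layout from [MS-SHLLINK]: HeaderSize, LinkCLSID, LinkFlags.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x00000020  # LinkFlags bit: shortcut carries a command line
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".hwp", ".txt")

def looks_like_shortcut(data: bytes) -> bool:
    """True when the bytes begin with a valid Windows shortcut header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return (struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)

def shortcut_has_arguments(data: bytes) -> bool:
    """True when LinkFlags (offset 0x14) say a command-line string is present."""
    return bool(struct.unpack_from("<I", data, 0x14)[0] & HAS_ARGUMENTS)

def suspicious_entries(zip_bytes: bytes) -> list:
    """Report archive members that are (or claim to be) shortcuts, noting a
    document-looking double extension (Explorer hides .lnk) and a command line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename.lower(), zf.read(info)
            is_lnk = looks_like_shortcut(data)
            if not is_lnk and not name.endswith(".lnk"):
                continue
            stem = name[:-4] if name.endswith(".lnk") else name
            findings.append({
                "name": info.filename,
                "valid_lnk_header": is_lnk,
                "masquerades_as_document": stem.endswith(DOC_EXTENSIONS),
                "has_arguments": is_lnk and shortcut_has_arguments(data),
            })
    return findings

def build_sample_zip() -> bytes:
    """Constructed input: a minimal fake shortcut named like a PDF, plus a benign file."""
    fake_lnk = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
                + struct.pack("<I", HAS_ARGUMENTS)).ljust(LNK_HEADER_SIZE, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter_Issue52.pdf.lnk", fake_lnk)  # constructed lure name
        zf.writestr("readme.txt", "benign text")
    return buf.getvalue()
```

A mail gateway or sandbox pre-filter can apply `suspicious_entries` to each archive attachment; a single hit with both `masquerades_as_document` and `has_arguments` set is the pattern described for this campaign.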

Targeting and Objectives

The analysis demonstrates that APT37 continues to leverage highly tailored spear-phishing attacks, malicious LNK loaders, fileless PowerShell execution, and stealth exfiltration techniques. The attackers specifically focus on South Korean government sectors, research institutions, and academics for intelligence gathering and long-term espionage.

Context and Related Activity

This campaign coincides with other North Korea-linked operations. For instance, Lazarus Group has used ClickFix-style attacks to trick job seekers into installing malware disguised as NVIDIA software updates. These attacks deploy Visual Basic Scripts that lead to malware like BeaverTail, a JavaScript stealer, and InvisibleFerret, a Python-based backdoor.

Recent U.S. sanctions target North Korean IT workers and organizations generating revenue for the regime’s weapons programs. Investigations, such as those by the Chollima Group, reveal that some blockchain and gaming projects allegedly operated by private companies are, in fact, developed by DPRK IT workers and later co-opted by North Korean APT groups.

Conclusion

Operation HanKook Phantom illustrates the ongoing sophistication of APT37, combining social engineering, tailored malware delivery, and stealth data exfiltration to target high-value individuals in South Korea. Organizations and researchers should remain vigilant and implement robust cybersecurity measures to mitigate these advanced threats.

Source: https://thehackernews.com/2025/09/scarcruft-uses-rokrat-malware-in.html