Discovery of New Campaign
Cybersecurity experts have identified a fresh phishing operation conducted by the North Korean state-sponsored threat group ScarCruft (APT37). The attackers are using a well-known malware called RokRAT to infiltrate systems and steal sensitive information.
Researchers at Seqrite Labs named this campaign Operation HanKook Phantom, noting that the attacks are aimed at individuals connected to the National Intelligence Research Association. The victims include academic professionals, former government officials, and researchers.
Security researcher Dixit Panchal explained that the attackers’ primary objectives appear to be espionage, persistence, and the theft of confidential data.
Attack Chain and Infection Method
The operation begins with a spear-phishing email disguised as the “National Intelligence Research Society Newsletter—Issue 52.” The email carries a ZIP archive containing a malicious Windows shortcut (LNK) file masked as a PDF document.
When opened, the file displays the legitimate newsletter as a decoy while silently executing RokRAT in the background.
Capabilities of RokRAT
RokRAT, a tool long associated with APT37, is designed to:
- Gather detailed system information
- Execute remote commands
- Browse and exfiltrate files
- Capture screenshots
- Download additional malware payloads
The stolen information is transferred using cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud.
Secondary Campaign and Decoy Documents
Seqrite also uncovered another wave of attacks where the LNK file triggers a PowerShell script. This script drops a decoy Microsoft Word document while running an obfuscated batch script.
That batch script installs a dropper, which launches the next-stage payload to harvest data while masking traffic as a Chrome upload process.
The decoy in this campaign was a statement by Kim Yo Jong (Deputy Director of the Publicity and Information Department of the Workers’ Party of Korea), dated July 28, rejecting reconciliation attempts by Seoul.
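As an added example (not code from Seqrite's report or from this article), the following Python triages a ZIP attachment along the lines of the two chains described above: it lists the archive's .lnk members, flags a double extension such as .pdf.lnk, and parses the shell link's relative path and arguments to see whether the target is PowerShell or another script host. The sample archive is constructed inside the code and is not a real artifact; the suspicious-token list and the document extensions are assumptions.

```python
import io
import struct
import zipfile
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # MS-SHLLINK LinkFlags (spec 2.1.1)
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SUSPICIOUS = ("powershell", "-enc", "-w hidden", "cmd.exe", "mshta", "wscript")  # assumed token list

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .lnk blob."""
    if len(data) < 0x4C or data[:20] != struct.pack("<I", 0x4C) + LNK_CLSID:
        raise ValueError("not a shell link header")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], 0x4C
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its 4-byte size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, out = (2 if flags & IS_UNICODE else 1), {}
    for bit, name in STRING_FIELDS:  # each present string: 2-byte char count, then chars
        if flags & bit:
            raw = data[pos + 2:pos + 2 + width * struct.unpack_from("<H", data, pos)[0]]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + len(raw)
    return out

def triage_zip(zip_bytes: bytes) -> list:
    """Flag .lnk members that pose as documents or whose target/arguments name a script host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                text = " ".join(parse_lnk_strings(zf.read(info)).values()).lower()
            except ValueError:
                text = ""  # truncated or fake header: still report the member
            findings.append({"member": info.filename, "suspicious_tokens": [t for t in SUSPICIOUS if t in text],
                             "masquerades_as_document": info.filename.lower()[:-4].endswith((".pdf", ".doc", ".docx", ".hwp"))})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample, not a real artifact: a PDF-looking LNK whose target is powershell.exe."""
    def lnk_str(s):  # CountCharacters, then the UTF-16LE characters (no terminator)
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", IS_UNICODE | 0x08 | 0x20) + bytes(52)
    lnk = header + lnk_str(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + lnk_str("-w hidden -nop -c exit")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter_Issue52.pdf.lnk", lnk)
    return buf.getvalue()
```

Run `triage_zip(build_sample_zip())` to see the member reported with both the double-extension flag and the PowerShell tokens; a real LNK from a mail gateway can be fed to the same function.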
Broader Threat Landscape
“The analysis shows how APT37 continues to refine its phishing strategies, using malicious LNK loaders, fileless PowerShell attacks, and hidden data exfiltration techniques,” Panchal added.
South Korean government bodies, research institutions, and academia remain the main targets, pointing to a long-term intelligence-gathering and espionage campaign.
Related North Korean Operations
This activity surfaced as QiAnXin reported fresh attacks by the Lazarus Group, which tricked job seekers with fake NVIDIA updates. These updates led to the deployment of BeaverTail (a JavaScript stealer) and InvisibleFerret (a Python-based backdoor).
At the same time, the U.S. Treasury Department’s OFAC imposed new sanctions on individuals and entities involved in North Korea’s IT worker scheme, which funds the regime’s missile and WMD programs.
Additionally, the Chollima Group released a report connecting a DPRK-linked IT cluster (BABYLONGROUP) to a blockchain game called DefiTankLand. Their findings suggest that the game was secretly developed by North Korean IT workers and later repurposed for APT activities.
Indicators of Compromise (IOCs)
| Category | Indicator / Detail |
|---|---|
| Threat Actor | ScarCruft (APT37, InkySquid) |
| Malware | RokRAT |
| Initial Vector | Spear-phishing emails with ZIP attachments containing malicious LNK files |
| Lure Documents | “National Intelligence Research Society Newsletter—Issue 52”; statement by Kim Yo Jong (dated July 28, rejecting Seoul’s reconciliation efforts) |
| File Types | ZIP archive; LNK file masquerading as PDF; Microsoft Word decoy document |
| Execution Methods | Malicious LNK loaders; fileless PowerShell scripts; obfuscated batch scripts |
| Capabilities | Collect system information; execute arbitrary commands; enumerate file system; capture screenshots; download additional payloads |
| Exfiltration Channels | Dropbox, Google Cloud, pCloud, Yandex Cloud |
| Persistence & C2 | Concealing traffic as a Chrome file upload; command execution, file read/write |
| Other Linked Campaigns | Lazarus Group using ClickFix-style attacks delivering BeaverTail (JS stealer) and InvisibleFerret (Python backdoor) |