{
	"id": "cbbddfe5-0981-49fd-8bdb-afa0a7ebde92",
	"created_at": "2026-04-06T00:14:43.089833Z",
	"updated_at": "2026-04-10T03:38:06.687513Z",
	"deleted_at": null,
	"sha1_hash": "28ca30af74645877c18b6ca1c60a9c8873987815",
	"title": "APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 321372,
	"plain_text": "APT-C-28 Group Launched New Cyber Attack With Fileless\r\nRokRat Malware\r\nBy Balaji N\r\nPublished: 2025-02-20 · Archived: 2026-04-05 15:40:23 UTC\r\nThe 360 Advanced Threat Research Institute has uncovered a sophisticated cyber espionage campaign\r\norchestrated by the North Korean-linked threat actor APT-C-28, also known as ScarCruft or APT37.\r\nThe group, active since 2012, has shifted tactics to employ fileless malware delivery mechanisms for deploying its\r\nsignature RokRat malware, targeting government personnel and corporations across South Korea and Asia.\r\nThis evolution marks a significant escalation in the group’s ability to evade traditional security defenses while\r\nstealing military, economic, and political intelligence.\r\nHistorical Context of APT-C-28’s Operations\r\nAPT-C-28 has long been associated with cyber operations targeting strategic industries, including aerospace,\r\nchemicals, and healthcare.\r\nSince 2016, RokRat has served as the group’s primary remote access tool (RAT), enabling persistent network\r\ninfiltration and data exfiltration.\r\nhttps://cybersecuritynews.com/apt-c-28-group-launched-new-cyber-attack-with-fileless-rokrat-malware/\r\nPage 1 of 4\n\nThe malware’s cloud-based infrastructure allowed operators to dynamically update payloads, but recent\r\ncampaigns show a pivot toward embedding malicious components directly within phishing email attachments.\r\nThe 2024 iteration of RokRat retains core functionalities but introduces refined evasion techniques. 
Unlike earlier\r\nversions that relied on cloud services for payload delivery, the latest attacks embed encrypted shellcode within\r\nmalicious LNK files, reducing reliance on external servers likely flagged by security systems.\r\nPhishing Campaigns and Initial Compromise\r\nAttackers begin by crafting highly tailored phishing emails, leveraging legitimate content from official websites to\r\nimpersonate credible sources.\r\nAttack flow chart\r\nThese emails contain ZIP attachments housing malicious LNK files disguised as documents related to North\r\nKorean affairs, diplomatic policies, or trade agreements. For example, one decoy document mimicked a South\r\nKorean government memo about inter-Korean economic collaboration.\r\nWhen victims execute the LNK file, a multi-stage payload deployment sequence triggers:\r\n1. PowerShell Script Activation: The LNK file invokes PowerShell to extract embedded files, including\r\ndecoy documents, batch scripts, and encrypted RokRat shellcode.\r\n2. In-Memory Payload Decryption: A malicious batch script executes a secondary PowerShell script,\r\napplying XOR decryption to reveal the RokRat shellcode. This fileless approach avoids writing malicious\r\nfiles to disk, complicating detection.\r\n3. 
Thread Execution: The decrypted shellcode spawns a new thread to load the final RokRat payload, which\r\nconnects to command-and-control (C2) servers while masquerading network traffic as Googlebot user\r\nagents.\r\nTechnical Innovations in RokRat’s 2024 Variant\r\nRecent samples reveal updates to RokRat’s operational protocols:\r\nEnhanced Anti-Forensics: Post-execution cleanup scripts now delete startup entries, batch files, and\r\nregistry keys more comprehensively than prior versions (Table 2).\r\nModular Payload Retrieval: New C2 commands (e.g., “1,” “2,” “5,” “6”) enable dynamic fetching of\r\nsecondary payloads from attacker-specified URLs, allowing real-time mission adjustments.\r\nProcess Hollowing: The malware injects decrypted PE files into legitimate processes like explorer.exe,\r\nfurther obscuring malicious activity from endpoint detection tools.\r\nA critical forensic artifact is RokRat’s use of hardcoded strings such as --wwjaughalvncjwiajs-- in C2\r\ncommunications and XOR keys derived from PowerShell script patterns. Security teams can hunt for these\r\nindicators in memory dumps or network logs.\r\nThe shift from cloud-dependent payloads to self-contained LNK files reflects APT-C-28’s adaptation to improved\r\ndefensive measures.\r\nSecurity vendors’ rapid takedowns of malicious domains likely forced the group to minimize external\r\ndependencies. Despite these changes, code overlaps with historical RokRat samples, such as identical encryption\r\nroutines and C2 response handling, strengthen attribution to the ScarCruft ecosystem.\r\nGeopolitical analysis suggests the campaign aligns with North Korea’s intensified intelligence-gathering efforts\r\namid ongoing diplomatic tensions. 
Targets include entities involved in sanctions enforcement, nuclear\r\nnegotiations, and cross-border trade.\r\nMitigation and Defensive Recommendations\r\nTo counter APT-C-28’s evolving tactics, the 360 Advanced Threat Research Institute advises a layered defense\r\nstrategy:\r\nOrganizations should deploy advanced email filtering solutions capable of detecting weaponized LNK files and\r\nscript-based payloads. Behavioral analysis tools that flag PowerShell spawning from LNK executions can disrupt\r\ninitial compromise attempts.\r\nMemory Scanning: Deploy tools that monitor for reflective DLL loading and unauthorized thread\r\ncreation, hallmarks of fileless malware.\r\nUser Agent Blocking: Block outbound connections masquerading as Googlebot (e.g., User-Agent:\r\nMozilla/5.0 (compatible; Googlebot/2.1)), a known RokRat signature.\r\nApplication Allowlisting: Restrict execution of PowerShell and LOLBINs (Living-Off-the-Land Binaries)\r\nto authorized directories.\r\nRegular security training should emphasize phishing recognition, particularly document-themed lures targeting\r\ngeopolitical topics. Simulated exercises can improve incident response readiness for multi-stage intrusions.\r\nAPT-C-28’s latest campaign underscores the group’s commitment to refining intrusion techniques against high-value targets. 
While RokRat’s core functionalities remain consistent, its delivery mechanisms and anti-forensic\r\nmeasures continue to evolve, demanding proactive defense postures.\r\nThe cybersecurity community must prioritize intelligence sharing and adversary-centric hunting to mitigate risks\r\nposed by this persistent threat actor.\r\nIndicators of Compromise (IOCs)\r\nHashes: 936888d84b33f152d39ec539f5ce71aa, 5adfa76b72236bf017f7968fd012e968\r\nNetwork Signatures: HTTP requests containing --wwjaughalvncjwiajs--\r\nDecryption Keys: XOR keys derived from PowerShell scripts with bxor patterns.\r\nSource: https://cybersecuritynews.com/apt-c-28-group-launched-new-cyber-attack-with-fileless-rokrat-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybersecuritynews.com/apt-c-28-group-launched-new-cyber-attack-with-fileless-rokrat-malware/"
	],
	"report_names": [
		"apt-c-28-group-launched-new-cyber-attack-with-fileless-rokrat-malware"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28ca30af74645877c18b6ca1c60a9c8873987815.pdf",
		"text": "https://archive.orkl.eu/28ca30af74645877c18b6ca1c60a9c8873987815.txt",
		"img": "https://archive.orkl.eu/28ca30af74645877c18b6ca1c60a9c8873987815.jpg"
	}
}