{
	"id": "95d7dc21-5802-42f8-8907-b2dd4334f3b6",
	"created_at": "2026-04-06T00:07:32.108866Z",
	"updated_at": "2026-04-10T03:38:06.429934Z",
	"deleted_at": null,
	"sha1_hash": "3fb8e3cf876ed07ad3f71fe286cd202c1d89dfb9",
	"title": "Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4079565,
	"plain_text": "Operation Artemis: Analysis of HWP-Based DLL Side Loading\r\nAttacks\r\nBy Genians\r\nPublished: 2025-12-21 · Archived: 2026-04-05 14:04:39 UTC\r\n◈ Key Findings\r\nThe threat actor poses as a writer for Korean TV programs and reaches out to targets for casting or\r\ninterview arrangements.\r\nA short self-introduction and legitimate-looking instructions are used to build trust.\r\nThe attacker distributes a malicious HWP file disguised as a pre-interview questionnaire or event guide\r\ndocument.\r\nThe attack combines initial HWP execution with DLL side loading to evade signature-based detection.\r\nReal-time monitoring through an EDR solution is essential for identifying abnormal behavior.\r\n1. Overview\r\nGenians Security Center identified the “Artemis” campaign conducted by the APT37 group. The threat actor\r\nembedded a malicious OLE object inside an HWP document in a covert manner. The attack chain is triggered\r\nwhen the user trusts the document content and clicks the hyperlink.\r\nhttps://www.genians.co.kr/en/blog/threat_intelligence/dll\r\nPage 1 of 21\n\n[Figure 1-1] Overview of the Attack Flow\r\nWhen the OLE object was loaded, the threat actor used a masquerading technique launching a legitimate process\r\nfirst. This multi-stage procedure leverages legitimate execution flow to evade detection by signature-based\r\nsecurity solutions. 
Subsequently, the payload was executed by calling a malicious DLL within the execution\r\ncontext of the legitimate process.\r\nThis tactic is intended to evade detection by intricately combining initial execution with privilege escalation.\r\nHowever, Endpoint Detection and Response (EDR) solutions can identify such abnormal execution flows\r\nthrough anomaly detection rules.\r\nIn our previous report titled \"RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response\r\nStrategies,\" published on August 4th, we provided a detailed overview of APT37’s LNK shortcut–based and HWP\r\nOLE–based attack cases. That analysis also described the steganography technique used in the image file that was\r\nadditionally downloaded after the DLL side-loading stage.\r\nAs these examples illustrate, the threat actor continues to employ malicious HWP documents alongside its LNK-based strategy, highlighting the need for heightened user awareness.\r\nThis campaign is characterized by a detection-evasion strategy that leverages legitimate processes, a multi-stage execution chain, and sophisticated techniques that blend normal execution flow with malicious\r\nbehavior. In particular, running the malicious payload under the context of a legitimate process\r\nsignificantly increases the difficulty of analysis, making identification and response more challenging.\r\nOverall, this attack demonstrates APT37’s ongoing pattern of highly developed reconnaissance and infiltration\r\nactivities. It also indicates that the group continues to refine its capabilities by leveraging advanced technical\r\nmethods.\r\n2. 
Background\r\nOn October 27, 38 North, a U.S.-based media outlet specializing in North Korea, published a report titled “HWP\r\nas an Attack Surface: What Hancom's Hangul Word Processor Means for South Korea's Cyber Posture as a US\r\nAlly.”\r\nAccording to the report, the Hangul Word Processor (HWP) document format, which is widely used as a standard\r\nin South Korea, has effectively become a fixed attack surface. The report notes that North Korean cyber operators\r\nhave repeatedly exploited this format in their attempts to infiltrate government, military, and key industrial\r\nnetworks in South Korea.\r\nIn practice, HWP-based attacks continue to be observed in South Korea. From the threat actor’s perspective, the\r\nbehavior of malware can shift at any time depending on the environment and conditions, and the range of\r\navailable tactics is extremely broad.\r\nIt is therefore critical to identify which techniques are being used and to strengthen response capabilities based on\r\nthat understanding to prepare for similar threats.\r\nAccordingly, this threat intelligence report aims to provide a detailed analysis of the background and tactical\r\ncharacteristics of an attack scenario that occurred in the field, offering the foundational insight needed to develop\r\nappropriate response measures.\r\n3. Attack Progression\r\n3-1. Steganography + DLL Side Loading\r\nThe initial intrusion occurred through an HWP document delivered via spear-phishing. When the malicious OLE\r\nobject embedded in the document was executed, it ultimately provided the attacker with initial access to the user\r\nenvironment.\r\nThe delivered threat leveraged a combination of techniques, including steganography and DLL side loading, to\r\nconceal its execution flow. During the side-loading stage, a system utility from Microsoft Sysinternals was\r\nabused. 
The attacker placed a tampered malicious DLL in the same directory as the executable, causing the\r\nprogram to mistake it for a legitimate DLL and load it.\r\nSince July, the threat actor has covertly deployed the RoKRAT module using steganography-based methods. In\r\nparticular, it was confirmed that in August the actor used a previously unreported portrait image as part of\r\nthe attack. For reference, the two grayscale images shown for comparison correspond to samples identified in\r\nJuly.\r\n[Figure 3-1] Photo Used in the Steganography Attack\r\n3-2. Attack Scenario\r\nThis report presents a comprehensive analysis of the APT campaign that was conducted continuously from August\r\nto November, beginning with the newly identified steganography-based technique discovered in August. Through\r\nan investigation of spear-phishing activity sustained over roughly 4 months, we identified how the malicious HWP\r\ndocuments used by the attacker evolved and became increasingly sophisticated over each iteration.\r\n[Figure 3-2] Spear-Phishing Email Disguised as a Discussion Invitation\r\nAt the end of August, the attacker sent an email disguised as an official invitation to participate in a National\r\nAssembly international conference and impersonated a university professor with a high level of public credibility.\r\nThe email included an attachment titled “북한의민간인납치문제해결을위한국제협력방안(국제세미나)\r\n(International Cooperation Strategies for Resolving North Korea’s Civilian Abduction Issue (International\r\nSeminar).hwpx,” and a targeted deception tactic was used that aligned with the recipient’s area of interest.\r\nA similar case was identified in which the attacker impersonated a writer for a major Korean broadcasting\r\nprogram and requested an interview related to the North Korean regime and human rights. 
After\r\nconducting multiple trust-building conversations, the attacker ultimately delivered a malicious HWP\r\ndocument. The investigation confirmed that the names of two writers from separate broadcasting programs had\r\nbeen used without authorization, indicating that the attacker used this impersonation to establish social credibility\r\nwith the victim.\r\n[Figure 3-3] Spear-Phishing Message Disguised as an Interview Request\r\nIn addition to cases in which the attacker impersonated university professors or TV writers, multiple incidents\r\nwere identified where the actor forged documents related to specific commentaries or events. In these HWP-based attacks, the actor disguised the embedded OLE object as a hyperlink to prompt users to execute it.\r\n[Figure 3-4] OLE Hyperlink and Target File\r\nThese cases are assessed as social-engineering-based threat activities that increase contact credibility by misusing\r\nthe identities of reputable institutions or experts.\r\n3-3. Tactic Reuse\r\nIn the case of impersonating a TV writer, the actor did not use malicious links or attachments during the initial\r\ncontact phase, instead establishing trust through natural conversations. It was confirmed that the actor then\r\ndelivered a malicious file disguised as an interview request only to individuals who responded to the\r\ncommunication.\r\nFor reference, an attack scenario using the same broadcasting company writer’s identity had already been\r\nobserved in early June 2023. 
At that time, a malicious archive named \"북한이탈주민 초빙강의(North Korean\r\nDefector Invited Lecture).zip\" was distributed, and the malware installed through it revealed the following PDB\r\n(Program Database) information.\r\nD:\\Sources\\MainWork\\Group2017\\Sample\\Release\\DogCall.pdb\r\n[Table 3-1] PDB Strings Embedded in the Malware\r\nThis PDB artifact string had previously been introduced in the report titled “APT37 Attack Case Impersonating a\r\nNorth Korean Human Rights Organization,” published on May 23, 2023. Although PDB strings are now rarely\r\nobserved, past samples from the same malware family repeatedly revealed various types of PDB paths.\r\nD:\\HighSchool\\version 13\\First-Dragon(VS2015)\\Sample\\Release\\DogCall.pdb\r\nd:\\HighSchool\\version 13\\2ndBD\\T+M\\T+M\\Result\\DocPrint.pdb\r\nD:\\HighSchool\\version 13\\VC2008(Version15)\\T+M\\T+M\\TMProject\\Release\\ErasePartition.pdb\r\nE:\\Happy\\Work\\Source\\version 12\\First-Dragon\\Sample\\Release\\DogCall.pdb\r\ne:\\Happy\\Work\\Source\\version 12\\T+M\\Result\\DocPrint.pdb\r\n[Table 3-2] PDB Strings Identified in Malware from Related Families\r\nThere are cases in which previously used attack tactics were modified or reused in the same form. Accordingly,\r\nsystematically understanding past TTPs that exhibit similar characteristics plays an important role in improving\r\nthe effectiveness of responding to already known threats by providing insight into the threat landscape.\r\n4. Detailed Analysis\r\n4-1. HWP Structure Analysis\r\nA comparison of the Root Entry structures across four representative HWP malicious documents used in real\r\nattacks showed that all samples contained a stream with an OLE object inside the BinData storage. 
This OLE\r\nembedding method is a typical pattern used for loading malicious payloads.\r\n[Figure 4-1] Comparison of Internal Structures in HWP Malware Samples\r\nThe embedded OLE objects in all samples contained functionality that creates a malicious module named\r\n\"version.dll\" in the temporary directory \"%TEMP%\".\r\nAdditionally, depending on specific execution conditions, files masquerading under various names such as\r\n\"Volumeid1.exe,\" \"vhelp.exe,\" and \"mhelp.exe\" are also generated. All of these files are legitimate\r\nSysinternals VolumeId utilities.\r\nThese executables load the malicious file named \"version.dll\" located in the same directory by performing a\r\nDLL side-loading technique, which allows the malicious library to run stealthily.\r\nBecause of this, pattern-based detection that relies solely on the presence of EXE processes is not effective\r\nfor identifying this threat. Therefore, an EDR-based active response capability is required to monitor the\r\npoint at which the \"version.dll\" file is introduced during the early stages of the attack chain and to detect\r\nabnormal behavior in real time.\r\nThis enables early identification of the initial intrusion and the establishment of a response strategy that blocks the\r\nexecution of subsequent payloads in advance.\r\nSome of the HWP malicious documents used at the time commonly had \"Hazard\" recorded in the Author field and\r\n\"Artemis\" in the Last Saved By field.\r\n[Figure 4-2] Information View of the Malicious HWP Document\r\nBased on these indicators, the threat actor who created the malicious HWP document is assessed to have used the\r\nusername \"Artemis,\" which is why this report adopts \"Artemis\" as its operation name.\r\nAs described earlier, identifying the threat element in the early phase is difficult because the 
first executable\r\ninvoked by the HWP document is a legitimate utility.\r\nThe threat actor exploits this detection gap to perform DLL side-loading, using it to stealthily load the malicious\r\nDLL module and progress the attack.\r\n4-2. DLL File Analysis\r\nThe \"version.dll\" file used for DLL side-loading was continuously leveraged from October to November 2025.\r\nIn addition, the repeated identification of the same PDB string across multiple samples indicates that these\r\nactivities can be classified as a consistent threat campaign conducted by the same actor.\r\nD:\\Develop\\HwpOLE\\HwpOLE\\x64\\Release\\version.pdb\r\n[Table 4-1] PDB Strings Embedded in the DLL\r\n[Figure 4-3] DLL Logic Analysis\r\nThe \"version.dll\" file hides its internal payload in an encrypted form using a repeated XOR pattern with a single\r\nkey value (0xFA).\r\nDepending on the environment, it then decrypts the payload by selecting either a standard byte-wise XOR method\r\nor a high-speed XOR method that processes 16 bytes (128 bits) at a time using SSE (Streaming SIMD\r\nExtensions).\r\nThis approach serves as an obfuscation and evasion packing technique designed to bypass signature-based\r\ndetection while improving decryption speed. 
The decrypted payload is loaded into memory as a 64-bit DLL and\r\ncontains its own PDB string.\r\nD:\\Develop\\HwpOLE\\HwpOLE\\x64\\Release\\common.pdb\r\n[Table 4-2] PDB Strings Contained in the Decrypted Payload\r\nThe module decrypts the encrypted block in memory using a continuous 16-byte key (0xF9) through XOR and\r\nthen transfers control, clearly exhibiting the characteristics of a typical shellcode loader pattern.\r\n[Figure 4-4] Shellcode Decryption Logic\r\nOnce all encrypted data blocks are successfully decrypted, fully functional shellcode designed for x64\r\nenvironments becomes active.\r\nThis shellcode undergoes an additional XOR decryption process using a single key (0x29). Once activated, the\r\nshellcode serves as the core module that performs the functionality of the final payload, implementing the actual\r\nmalicious behavior at the last stage of the attack chain.\r\n[Figure 4-5] Final Payload Decryption Logic\r\nThe payload, ultimately activated through this multi-stage decryption process, is a typical malicious tool\r\nbelonging to the RoKRAT family.\r\n5. Threat Attribution\r\n5-1. 
Similar Cases Involving the APT37 Group\r\nThe Genians Security Center has previously released multiple cyber threat intelligence (CTI) analysis reports\r\ndetailing major cyber operations carried out by the APT37 group.\r\nCross-referencing these past activities is effective for identifying the characteristics of the tactics, techniques, and\r\nprocedures (TTPs) consistently employed by the group, and it enables a more precise understanding of the\r\ncorrelation between the group’s operational patterns and strategic intent.\r\nRoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies\r\nAnalysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea\r\n(Operation. ToyBox Story)\r\nAnalysis of malicious HWP cases of 'APT37' group distributed through K messenger\r\nAnalysis of Cyber Recon Activities Behind APT37 Threat Actor\r\nBeware of RoKRAT fileless attacks by APT37 group\r\nAttacks Masquerading as Documents Such as North Korean Market Price Reports\r\nEmergence of APT37 Attacks Targeting macOS Users in South Korea\r\nAPT37 Attack Case Impersonating a North Korean Human Rights Organization\r\nIn addition, although APT37’s activities are repeatedly identified through various threat intelligence reports, the\r\ncases disclosed externally through media articles or selected publications represent only a portion of the group’s\r\nactual operational scale.\r\nThis information asymmetry can lead security teams within organizations or enterprises to underestimate the\r\nthreat level posed by APT37, which may result in serious security complacency. 
Relying solely on publicly\r\ndisclosed information makes it difficult to accurately assess the group’s real operational scope, persistence, and\r\ninfiltration capabilities.\r\nThreat actors such as APT37, which operate strategically over long periods and in an organized manner, are likely\r\nto have conducted a considerable number of undiscovered intrusion attempts, persistent APT operations, and\r\nearly-stage reconnaissance activities carried out in a covert manner.\r\nTherefore, interpreting the threat level as low based solely on currently identified information can distort how\r\nsecurity operations teams establish response priorities and define their defensive strategies.\r\nThis can result in poor attack surface management, weakened monitoring capabilities, and insufficient threat\r\nhunting efforts, ultimately providing highly sophisticated threat groups with opportunities for long-term\r\ninfiltration and data exfiltration.\r\nFor these reasons, continuous monitoring of major state-backed threat organizations that conduct APT attacks,\r\nalong with raised threat awareness, is essential. Above all, an organizational posture that guards against security\r\ncomplacency is critical.\r\n5-2. 
Assessment of Attack Tactics\r\nIn this attack case, a sophisticated pattern was identified in which the infection vector abusing the HWP OLE\r\nstructure was combined with DLL side-loading and multi-stage payload encryption and concealment techniques.\r\nThis combination of tactics is assessed as an intentional design aimed not only at evading detection but also at\r\nstrategically increasing the difficulty of analysis.\r\nIn particular, the fact that the attack framework is structured to carefully obscure the execution path of RoKRAT\r\nsuggests that the threat actor has continuously engaged in research and development activities to enhance the\r\ntool’s stealth and persistence over a long period.\r\nThe analysis showed that the actor evades behavior-based detection by inducing legitimate processes to load the\r\nmalicious DLL, while encrypting the payload across multiple layers to minimize entry points for static analysis.\r\nThis represents not a simple list of techniques but a systematically designed approach that considers the entire\r\nattack lifecycle, demonstrating clear intent and technical maturity in bypassing existing detection mechanisms.\r\nThe increasing sophistication of these techniques indicates that, separate from functional enhancements to\r\nRoKRAT itself, an ecosystem-level evolution to improve distribution, concealment, and persistence is also taking\r\nplace.\r\nThis supports the assessment that the threat actor affiliated with APT37 is accumulating capabilities on the basis\r\nof long-term strategic objectives rather than operating solely within isolated campaign units.\r\nConsequently, this attack case serves as a strong indicator that state-backed threat actors continue to evolve their\r\ntactics to evade detection, and similar multi-layered concealment strategies are highly likely to be applied more\r\nextensively in future variants and follow-on 
attacks.\r\n5-3. RoKRAT Infrastructure Investigation\r\nAnalysis showed that the C2 infrastructure identified in Operation Artemis relied on Russia-based Yandex Cloud\r\nas a core node.\r\nThis aligns with the long-standing tactical patterns demonstrated by APT37, as the group has continually\r\nadvanced its strategy of abusing legitimate commercial cloud services such as Dropbox, OneDrive, pCloud, and\r\nYandex Cloud to disguise C2 traffic as normal communication.\r\nThese services provide stable availability through global CDN infrastructure and offer encrypted communication\r\nchannels, making them highly suitable for threat actors to use as infrastructure for detection evasion, anonymity,\r\nand hindering geographic tracking.\r\nIn particular, APT37 was observed to employ a sophisticated operational approach in which cloud storage services\r\nare repurposed not merely for uploading or downloading data, but as multi-purpose C2 channels used for\r\ncommand delivery, result collection, encrypted payload hosting, and time-delayed covert operations.\r\nSuch abuse of legitimate services is a representative threat behavior that weakens traditional IP-based blocking or\r\nsimple traffic filtering and complicates efforts to distinguish malicious activity from normal user traffic.\r\nAnalysis of the RoKRAT sample used in the attack identified two Yandex Cloud infrastructure account tokens.\r\nOne was created in October 2023 and the other in February 2025, indicating that the actor maintained C2\r\naccessibility by renewing and managing these account tokens over a long period.\r\nYandex Account Information #1\r\ny0__xCvwqD6BxiitDUgtK7BqRJKUd5n0zFOnE5JA1vpobhCHkgkZg\r\nphilp.stwart\r\n2025-02-20T05:29:09+00:00\r\nYandex Account Information #2\r\ny0__xCgjYyMBxjIhDUgqp2umhIg72AOcJ1RXdfk-fIWhJrHtL7_Iw\r\ntanessha.samuel\r\n2023-10-19T07:09:54+00:00\r\n[Figure 5-1] Yandex Registration Information of 
the RoKRAT Threat Actor\r\nSuch legitimate cloud-based threat infrastructure is difficult to completely block through the efforts of individual\r\nnations or enterprises alone.\r\nTherefore, it is essential to establish a framework that enables the neutralization of malicious tokens and the rapid\r\nidentification and termination of abused accounts through close cooperation among cloud service providers,\r\ninternational cyber threat response organizations, and diplomatic channels.\r\nIn addition, this cooperative framework must extend beyond simple blocking to include accelerated investigative\r\nprocedures through international coordination, tracking adversary activity, and implementing measures to prevent\r\nrecurrence. Through such efforts, cloud-based threat infrastructure can be effectively suppressed at a global level.\r\n5-4. Linkage to Threat Actor\r\nThe Yandex Cloud login account used, “tanessha.samuel,” shares the same user ID as the pCloud\r\nregistration account (tanessha.samuel@gmail.com) identified in Operation Toybox Story.\r\nThis is not a simple coincidence; analysis confirmed that the registration dates for both cloud services (Yandex\r\nand pCloud) match exactly, with both created on October 19, 2023.\r\npCloud Account Information\r\nPoz17Z5rmhrc0S5SSZJIfPykZBBY1K3GcDmXzwM2kSaK1wfoS40zX\r\ntanessha.samuel@gmail.com\r\nThu, 19 Oct 2023 02:34:32 +0000\r\n[Figure 5-2] pCloud Registration Information of the RoKRAT Threat Actor\r\nThis concurrent account registration strongly indicates that the actor operates multiple cloud infrastructures under\r\na unified identifier, integrating and managing command-and-control (C2) and payload distribution channels.\r\nIn addition, the actor’s choice to register with Russia-based Yandex and Switzerland-based pCloud at the same\r\ntime suggests a strategy of evasion and concealment through geographic and legal jurisdictional 
separation,\r\nproviding critical clues for attribution and threat tracking.\r\n6. Conclusion\r\nTo effectively counter APT37’s DLL side-loading and cloud-based concealment strategies, a multilayered defense\r\nframework that integrates EDR-driven endpoint and behavior-based detection is essential. The following are the\r\nkey recommended measures.\r\nDetection of Suspicious Activity Related to DLL Side-Loading\r\nMonitor events where legitimate processes load DLLs from abnormal paths\r\nElevate alert levels for digital signature mismatches\r\nAnalyze whether network communication occurs shortly after the execution of a legitimate process\r\nMonitoring Abnormal Behavior of HWP and OLE-Based Executables\r\nTrack child process creation from the HWP process (hwp.exe)\r\nElevate alert levels when processes such as rundll32.exe, cmd.exe, or powershell.exe are spawned.\r\nTrack file drop events and temporary-folder DLL loading when OLE objects are executed.\r\nDetecting Endpoint Behavior Linked to Cloud C2\r\nApply higher anomaly scores when endpoints communicate with services such as Yandex, Dropbox,\r\nor OneDrive outside business hours, outside business pathways, or through non-business processes.\r\nClassify the host for priority response when a sequential attack chain is observed, including\r\nreconnaissance, payload drop, and subsequent cloud communication.\r\nGenian EDR can effectively detect the DLL sideloading technique leveraged by APT37 through XBA-based\r\ndetection rules, ensuring that there are no detection gaps.\r\nThis analysis-based detection framework goes beyond simple hash matching and provides behavior-focused\r\npayload identification capabilities, enabling reliable coverage against DLL sideloading and various related attack\r\nvariants.\r\n[Figure 6-1] Genian EDR-based detection view for APT37 DLL 
sideloading\r\nGenian EDR’s attack storyline feature provides high visibility into the entire DLL sideloading chain, where a\r\nmalicious version.dll is loaded through a Sysinternals utility spawned by the HWP process.\r\nThis allows security administrators to clearly trace each stage of the attack flow and promptly carry out anomaly\r\nanalysis and response actions without delay.\r\n[Figure 6-2] Attack storyline view\r\nGenian EDR also closely monitors network activity performed during the infection stage and immediately collects\r\nand identifies abnormal outbound communication attempts, particularly those directed to Yandex Cloud APIs in\r\nRussia.\r\nSuch external connections are considered key detection points because threat actors often use them as command\r\nand control (C2) servers or data exfiltration channels.\r\nThis high-visibility network analysis capability enables security administrators to promptly determine whether\r\nmalicious communication has occurred and provides the supporting information needed to perform rapid response\r\nactions, including threat blocking, isolation, and forensic investigation, without delay.\r\nAs a result, it functions as a core defensive capability for detecting and responding to covert intrusion and\r\ninformation theft attempts at the network stage.\r\n[Figure 6-3] Yandex Cloud communication detection view\r\nGenian EDR’s attack storyline feature visualizes the malware’s entire execution flow in chronological order and\r\nwith contextual relationships. 
This allows SOC operators to view the process tree, command lines, file and\r\nregistry changes, and network events at a glance, and to promptly carry out required response procedures such as\r\nprioritization, isolation, blocking, and forensic collection.\r\nThe EDR collects and analyzes endpoint activity in real time, clearly presenting the flow of malicious behavior\r\nand supporting rapid containment of attack propagation through automated response capabilities. This enables\r\norganizations to detect and respond to security threats more effectively.\r\nThe EDR also integrates with forensic analysis and threat intelligence to establish a comprehensive security\r\nmanagement framework, including identifying the cause of compromise, preventing recurrence, and blocking\r\ninternal data leakage.\r\nIn an increasingly advanced threat landscape, EDR has become an essential security component to complement\r\ntraditional controls, such as anti-virus software and firewalls, which cannot detect many modern attacks.\r\n7. 
IoC (Indicator of Compromise)\r\nMD5\r\n8e4a99315a3ef443928ef25d90f84a09\r\n17171c644307b17d231ad404e25f08b1\r\n31662a24560b3fe1f34f0733e65509ff\r\na196fb11a423076f66f5e4b2d02813a9\r\nad3433f5f64abdec7868a52341f14196\r\nc0cac70c93d213d113001e3410c24fd2\r\nd2b2c6646535a62e4c005613d6a036f0\r\ne726b59f96ab8360f323469d72b8b617\r\nea95109b608841d2f99a25bd2646ff43\r\nf13a4834e3e1613857b84a1203e2e182\r\nf3603f68aadc8bc1ea8939132f0d5252\r\n2f3dff7779795fc01291b0a31d723aca\r\n7e8c24bb3b50d68227ff2b7193d548dd\r\nd287dcaeaf17c9dae8a253994502ee58\r\nSource: https://www.genians.co.kr/en/blog/threat_intelligence/dll",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.genians.co.kr/en/blog/threat_intelligence/dll"
	],
	"report_names": [
		"dll"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fb8e3cf876ed07ad3f71fe286cd202c1d89dfb9.pdf",
		"text": "https://archive.orkl.eu/3fb8e3cf876ed07ad3f71fe286cd202c1d89dfb9.txt",
		"img": "https://archive.orkl.eu/3fb8e3cf876ed07ad3f71fe286cd202c1d89dfb9.jpg"
	}
}