{
	"id": "ec4b09e8-9b4f-46ca-8cbb-38d7784482c3",
	"created_at": "2026-04-06T01:31:52.552412Z",
	"updated_at": "2026-04-10T13:13:07.221556Z",
	"deleted_at": null,
	"sha1_hash": "797ba0db398d7143141742a014db29e4ac375fe3",
	"title": "NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 581537,
	"plain_text": "NavRAT Uses US-North Korea Summit As Decoy For Attacks In\r\nSouth Korea\r\nBy Warren Mercer\r\nPublished: 2018-05-31 · Archived: 2026-04-06 00:12:36 UTC\r\nThursday, May 31, 2018 19:00\r\nThis blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.\r\nExecutive Summary\r\nTalos has discovered a new malicious Hangul Word Processor (HWP) document\r\ntargeting Korean users. If a malicious document is opened, a remote access trojan\r\nthat we're calling \"NavRAT\" is downloaded, which can perform various actions\r\non the victim machine, including command execution, and has keylogging\r\ncapabilities.\r\nThe decoy document is named \"미북 정상회담 전망 및 대비.hwp\" (Prospects for US-North Korea\r\nSummit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is\r\nembedded within the document in order to execute malicious shellcode on the victim systems. The purpose is to\r\ndownload and execute an additional payload hosted on a compromised website: NavRAT.\r\nThis is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform\r\nkeylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver\r\nemail platform in order to communicate with the attackers via email. The uploaded file(s) are sent by email, and\r\nhttps://blog.talosintelligence.com/2018/05/navrat.html\r\nPage 1 of 12\n\nthe downloaded files are retrieved from an email attachment. We have already observed malware using free email\r\nplatforms for abuse, but this is the first time we have identified a malware that uses Naver — which is known for\r\nits popularity in South Korea.\r\nOne of the most interesting questions we still have is regarding attribution — and who is behind this malware.\r\nPreviously, we published several articles concerning Group123 (here, here, here, here and here). 
We currently\r\nassess with medium confidence that this campaign and NavRAT are linked to Group123.\r\nMalicious Document\r\nDecoy Document\r\nThe attack starts with a spear-phishing email containing the HWP document named \"미북 정상회담 전망 및 대비.hwp\" (Prospects for US-North Korea Summit.hwp). This references a legitimate\r\nevent that could potentially take place on June 12. Here is a screenshot of the document:\r\nThis document explains concerns prior to the summit between the U.S. and North Korea, which is expected to\r\nfocus on the topic of denuclearization. The summit is the latest in a line of signs of diplomatic outreach from\r\nNorth Korea, following the Panmunjom Declaration for Peace, Prosperity and Unification of the Korean Peninsula\r\nbetween South Korea and North Korea on April 27, 2018.\r\nThis document contains the aforementioned EPS object. This object is used to execute malicious shellcode on the\r\nsystem. This is a seemingly common vector for attackers when using HWP documents, which we have previously\r\nencountered and described.\r\nMalicious Code\r\nAs we already mentioned in our previous articles concerning malicious documents, EPS is\r\neffective from an attacker's point of view. It is a powerful, stack-based scripting language, and in\r\nmalicious use cases, can be abused to obtain additional payloads. Here is the content of the file:\r\n/shellcode \u003c90909090909090909090E800\u003c...redacted…\u003e4D2D6DC95CBD5DC1811111111111111\u003e def\r\n\u003c7B0D0A2756...redacted…\u003e312067657420636C6F736566696C650D0A717569740D0A7D\u003e\r\ntoken pop exch pop\r\nExec\r\nThe executed shellcode will first perform a decoding routine designed to download an additional payload from the\r\ninternet. In our case, the file URI was:\r\nhxxp://artndesign2[.]cafe24[.]com:80/skin_board/s_build_cafeblog/exp_include/img.png\r\nThis website is a legitimate Korean website. 
We assume that this website was compromised in order to deliver the\r\nfinal payload on the targeted systems. This is a method we have previously observed with attacks focusing on the\r\nKorean peninsula.\r\nThe image is downloaded directly, and the shellcode is loaded and executed in memory. This is an example of\r\nfileless execution: the malicious code runs only within the memory of the victim host. The purpose is to\r\ndrop and execute a decoded executable using the following path:\r\n%APPDATA%\\Local\\Temp\\~emp.exe\r\nOnce executed, NavRAT will immediately leverage cmd.exe to perform a systeminfo and a tasklist check on the\r\nsystem it is running on while writing the output to a TMP file, once again attempting to hide within an AhnLab\r\nfolder. Interestingly, the attacker has used the \u003e\u003e redirection to append to the file so that multiple outputs can be\r\nwritten to their single TMP file:\r\n\"C:\\Windows\\system32\\cmd.exe\" /C systeminfo \u003e\u003e \"C:\\Ahnlab\\$$$A24F.TMP\"\r\n\"C:\\WINDOWS\\system32\\cmd.exe\" /C tasklist /v \u003e\u003e \"C:\\Ahnlab\\$$$A24F.TMP\"\r\nNavRAT\r\nCapabilities\r\nNavRAT is a remote access trojan (RAT) designed to upload, download and execute files. The\r\nanalysed sample contains many verbose logs. The malware's author logs every action to a file\r\n(encoded). It's not often we are able to use the attacker's own logging capability to facilitate\r\nanalysis, which can make our research easier.\r\nThis screenshot shows the log messages written during the process injection, including the API usage.\r\nNavRAT starts by copying itself (~emp.exe) to the %ProgramData%\\Ahnlab\\GoogleUpdate.exe path. It uses the\r\npath of a well-known security company located in South Korea named AhnLab. NavRAT then creates a registry\r\nkey in order to execute this file copy at the next reboot of the system, an initial method of persistence. 
The log\r\nfiles mentioned previously are stored in the same directory as NavRAT on the victim machine, again making it\r\neasy for us to find and analyse the additional log files.\r\nNavRAT has support for process injection. By using this method, it copies itself into a running Internet\r\nExplorer process rather than running as an independent process, in order to avoid detection. The malware is able to record\r\nthe keystrokes on the targeted user's system:\r\nThe most interesting part of this RAT is the C2 server architecture. The malware uses the Naver email platform in\r\norder to communicate with the operators.\r\nCommand \u0026 Control\r\nThe malware uses the Naver email platform to communicate with the\r\noperator. The credentials are hardcoded in the sample:\r\nHowever, during our investigation, NavRAT was unable to communicate with the email address:\r\n[05/30/2018, 17:39:45] NaverUpload Start!!\r\n[05/30/2018, 17:39:46] NaverUpload :PreUploading success\r\n[05/30/2018, 17:39:46] uploading step-1 : HttpSendRequest failed. Err[12150]\r\n[05/30/2018, 17:39:46] ////////////// Response Headers getting failure //////////\r\n[05/30/2018, 17:39:46] NaverUpload :Uploading failed. Try[0]\r\n[05/30/2018, 17:39:47] uploading step-1 : HttpSendRequest failed. Err[12150]\r\n[05/30/2018, 17:39:47] ////////////// Response Headers getting failure //////////\r\n[05/30/2018, 17:39:47] NaverUpload :Uploading failed. Try[1]\r\n[05/30/2018, 17:39:48] uploading step-1 : HttpSendRequest failed. Err[12150]\r\n[05/30/2018, 17:39:48] ////////////// Response Headers getting failure //////////\r\n[05/30/2018, 17:39:48] NaverUpload :Uploading failed. Try[2]\r\n[05/30/2018, 17:39:49] uploading step-1 : HttpSendRequest failed. 
Err[12150]\r\n[05/30/2018, 17:39:49] ////////////// Response Headers getting failure //////////\r\n[05/30/2018, 17:39:49] NaverUpload :Uploading failed. Try[3]\r\n[05/30/2018, 17:39:51] uploading step-1 : HttpSendRequest failed. Err[12150]\r\n[05/30/2018, 17:39:51] ////////////// Response Headers getting failure //////////\r\n[05/30/2018, 17:39:51] NaverUpload :Uploading failed. Try[4]\r\n[05/30/2018, 17:39:52] UploadProc : UploadFile Err\r\n[05/30/2018, 17:39:52] PreCommProc : UploadProc failed\r\nThe broken communication was due to protection implemented by Naver. The malware was presumably executed\r\nfrom too many different countries, and the account is currently locked:\r\nThe password must be reset by providing information on the account, or with a mobile phone of the owner (the\r\nphone number is located in the UK). In its current state, NavRAT cannot work correctly. We assume that the\r\nowner of the malware didn't know that Naver implemented this protection.\r\nNavRAT is able to download and execute files located in the attachment of a received email. It is able to remove\r\nemails, and finally, it is able to send an email via the Naver account. In our sample, the malware attempts to send the data\r\nto: chioekang59@daum[.]net.\r\nArcheology\r\nDuring our investigation, we tried to find additional samples of NavRAT. We only identified one\r\nold sample compiled in May 2016. As in our case, this old sample used a fake AhnLab directory to\r\nstore log files (C:\\AhnLab\\). 
In this version, the compilation path was not removed:\r\nN:\\CodeProject\\VC_Code Project\\Attack_Spy\\mailacounts.com\\src_total_20160430 - v10.0(DIV)\\bin\\PrecomExe(Win32)\r\nWe can conclude that NavRAT has probably existed since 2016 — which we believe to be version 10 at the time.\r\nThe attacker(s) appear to have remained under the radar for several years. We assume this malware has been\r\nsparingly used and only for very specific targets.\r\nGroup123 Links?\r\nAs we explore the Korean malware landscape, we always have burning questions\r\nrelating to any possible links with Group123. We identified some relevant points\r\nwhich we believe, with medium confidence, suggest the involvement of Group123\r\nbased on previous TTPs used by this group.\r\nThe modus operandi is identical to previous Group123 campaigns — an HWP document with an embedded EPS\r\nobject containing malicious shellcode. The shellcode of the embedded object is designed to download an image,\r\nwhich is, in fact, a new shellcode used to decode an embedded executable. We saw this exact same methodology\r\nused by Group123 during previous attacks. One such example is ROKRAT, another remote access trojan we\r\ndiscovered in April 2017 that targeted the Korean peninsula.\r\nThe shellcode used in the EPS object is not exactly the same, but it contains a lot of similarities, right down to the\r\nnumber of instructions used, the number of NOP (no-operation) instructions and an almost identical command layout. (On the\r\nleft is NavRAT, and on the right is the shellcode of ROKRAT):\r\nWe performed the same analysis for the shellcode located in the downloaded image file; that shellcode is not\r\nexactly the same either, but the design is very similar.\r\nAdditionally, we can add the victimology and the usage of a public cloud platform as the C2 server. The attackers simply\r\nmoved from Yandex, Pcloud, Mediafire and Twitter, and now they are using Naver. 
This platform is mainly used\r\nlocally in South Korea. A connection to this platform cannot be identified as malicious activity. The malicious\r\ntraffic will be hidden in the global flow.\r\nDue to all these elements, we assess with medium confidence that NavRAT and this campaign can be linked to\r\nGroup123. The malware developer is probably a different person within Group123's working team, but the\r\ninfection framework and the operating mode are the same. When Talos published on Olympic Destroyer, we were\r\nable to see a lot of false flags used. When we look at NavRAT, we do not see this kind of intentional IOC/false-flag\r\nscenario deployed in an attempt to shift attribution to another entity. NavRAT lacks these non-obvious\r\nfalse flags, and thus we do not believe it to be related to non-Group123 actors.\r\nConclusion\r\nSouth Korea is still, and always will remain, an attractive target for advanced\r\nactors. The region has geopolitical interests that arise from the divisions that\r\nexist between the secretive North Korea and the more open South Korea. In this\r\ncampaign, the attackers used a classic HWP document in order to download and\r\nexecute a previously unknown malware: NavRAT. The author used real events in\r\norder to forge the decoy document, choosing the U.S.-North Korea summit to\r\nentice the targets to open it.\r\nThe approach is close to the techniques used by Group123 attacks we have observed and written about over the\r\npast 18 months or so: the shellcode contains similarities, the final payload is malicious shellcode located in an\r\nimage hosted on a compromised website, and the author uses an open platform as the C2 server. In this case,\r\nNavRAT used an email provider, Naver, while ROKRAT previously used cloud providers. And finally, the\r\nvictimology and the targeted region are the same. 
All these elements are not strict proof of a link between\r\nNavRAT and ROKRAT. However, we assess with medium confidence that NavRAT is linked to Group123.\r\nUsing well-known local cloud/email providers is smart from an attacker's point of view. It's really hard to identify\r\nthe malicious traffic in the middle of the legitimate traffic. In this case, the email provider locked the account due\r\nto attempts from too many different countries to access the email inbox. We identified the sample on several\r\npublic sandbox systems, and we assume the multiple connection attempts were performed by these sandboxes.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with\r\nthis threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen-source Snort subscriber rule set customers can stay up to date by downloading the latest rule pack available\r\nfor purchase on Snort.org.\r\nIOCs\r\nMalicious HWP:\r\ne5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574\r\nNavRAT: 4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57\r\nOnline Payload: hxxp://artndesign2[.]cafe24[.]com:80/skin_board/s_build_cafeblog/exp_include/img.png\r\n2016 NavRAT sample:\r\ne0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef\r\nSource: https://blog.talosintelligence.com/2018/05/navrat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/05/navrat.html"
	],
	"report_names": [
		"navrat.html"
	],
	"threat_actors": [
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439112,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/797ba0db398d7143141742a014db29e4ac375fe3.pdf",
		"text": "https://archive.orkl.eu/797ba0db398d7143141742a014db29e4ac375fe3.txt",
		"img": "https://archive.orkl.eu/797ba0db398d7143141742a014db29e4ac375fe3.jpg"
	}
}