{
	"id": "27f204f8-5308-4d2e-9d92-02c8ad65b50e",
	"created_at": "2026-04-06T03:37:46.874215Z",
	"updated_at": "2026-04-10T13:12:25.307553Z",
	"deleted_at": null,
	"sha1_hash": "8d81a6835e15f9eaef3a68959f5e3b22b73524b5",
	"title": "SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12110805,
	"plain_text": "SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing\r\nCampaign Against Southeast Asia\r\nArchived: 2026-04-06 03:22:02 UTC\r\nBy Securonix Threat Research: Den Iuzvyk, Tim Peck\r\nOct 3, 2024\r\ntldr:\r\nNorth Korea has been identified delivering VeilShell, a stealthy PowerShell-based malware delivered using a series of\r\nadvanced evasion techniques targeting victims in Southeast Asia.\r\nThe Securonix Threat Research team has uncovered an ongoing campaign, identified as SHROUDED#SLEEP, likely\r\nattributed to North Korea’s APT37 (also known as Reaper or Group123). This advanced persistent threat group is\r\nbelieved to be based in North Korea and is delivering stealthy malware to targets across Southeast Asian countries.\r\nAPT37, unlike other APT groups from the region such as Kimsuky, has a long history of targeting countries outside\r\nof the expected South Korean targets. This includes a number of recent campaigns against Southeast Asia countries.\r\nThis is not the first time North Korea has targeted this particular region. Data from earlier campaigns show malware\r\nsimilar to that of this campaign. However, it appears the threat actors have retooled and resumed operations since\r\ntheir initial discovery in 2023, or have continued their activity largely undetected since then.\r\nVictims are likely the subject of phishing emails where the initial payload would be a zip file attached to the email.\r\nWhile it has all the hallmarks of a traditional phishing email attachment, our team was not able to identify the original\r\nhttps://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/\r\nPage 1 of 20\n\nemail that delivered the malware, only the attachment itself. Cambodia appears to be the primary target for this\r\ncampaign, however, it could extend into other Southeast Asian countries. 
This is based on the language and countries referenced within the phishing lures, and on geographical telemetry data from related identified samples.\r\nTowards the end of a rather lengthy chain of malicious stages, the threat actors leveraged a custom PowerShell backdoor featuring a wide range of RAT (Remote Access Trojan) capabilities. Our team has been tracking the custom backdoor as VeilShell due to its stealthy method of execution and capabilities. The backdoor trojan allows the attacker full access to the compromised machine. Some features include data exfiltration, and the creation or manipulation of registry keys and scheduled tasks. We’ll highlight each of these further down in the publication.\r\nOverall, the threat actors were quite patient and methodical. Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn’t actually execute until the next system reboot.\r\nInitial infection\r\nCode execution was achieved through the usage of .lnk or shortcut files contained inside a zip archive. The shortcut files would leverage double extension techniques, ending in either .pdf.lnk or .xlsx.lnk. In Windows, the .lnk extension is always hidden from the user, making them think they’re opening an actual spreadsheet or PDF document. The attackers also modified the shortcut’s icon to match the extension, making the shortcut file appear more legitimate, as seen in the figure below:\r\nFigure 1: Shortcut “lure file” – Report on NGO Income_edit.xlsx.lnk\r\nThe shortcut file links directly to the PowerShell process and executes an elaborate series of commands which we’ll dive into in separate parts. 
An example of the command can be seen in the image below.\r\nFigure 2: Shortcut file details – Report on NGO Income_edit.xlsx.lnk\r\nTypically, shortcut files are extremely lightweight, often just a few kilobytes in size. However, in the case of the SHROUDED#SLEEP campaign, we observed shortcut files ranging from 60KB to 600KB. This increased size is due to the fact that the shortcut file functions as dropper malware, with the next-stage payloads appended to the end of the file.\r\nThe PowerShell commands embedded in the shortcut file primarily serve to decode and extract these payloads from within the shortcut file itself. This tactic is very similar to what we saw in the DEEP#GOSU campaign, attributed to North Korea, that we analyzed earlier this year.\r\nIn total, three payloads are extracted based on a predefined byte range, starting at byte 2903 and reading a total of 64,744 bytes (ending at byte 67,647). Each “file” is Base64 encoded and separated by a colon (:), which acts as a delimiter to indicate where one payload ends and the next begins. The script reads these contents into an array in PowerShell, where each payload is assigned an index value. Using the .NET [IO.File]::WriteAllBytes method called from PowerShell, each payload is then written to disk. Examining the shortcut file in a hex editor reveals these Base64 encoded payloads embedded within the file structure. (Extraction Python code is provided in Appendix A.)\r\nTaking a look at a hexdump of the shortcut file we can see these large chunks of Base64 that get decoded via PowerShell:\r\nFigure 3: Shortcut file details – Hexdump observing embedded payloads\r\nThe three extracted files include an actual lure document (e.xlsx), a configuration file (d.exe.config), and a malicious DLL (DomainManager.dll); the latter two are written to the Windows Startup directory for persistence. 
Each shortcut file that we analyzed contained a lure document (an Excel file in one case and a PDF in another) that was opened to distract the user while the malware was dropped in the background. We’ll dive into the lure documents further down.\r\nPowerShell execution overview\r\nPowerShell was the primary code base used by the threat actors within the shortcut file. Execution proceeds immediately upon running or double-clicking the shortcut file. While the script is a pretty large one-liner, let’s break it down into smaller portions to better understand it.\r\nCall the PowerShell process\r\nThe command uses path traversal to first move backward from whatever directory it’s launched from in order to call the PowerShell process from its default directory:\r\n..\\..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nCommand line:\r\nFirst it defines a variable ($t) as the user’s Startup directory. This means that any executable files dropped here will run the next time the user logs in.\r\n$t=$env:appdata+’\\Microsoft\\Windows\\Start Menu\\Programs\\Startup’\r\nThe command then searches the user’s temp folder for the file named “Report on NGO Income_edit.xlsx.lnk” (the shortcut file itself). This would be the result of launching the shortcut directly from the archive or zip file software or Windows Explorer: its contents get auto-extracted into the user’s temp directory prior to execution. If the file exists, it proceeds with opening this file.\r\nif(Get-ChildItem $env:temp -recurse ‘Report on NGO Income_edit.xlsx.lnk’)\r\nA file stream is created to open the shortcut file using “New-Object IO.FileStream” and read its contents. 
The command reads from the file stream starting at byte 2903 and reads 64744 bytes.\r\nThe bytes that are read into memory are assumed to be Base64-encoded. The command decodes these bytes and splits the result on the colon (:) into three parts, which are placed inside an array variable ($a).\r\nNext, the script attempts to copy a legitimate file (dfsvc.exe) from the Microsoft .NET framework located at “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe”. This file is used for .NET ClickOnce applications. The file is copied to the Startup folder as “d.exe”.\r\nThe script then writes two files (d.exe.config and DomainManager.dll) into the Windows startup directory ($t), and an Excel file (e.xlsx) into the user’s temp directory.\r\nd.exe.config:\r\n[IO.File]::WriteAllBytes($t+’\\d.exe.config’,[Convert]::FromBase64″”String($a[0]))\r\nDomainManager.dll:\r\n[IO.File]::WriteAllBytes($t+’\\DomainManager.dll’,[Convert]::FromBase64″”String($a[1]))\r\ne.xlsx:\r\n[IO.File]::WriteAllBytes($env:temp+’\\e.xlsx’,[Convert]::FromBase64″”String($a[2]))\r\nLastly, the Windows Explorer process (explorer.exe) is called to open the legitimate Excel file:\r\nexplorer ($env:temp+’\\e.xlsx’)\r\nSummary of the shortcut file’s PowerShell code:\r\nThe PowerShell command executed from the shortcut file retrieves and decodes a payload hidden in the shortcut file (.lnk). It drops malicious files into the Startup folder, ensuring persistence by making these files run on the next login. 
It also opens an Excel file, likely to trick the user into thinking they are viewing a legitimate document, while malicious actions happen in the background.\r\nThis kind of attack leverages social engineering and fileless techniques to avoid detection by security tools. Interestingly enough, it does not actually execute any of the dropped files. However, as they were dropped into the user’s startup directory, next-stage execution would not occur until the next system reboot.\r\nLure document\r\nWe observed that the lure documents were opened at the end of the PowerShell script by invoking the explorer.exe process, a clever technique to ensure the document opens with the system’s default application based on its file extension. Let’s go over a couple of examples:\r\nFigure 4: Lure document: e.xlsx\r\nThe first document (e.xlsx) is a simple spreadsheet related to annual income in U.S. dollars across various sectors, such as social work, education, health, and agriculture. The document is written in Khmer (Cambodian), which is predominantly spoken in Cambodia, Thailand, Vietnam and Laos.\r\nThe document is rather uninteresting and is not malicious in any way. Its sole purpose is to present something legitimate to the user. This way the intended action (clicking an Excel file) produces an expected result.\r\nFigure 5: Lure document: e.pdf\r\nThis sample was first identified circulating late last year. The lure file was executed and presented to the user in a nearly identical manner. 
Although written in English, the PDF discusses strategies and research related to Cambodia. Based on the identified samples, it is evident that the target victimology is focused on Southeast Asia, specifically Cambodia.\r\nPersistence in execution\r\nThe SHROUDED#SLEEP campaign uses a rather obscure, but documented, technique known as AppDomainManager hijacking to maintain persistence by injecting malicious code into .NET applications. This technique exploits the .NET AppDomainManager class, allowing attackers to load their malicious DLL (DomainManager.dll) early in the application’s execution.\r\nWhen d.exe (renamed dfsvc.exe) runs at startup, it reads the accompanying .config file (which needs to be named the same as the executable file with “.config” appended), which specifies a custom AppDomainManager class. Code execution is then redirected to the malicious DLL, enabling the code contained within the DLL to be executed before the legitimate process runs.\r\nFigure 6: Contents of d.exe.config\r\nUsing the figure above, we can better understand how d.exe executes malicious code from within DomainManager.dll. The appDomainManagerType and appDomainManagerAssembly fields in the .config file specify the custom AppDomainManager class (InjectedDomainManager) and the assembly (DomainManager.dll).\r\nDLL file analysis (DomainManager.dll)\r\nThe .NET binary file DomainManager.dll acts as a simple loader which attempts to retrieve and parse code from a remote server in order to download and execute further stages. 
Let’s take a look at the few functions contained within.\r\nThe main entry point function InitializeNewDomain performs several actions:\r\n- Sleeps for 10 minutes (Thread.Sleep(600000)); long sleeps are typically used to delay execution and evade detection.\r\n- Calls the GetHttpResponse function to retrieve the response from the given URL, extracts the data between the HTML \u003cpre\u003e and \u003c/pre\u003e tags and then decrypts it using a Caesar cipher.\r\n- Evaluates the decrypted string as JavaScript using Eval.JScriptEvaluate, which executes the JavaScript code.\r\n- Finally calls Environment.Exit(0) to terminate the current process, cleaning up after itself.\r\nSome of the notable functions can be seen in the figure below:\r\nFigure 7: .NET functions contained within DomainManager.dll\r\nThe primary purpose of the DLL is to reach out to a remote file hosting site and parse an expected string. It does this by issuing an HTTP GET request to hxxps://jumpshare[.]com/view/load/crjl6ovj7HVGtuhdQrF1 and retrieving the response. It uses TLS 1.2, accepts all SSL certificates (so certificate validation is effectively bypassed), and retrieves the content of the page that gets returned as a string. Finally, the parsed JavaScript code is executed via Eval.JScriptEvaluate within the .NET environment.\r\nJavaScript code analysis\r\nTaking a look at network data, our team was able to parse a response which contained the string shown in the figure below. Using a simple CyberChef recipe, we were able to implement the Caesar cipher (-7 shift) to produce the decoded result:\r\nFigure 8: Deobfuscated JavaScript payload\r\nThe JavaScript executed by the DLL file performs a few simple functions. 
The end goal is to reach out to a remote C2 server providing the victim’s hostname, and then download and execute code sent back from the C2 server using JavaScript. The script:\r\n- Creates a WScript.Shell object, which allows the script to interact with the Windows environment, such as accessing environment variables.\r\n- Retrieves the name of the computer from the %computername% environment variable. The computer name is used as part of the URL to create a unique identifier for each infected machine.\r\n- Sends an HTTP GET request to the URL hxxp://208.85.16[.]88/wy/[computername].txt, where [computername] is the name of the victim machine.\r\n- Evaluates and executes the response text received from the server.\r\nPowerShell backdoor code analysis: VeilShell\r\nExecuted by the JavaScript eval() function is a single large PowerShell one-liner. The script serves as a backdoor/RAT (Remote Access Trojan), allowing an attacker to control the victim’s system remotely. Below is a detailed breakdown of its functionality.\r\nAside from obfuscated variable names, most of the script is human-readable and its purpose is not difficult to determine, especially once it’s properly formatted.\r\nFigure 9: VeilShell: evaluated code example\r\nSetup and persistence\r\nAfter taking the time to clean up the code we get a better understanding as to its intent. At the beginning of the VeilShell script, new variables are defined which assist in the backdoor connection as well as persistence.\r\nThe script starts by delaying execution for 64 seconds with Start-Sleep -Seconds 64. As we saw previously with the code found inside DomainManager.dll, long sleeps like this are often used as a form of detection bypass.\r\nNext, a buffer size of 1MB is defined for file operations and held in the $dohejBAVPCxp variable. 
This will be referenced later on and is used during command and control operations.\r\nSystem details are then retrieved and stored in the $EVP variable. The computer name and username are then parsed from these details and concatenated to uniquely identify the victim machine.\r\nA C2 connect URL is then constructed and placed inside the $yyVGPhBLYpqEzF variable. The control server is located at hxxp://172.93.181[.]249/control/com.php.\r\nFigure 10: Initial setup and persistence in the VeilShell backdoor\r\nPersistence is once again established, this time using the Windows Registry. The “if” statement checks if a certain file exists in the temp directory, and if it doesn’t, it adds a persistence mechanism to the Windows Registry’s startup key. The command ensures that PowerShell runs at startup in hidden mode, attempting to connect to a control server (hxxp://172.93.181[.]249/control/html/1.html) through mshta.exe, a commonly abused utility for running HTML applications.\r\nVeilShell RAT functionality\r\nThis script is a highly versatile PowerShell-based backdoor/RAT. It communicates with a command and control server, executes various commands based on the attacker’s instructions, and provides full control over the victim’s machine. The attacker is able to download or upload system data, modify system settings and even run scheduled tasks at specified intervals.\r\nThe attacker is able to send the following commands remotely to the infected computer. At a high level, these perform the following tasks:\r\nCommand: Description\r\nfileinfo: Lists details (name, size, last modification date, full path) of files in the specified directory. 
It also has the ability to export the file information to a CSV file and upload it to the attacker’s server.\r\ndir: Compresses the specified directory into a .zip archive and uploads it to the attacker’s server.\r\nfile: Uploads a specific file from the victim’s machine to the attacker’s server.\r\ndown: Downloads a file from a URL provided by the attacker and saves it to the victim’s machine.\r\nregedit: Creates or modifies a registry key and value based on parameters sent by the attacker.\r\ntask: Creates a scheduled task on the victim’s machine to execute a command or script at a specified interval. This is done using the New-ScheduledTaskAction PowerShell cmdlet.\r\nzip: Extracts a .zip archive on the victim’s machine.\r\nrename: Renames a specified file on the victim’s machine.\r\ndel: Deletes a specified file on the victim’s machine.\r\nBelow is an example of some of the cleaned up code which relates to this particular backdoor command and control functionality.\r\nFigure 11: PowerShell code example of some of the attacker’s command switches\r\nStrangely enough, there doesn’t appear to be a way to directly execute system commands from this backdoor. However, several functions are able to execute commands indirectly, either through the usage of scheduled tasks or through the registry.\r\nThere are probably several reasons why the threat actors did not include this functionality; however, one of the more likely scenarios is that it was left out to reduce the overall footprint of the code. 
Issuing terminal or system commands also increases the likelihood that this script will be detected by antivirus software.\r\nCommand and Control\r\nCommunication between the victim machine and the attacker’s C2 server is managed through HTTP POST and GET requests. These are primarily handled in the fpBb, vSlobVl and hUbUWkZbX functions.\r\nfpBb Function (HTTP POST Request):\r\nThis function sends POST requests to the attacker’s control server. It uses the .NET System.Net.WebRequest object from PowerShell to send and receive data from the server.\r\nvSlobVl Function (File Upload):\r\nThis uploads files to the control server using a multipart POST request. It reads the file in chunks of 1MB (as defined earlier in setup) and sends each chunk in a POST request to $eaeXyhlNWdalm (the control server). The file being uploaded could be any specified file on the victim’s system.\r\nhUbUWkZbX Function (File Download):\r\nThis function downloads a file from the provided URL ($eaeXyhlNWdalm) and saves it to the victim’s machine at the location specified by $rOuMF. It reads the downloaded file in chunks (1MB) and writes it to disk.\r\nFigure 12: PowerShell code example containing command and control functions\r\nThe script continues to run in the background by means of an always-true loop at the end of the script, “while ($true -eq $true)”. As it loops it constantly checks the control server for new command switches issued by the threat actors and executes them on the victim’s machine. 
This makes it a fully functional RAT capable of exfiltrating files, modifying the registry, creating scheduled tasks, and more.\r\nWrapping up…\r\nThe SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia, leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems. Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets.\r\nAt a glance: Key tactics and techniques\r\nShortcut File as a Dropper [T1204.001]: The campaign begins with a malicious shortcut file (.lnk) that, once executed from a zip file, drops and executes next-stage payloads using PowerShell. By appending encoded payloads to the end of the shortcut file, the attackers cleverly disguise their malware from the user.\r\nAppDomainManager Hijacking [T1574.014]: The attackers exploit the AppDomainManager class in .NET to hijack execution flow and load a custom-crafted DLL, DomainManager.dll, at runtime. The DLL was executed via a renamed legitimate executable (d.exe), effectively injecting their malicious code before any legitimate activity occurs.\r\nRemote JavaScript execution [T1059.007]: The primary purpose of the DLL was to execute an obfuscated JavaScript payload from a remote C2 server. Once parsed and executed, this led to the execution of the VeilShell backdoor.\r\nPowerShell Backdoor/VeilShell [T1059.001]: Finally, last in the execution chain was the PowerShell-based VeilShell. This was discovered to be a versatile and powerful tool for maintaining backdoor access to the victim’s system. 
It communicates with the attacker’s C2 server, sending back system information and awaiting further instructions. The script is capable of uploading and downloading files, creating scheduled tasks, modifying the Windows registry, and interacting with the file system.\r\nThe use of Base64 encoding and Caesar ciphers added to the overall stealthiness of the backdoor, making it difficult for traditional security tools to analyze or detect the underlying malicious behavior.\r\nOverall, the campaign is incredibly stealthy, and the threat actors exercised a huge amount of patience in order to remain undetected. This is evident from the large sleeps found within each stage and from the fact that after the initial shortcut code execution, the next stages will not run until the user reboots their computer.\r\nSecuronix recommendations\r\nThe emergence of the SHROUDED#SLEEP campaign highlights the importance of robust endpoint security, especially when it comes to monitoring PowerShell activity, registry modifications, and network communications. Defenders must stay vigilant, as the attackers continue to exploit commonly trusted system utilities to evade traditional defenses.\r\nAs this campaign likely started using phishing emails, avoid downloading files or attachments from external sources, especially if the source was unsolicited. Common file types include zip, rar, iso, and pdf. Additionally, external links to download these kinds of files should be considered equally dangerous. 
Zip files, sometimes password-protected, were used during this campaign.\r\nMonitor common malware staging directories, especially script-related activity in world-writable directories. In the case of this campaign the threat actors staged in the user’s startup directory at %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup.\r\nMonitor for the use of traditional persistence, especially in the Windows Registry and using scheduled tasks.\r\nWe strongly recommend deploying robust endpoint logging capabilities to aid in PowerShell detections. This includes leveraging additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage.\r\nSecuronix customers can scan endpoints using the Securonix hunting queries below.\r\nMITRE ATT\u0026CK Matrix\r\nTactic – Technique\r\nInitial Access – T1566.001: Phishing: Spearphishing Attachment\r\nCollection – T1560: Archive Collected Data\r\nCommand and Control – T1132: Data Encoding\r\nCredential Access – T1003: OS Credential Dumping\r\nCredential Access – T1555: Credentials from Password Stores\r\nDefense Evasion – T1027: Obfuscated Files or Information\r\nDefense Evasion – T1070.004: Indicator Removal: File Deletion\r\nDefense Evasion – T1112: Modify Registry\r\nDefense Evasion – T1574.014: Hijack Execution Flow: AppDomainManager\r\nDiscovery – T1033: System Owner/User Discovery\r\nDiscovery – T1057: Process Discovery\r\nDiscovery – T1069: Permission Groups Discovery: Domain Groups\r\nDiscovery – T1082: System Information Discovery\r\nExecution – T1059.001: Command and Scripting Interpreter: PowerShell\r\nExecution – T1059.007: Command and Scripting Interpreter: JavaScript\r\nExecution – T1204.001: User Execution: Malicious Link\r\nExecution – T1204.002: User Execution: Malicious File\r\nPersistence – T1053: Scheduled Task/Job\r\nPersistence – T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nExfiltration – T1041: Exfiltration Over C2 Channel\r\nRelevant 
Securonix detections\r\nEDR-ALL-941-RU\r\nEDR-ALL-1274-RU\r\nPSH-ALL-331-RU\r\nRelevant hunting queries\r\n(remove square brackets “[ ]” for IP addresses or URLs)\r\nindex = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “172.93.181[.]249” OR destinationaddress = “208.85.16[.]88”)\r\nindex = activity AND rg_functionality = “Next Generation Firewall” AND (destinationhostname CONTAINS “hxxps://jumpshare[.]com/view/load/crjl6ovj7HVGtuhdQrF1” OR destinationhostname CONTAINS “hxxps://jumpshare[.]com/viewer/load/zB564bxDA3yG8PnFR90I”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “File created” OR deviceaction = “File created (rule: FileCreate)”) AND customstring49 ENDS WITH “DomainManager.dll” AND (customstring49 CONTAINS “\\\\Appdata\\\\Local”)\r\nindex = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (FileDescription = “ClickOnce” OR filename = “Dfsvc.exe”) AND destinationprocessname NOT ENDS WITH “Dfsvc.exe”\r\nC2 and infrastructure\r\nC2 Address\r\n172.93.181[.]249\r\n208.85.16[.]88\r\nhxxps://jumpshare[.]com/view/load/crjl6ovj7HVGtuhdQrF1\r\nhxxps://jumpshare[.]com/viewer/load/zB564bxDA3yG8PnFR90I\r\nAnalyzed files\r\nReport on NGO Income_edit.zip\r\nKey Data 2023 Quarterly Cambodia Poll Appendix.zip\r\nReport on NGO Income_edit.xlsx.lnk\r\nQuarterly Cambodia Poll Appendix.pdf.lnk\r\nd.exe.config\r\nDomainManager.dll\r\ne.xlsx\r\ne.pdf\r\nExcelDna.xll\r\nReferences\r\n1. Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware: https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/\r\n2. Use AppDomainManager to maintain persistence: https://3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence\r\nAppendix A: Embedded .lnk payload extractor (Python)\r\nimport os\r\nimport base64\r\n\r\nlnk_path = \".\\\\Report on NGO Income_edit.xlsx.lnk\"\r\nwith open(lnk_path, 'rb') as f:\r\n    # Modify start/end of the embedded payloads to match the analyzed shortcut\r\n    f.seek(2903)\r\n    data = f.read(64744)\r\n    # The embedded blob is Base64 text that decodes to a UTF-16 string holding\r\n    # three colon-separated Base64 payloads\r\n    decoded_data = base64.b64decode(data).decode('utf-16')\r\n    split_data = decoded_data.split(':')\r\n    if len(split_data) == 3:\r\n        output_dir = \".\\\\ExtractedFiles\"\r\n        os.makedirs(output_dir, exist_ok=True)\r\n        # Rename documents if needed based on shortcut file data\r\n        with open(os.path.join(output_dir, 'd.exe.config'), 'wb') as config_file:\r\n            config_file.write(base64.b64decode(split_data[0]))\r\n        with open(os.path.join(output_dir, 'DomainManager.dll'), 'wb') as dll_file:\r\n            dll_file.write(base64.b64decode(split_data[1]))\r\n        with open(os.path.join(output_dir, 'e.xlsx'), 'wb') as excel_file:\r\n            excel_file.write(base64.b64decode(split_data[2]))\r\n    else:\r\n        print(\"An extraction error has occurred, check payload count.\")\r\nSource: https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/"
	],
	"report_names": [
		"shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37",
				"ATK4",
				"Group 123",
				"InkySquid",
				"Moldy Pisces",
				"Operation Daybreak",
				"Operation Erebus",
				"RICOCHET CHOLLIMA",
				"Reaper",
				"ScarCruft",
				"TA-RedAnt",
				"Venus 121"
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446666,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d81a6835e15f9eaef3a68959f5e3b22b73524b5.pdf",
		"text": "https://archive.orkl.eu/8d81a6835e15f9eaef3a68959f5e3b22b73524b5.txt",
		"img": "https://archive.orkl.eu/8d81a6835e15f9eaef3a68959f5e3b22b73524b5.jpg"
	}
}