{
	"id": "0d0c4bb8-71bd-49e9-acaf-6d851496276b",
	"created_at": "2026-04-06T00:17:57.051973Z",
	"updated_at": "2026-04-10T03:20:39.575108Z",
	"deleted_at": null,
	"sha1_hash": "d967a4e4a7e51a6933fd9f5e5acd8a24595322db",
	"title": "RokRAT Malware Using Malicious Hangul (.HWP) Documents - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4194051,
	"plain_text": "RokRAT Malware Using Malicious Hangul (.HWP) Documents - ASEC\r\nBy ATCP\r\nPublished: 2025-07-20 · Archived: 2026-04-05 17:07:40 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of RokRAT malware using a Hangul Word Processor document (.hwp). RokRAT is typically distributed by packaging a decoy file and a malicious script inside a shortcut (LNK) file. In this case, however, ASEC found the malware being distributed through HWP documents instead of an LNK file.\r\nFile Name\r\n250615_Operation status of grain store.hwp\r\nRecent major portal site.hwpx\r\n[Notice] Q1 VAT Return Filing Deadline (Final)\r\nTable 1. Document file names used to distribute RokRAT\r\nThe document ‘250615_Operation status of grain store.hwp’ is shown in the following figure.\r\nFigure 1. Document content\r\nTo avoid suspicion, the document covers North Korea’s grain distribution points, matching the file name ‘250615_Operation status of grain store’.\r\nFigure 2. Hyperlink to execute ShellRunas.exe\r\nAt the bottom of the document, a hyperlink to ‘[Appendix] Reference Materials.docx’ is inserted. When users click this link, a warning window asks whether to execute ShellRunas.exe located in the %TEMP% path. If users select ‘Run’, their system is infected with the malware. This ShellRunas.exe is not downloaded from the threat actor’s C2 server; it is embedded in the document as an OLE object, and when users reach the document page containing the OLE object, the Hangul process automatically writes it to the %TEMP% path.\r\nFigure 3. OLE objects automatically created by the Hangul process (ShellRunas.exe, credui.dll)\r\nThe threat actor specified %TEMP%\\ShellRunas.exe as the hyperlink path, so the ShellRunas.exe that the Hangul process has already written to %TEMP% is the file executed when the link is clicked. The document contains one OLE object corresponding to ShellRunas.exe and another corresponding to credui.dll; both are inserted into the document and both are written to the %TEMP% folder together. ShellRunas.exe is a legitimate program signed with a Microsoft certificate. When it is executed, it loads the malicious credui.dll from the same path through the DLL side-loading technique. In this type of attack, the threat actor used the following legitimate executables in addition to ShellRunas.exe:\r\nLegitimate Program | Malicious File Loaded\r\naccessenum.exe | mpr.dll\r\nShellRunas.exe | credui.dll\r\nhhc.exe | hha.dll\r\nTable 2. Legitimate programs used in the DLL side-loading technique\r\nThe credui.dll file downloads the file Father.jpg from Dropbox. The JPG file is a genuine image, but shellcode that loads RokRAT into memory has been inserted at a specific location within it.\r\nFigure 4. Shellcode inserted into the image\r\nRokRAT, which is ultimately executed, can collect user information and perform various malicious behaviors according to the threat actor’s commands, so extra caution is advised.\r\nMD5\r\na2ee8d2aa9f79551eb5dd8f9610ad557\r\nd5fe744b9623a0cc7f0ef6464c5530da\r\ne13c3a38ca58fb0fa9da753e857dd3d5\r\ne4813c34fe2327de1a94c51e630213d1\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/89130/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/89130/"
	],
	"report_names": [
		"89130"
	],
	"threat_actors": [],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d967a4e4a7e51a6933fd9f5e5acd8a24595322db.pdf",
		"text": "https://archive.orkl.eu/d967a4e4a7e51a6933fd9f5e5acd8a24595322db.txt",
		"img": "https://archive.orkl.eu/d967a4e4a7e51a6933fd9f5e5acd8a24595322db.jpg"
	}
}