APT37 Cybercriminals Utilize JPEG Images to Target Windows Systems Exploiting “mspaint.exe”
A sophisticated new wave of cyberattacks attributed to North Korea’s notorious APT37 (Reaper) group is leveraging advanced malware hidden within JPEG image files to compromise Microsoft Windows systems. This development signals a dangerous evolution in evasion tactics and fileless attack techniques. Security researchers at Genians Security Center (GSC) have recently identified a new variant of the infamous RoKRAT malware used by APT37. Unlike previous versions, this variant employs an intricate two-stage shellcode injection process designed to hinder forensic analysis and bypass traditional security controls. Of particular concern is the group’s use of steganography, where malicious code is concealed within seemingly innocuous image files, making detection substantially harder for endpoint defences that inspect files by type and signature.
APT37’s current campaign, primarily observed in South Korea, is distributed via compressed archives, such as “National Intelligence and Counterintelligence Manuscript.zip,” containing large Windows shortcut (.lnk) files. These shortcuts embed several hidden components, including a legitimate decoy document, shellcode, and script files. PowerShell commands are designed to decrypt and execute further payloads. By exploiting user trust in seemingly routine files, especially those attached to emails or instant messages, APT37 maximises the likelihood of successful compromise. Once initiated, this multi-stage attack chain executes a batch script that launches PowerShell. The script decodes an encrypted shellcode payload using XOR operations, ultimately injecting the malicious code into trusted Windows processes like mspaint.exe or notepad.exe. This fileless approach leaves minimal forensic traces, allowing threat actors to evade both signature-based antivirus and many heuristic solutions.
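The observable that defenders can key on in the chain described above is a script host (PowerShell launched from a batch file) creating a remote thread in a GUI utility such as mspaint.exe or notepad.exe. The following is an added detection example, not code from Genians or from the report; the Sysmon-style event layout and the sample records are constructed for illustration.

```python
# Added example: correlate process-create and remote-thread events to flag
# the batch -> PowerShell -> mspaint.exe/notepad.exe injection chain.
# Event shape is an assumption modelled loosely on Sysmon (ID 1 = process
# create, ID 8 = CreateRemoteThread); the records below are constructed.

# Trusted host processes the report names as injection targets.
INJECTION_TARGETS = {"mspaint.exe", "notepad.exe"}

SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "image": "cmd.exe", "parent": "explorer.exe"},
    {"id": 1, "pid": 101, "image": "powershell.exe", "parent": "cmd.exe"},
    {"id": 1, "pid": 102, "image": "mspaint.exe", "parent": "powershell.exe"},
    {"id": 8, "pid": 101, "image": "powershell.exe",
     "target_pid": 102, "target_image": "mspaint.exe"},
    # Benign noise: an interactive PowerShell and a user-opened Notepad.
    {"id": 1, "pid": 200, "image": "powershell.exe", "parent": "explorer.exe"},
    {"id": 1, "pid": 201, "image": "notepad.exe", "parent": "explorer.exe"},
]


def find_injection_chains(events):
    """Return (injector_pid, target_image, chain) for every remote-thread event
    where PowerShell, itself spawned by cmd.exe (i.e. a batch script), injects
    into one of the trusted host processes named in the report."""
    parent_of = {}  # pid -> lower-cased parent image, from process-create events
    for ev in events:
        if ev["id"] == 1:
            parent_of[ev["pid"]] = ev["parent"].lower()

    hits = []
    for ev in events:
        if ev["id"] != 8:
            continue
        src = ev["image"].lower()
        tgt = ev["target_image"].lower()
        # A GUI utility has no legitimate reason to receive a thread from a
        # script host; requiring the cmd.exe parent ties it to the batch stage.
        if (src == "powershell.exe" and tgt in INJECTION_TARGETS
                and parent_of.get(ev["pid"]) == "cmd.exe"):
            chain = f"cmd.exe -> powershell.exe(pid {ev['pid']}) -> {tgt}"
            hits.append((ev["pid"], tgt, chain))
    return hits


if __name__ == "__main__":
    for _, _, chain in find_injection_chains(SAMPLE_EVENTS):
        print("ALERT remote thread into trusted process:", chain)
```

In a real deployment the same correlation runs over Sysmon Event ID 1 and 8 records from the endpoint log pipeline; the benign events in the sample show that an interactive PowerShell or a user-opened Notepad alone does not trigger it.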