ScarCruft’s “Operation HanKook Phantom” targeting South Korean academics with RokRAT malware
Cybersecurity researchers have identified a new phishing campaign orchestrated by the North Korea-linked hacking group known as ScarCruft (also referred to as APT37), aimed at delivering malware called RokRAT. This operation, dubbed Operation HanKook Phantom by Seqrite Labs, appears to target individuals affiliated with the National Intelligence Research Association, including academics, former government officials, and researchers. Security researcher Dixit Panchal noted that the attackers likely seek to steal sensitive information, establish persistence, or conduct espionage.

The attack begins with a spear-phishing email that lures recipients with a fake “National Intelligence Research Society Newsletter—Issue 52,” a publication from a South Korean research group focused on national intelligence, labour relations, security, and energy issues. The email contains a ZIP archive holding a Windows shortcut (LNK) disguised as a PDF document; when opened, the shortcut displays the newsletter as a decoy while simultaneously deploying RokRAT on the victim’s device.
RokRAT is a known malware family associated with APT37, capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. The exfiltrated data is sent via cloud platforms such as Dropbox, Google Cloud, pCloud, and Yandex Cloud.

Seqrite also detected a second campaign in which the LNK file acts as a conduit for a PowerShell script that drops a decoy Microsoft Word document and executes an obfuscated Windows batch script to deploy a dropper. This binary subsequently runs a next-stage payload to steal sensitive data while disguising its network traffic as a Chrome file upload. The lure document in this instance features a statement from Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers’ Party of Korea, dated July 28, which rejects Seoul’s reconciliation efforts.

The analysis underscores how APT37 continues to utilise highly tailored spear-phishing attacks, employing malicious LNK loaders, fileless PowerShell execution, and covert exfiltration methods, specifically targeting South Korean government sectors, research institutions, and academics for intelligence gathering and long-term espionage.
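Both campaigns described above start with a ZIP attachment carrying a Windows shortcut that poses as a document and, in the second case, launches PowerShell. The following triage script is an added example written for this article (it is not Seqrite's code and not derived from the campaign's samples): it opens a ZIP archive offline and flags entries that carry the ShellLink header, use a double extension such as `.pdf.lnk`, or embed references to common script hosts. The document-extension list and the list of suspect strings are assumptions chosen for illustration; the sample archive is constructed in memory so the script runs without any real attachment.

```python
"""Triage a ZIP attachment for Windows shortcut (LNK) files posing as documents.

Constructed example for this article; not Seqrite's or the campaign's code.
"""
import io
import zipfile

# A ShellLink file starts with HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Document extensions a shortcut commonly impersonates (assumed list).
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx")

# Script-host names whose presence inside a shortcut warrants a closer look (heuristic).
SUSPECT_STRINGS = (b"powershell", b"cmd.exe", b"mshta", b"rundll32")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with the ShellLink header."""
    return data.startswith(LNK_MAGIC)


def find_suspect_strings(data: bytes) -> list[str]:
    """Search for script-host names in both ASCII and UTF-16LE (LNK strings are often UTF-16)."""
    hits = []
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE text survives
    for s in SUSPECT_STRINGS:
        if s in lowered or s.decode().encode("utf-16-le") in lowered:
            hits.append(s.decode())
    return hits


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that looks like a disguised shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            data = zf.read(info)
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("shortcut extension")
                if lower[:-4].endswith(DOC_EXTENSIONS):
                    reasons.append("double extension mimics a document")
            if is_lnk(data):
                if not lower.endswith(".lnk"):
                    reasons.append("ShellLink header under a non-.lnk name")
                for hit in find_suspect_strings(data):
                    reasons.append(f"embedded reference to {hit}")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one disguised shortcut and one harmless text file."""
    lnk_body = LNK_MAGIC + b"\x00" * 40 + "powershell.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter Issue 52.pdf.lnk", lnk_body)  # constructed, mimics the lure naming
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['name']} ({f['size']} bytes): {', '.join(f['reasons'])}")
```

The header check matters more than the extension check: a mail gateway that only blocks `*.lnk` misses a shortcut renamed to `.pdf`, while Explorer will still treat a file with the ShellLink header as a shortcut. Running the triage on attachments before they reach a user's desktop, and alerting on any shortcut that references a script host, catches the entry point of both campaigns without needing the RokRAT payload itself.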