Cyber Security News

North Korean Hackers Use ZIP Files to Deploy Malicious PowerShell Scripts

North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics to breach systems, leveraging malicious ZIP files containing LNK files to initiate attacks.

These LNK files, often disguised as documents related to North Korean affairs or trade agreements, are distributed via phishing emails.

Once opened, they trigger a multi-stage attack involving PowerShell scripts and batch files, ultimately deploying the RokRat remote access Trojan (RAT) as the final payload.

Figure: Infection flow diagram

Infection Flow and Technical Details

The infection process begins with phishing emails that appear urgent, using real information taken from public websites to enhance their credibility.

These emails contain ZIP attachments with malicious LNK files.

When executed, the LNK file checks if it’s running from System32 or Program Files and moves to the %temp% directory if necessary.

It then extracts several payloads, including a decoy HWPX document, a batch script named shark.bat, and other files like caption.dat and elephant.dat.

Figure: Content of the decoy HWPX document

The shark.bat script executes PowerShell commands in a hidden window, loading and executing the elephant.dat script, which decrypts the caption.dat file using a single-byte XOR key.

This decrypted content is then executed in memory, leading to the deployment of the RokRat RAT.
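The single-byte XOR step described above (elephant.dat decrypting caption.dat before running it in memory) is something an analyst can undo offline without executing anything. The following is an added example, not code from the article or from the sample: it brute-forces all 256 single-byte XOR keys over a constructed blob and ranks candidates by printable content and by crib strings; the crib list, the sample text and the key 0xA7 are assumptions.

```python
"""Recover a single-byte XOR key from an encrypted stage such as caption.dat.

Added analyst tooling, not code from the article or from the malware: it
brute-forces all 256 keys and ranks the candidates by how text-like they are
and by cribs (strings an analyst expects in a decoded script or PE stage).
"""
import string

PRINTABLE = frozenset(string.printable.encode())

# Cribs are assumptions: strings commonly present in a decoded stage.
DEFAULT_CRIBS = (b"$env:", b"powershell", b"Invoke-", b"IEX",
                 b"This program cannot be run in DOS mode")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes, cribs=DEFAULT_CRIBS) -> float:
    """Printable fraction (0..1) plus the length of every crib found."""
    if not plain:
        return 0.0
    printable = sum(1 for b in plain if b in PRINTABLE) / len(plain)
    # Longer cribs weigh more: a 2-3 byte hit can occur by chance.
    return printable + sum(len(c) for c in cribs if c in plain)


def recover_xor_key(blob: bytes, cribs=DEFAULT_CRIBS) -> tuple[int, bytes]:
    """Return (key, plaintext) for the best-scoring of the 256 candidates."""
    best = (0.0, 0, b"")  # (score, key, plaintext)
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = score_candidate(plain, cribs)
        if score > best[0]:
            best = (score, key, plain)
    return best[1], best[2]


# Constructed sample standing in for caption.dat: a harmless PowerShell line
# XOR-ed with 0xA7. Not taken from the real sample.
SAMPLE_KEY = 0xA7
SAMPLE_PLAINTEXT = b'$env:COMPUTERNAME; Write-Host "constructed stand-in"'
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x} plaintext={plain.decode(errors='replace')!r}")
```

Against a real blob, add cribs you expect from the loader's behaviour and inspect the top few candidates rather than trusting the single best score.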

RokRat is designed to gather detailed system information, including OS version, computer name, and logged-in user details.

It also captures screenshots and enumerates running processes, exfiltrating this data to command-and-control (C2) servers via cloud services like pCloud, Yandex, and Dropbox.

The malware uses these platforms’ APIs to send, download, and delete files, embedding OAuth tokens for seamless communication.

Additionally, RokRat can execute remote commands, allowing attackers to perform data exfiltration, system reconnaissance, and process termination.

Anti-Analysis Techniques and C2 Communications

To evade detection, RokRat employs anti-analysis techniques such as detecting VMware Tools to identify virtual environments and using sandbox detection methods like creating and deleting temporary files.

According to the researchers, it also checks for debuggers using IsDebuggerPresent.

The malware encrypts its communications using XOR and RSA encryption, ensuring that only the attackers can decrypt the data.

Commands from the C2 server are received in AES-CBC encrypted form, decrypted locally, and executed on the system.

These commands can include data collection, file deletion, and termination of the malware process.

The use of legitimate cloud services for C2 operations allows RokRat to blend into normal network traffic, making it challenging to detect.

This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
