Cyber Security News

North Korean Hackers Use ZIP Files to Deploy Malicious PowerShell Scripts

North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics to breach systems, leveraging malicious ZIP files containing LNK files to initiate attacks.

These LNK files, often disguised as documents related to North Korean affairs or trade agreements, are distributed via phishing emails.

Once opened, they trigger a multi-stage attack involving PowerShell scripts and batch files, ultimately deploying the RokRat remote access Trojan (RAT) as the final payload.

Figure: Infection flow diagram

Infection Flow and Technical Details

The infection process begins with phishing emails that appear critical, using real information from websites to enhance their credibility.

These emails contain ZIP attachments with malicious LNK files.

When executed, the LNK file checks whether it is running from System32 or Program Files and moves to the %temp% directory if necessary.

It then extracts several payloads, including a decoy HWPX document, a batch script named shark.bat, and other files like caption.dat and elephant.dat.

Figure: Content of the decoy HWPX document

The shark.bat script executes PowerShell commands in a hidden window, loading and executing the elephant.dat script, which decrypts the caption.dat file using a single-byte XOR key.

This decrypted content is then executed in memory, leading to the deployment of the RokRat RAT.
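Because the second stage is protected only by a single-byte XOR key, an analyst can recover the plaintext offline by trying all 256 keys and scoring each candidate for script-like content, without ever executing the file. The following Python is an added analyst example, not code from the article or from the malware; the encrypted blob is constructed here (a PowerShell fragment XORed with a key chosen for the example), and the marker strings used for scoring are an assumption about what a decoded PowerShell stage tends to contain.

```python
"""Recover a single-byte XOR key from an encrypted script blob and check that the
plaintext looks like PowerShell. Added example, not the article's or the malware's
code; the sample blob below is constructed."""
import string

# Constructed stand-in for an encrypted second-stage file such as caption.dat.
# Assumption: the real file is not on the page, so a small PowerShell fragment is
# XORed with key 0x5A to produce the sample.
_PLAINTEXT = (
    b"$data = [System.IO.File]::ReadAllBytes($env:TEMP + '\\caption.dat')\n"
    b"$script = [System.Text.Encoding]::ASCII.GetString($data)\n"
    b"Invoke-Expression $script\n"
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in _PLAINTEXT)

# Tokens whose presence suggests a decoded PowerShell payload (assumed markers).
POWERSHELL_MARKERS = (b"[System.", b"Invoke-", b"$env:", b"ReadAllBytes")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = set(string.printable.encode())
    return sum(1 for b in data if b in ok) / len(data)


def score_candidate(plain: bytes) -> float:
    """Higher is more plausibly script text: printability plus marker hits."""
    hits = sum(1 for m in POWERSHELL_MARKERS if m in plain)
    return printable_ratio(plain) + hits


def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext, score) of the best."""
    best = None
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score_candidate(plain)
        if best is None or s > best[2]:
            best = (key, plain, s)
    return best


def looks_like_powershell(plain: bytes) -> bool:
    """Triage check: mostly printable and at least one PowerShell marker present."""
    return printable_ratio(plain) > 0.95 and any(m in plain for m in POWERSHELL_MARKERS)


if __name__ == "__main__":
    key, plain, score = recover_xor_key(SAMPLE_BLOB)
    print(f"best key: 0x{key:02x} score={score:.2f}")
    print(plain.decode("ascii", errors="replace"))
```

Running the script prints the recovered key (0x5a for the constructed sample) and the decoded fragment. The scoring deliberately combines printability with keyword hits, because a wrong key on ASCII input often still yields mostly printable bytes; the marker hits are what separate the true key from near misses.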

RokRat is designed to gather detailed system information, including OS version, computer name, and logged-in user details.

It also captures screenshots and enumerates running processes, exfiltrating this data to command-and-control (C2) servers via cloud services like pCloud, Yandex, and Dropbox.

The malware uses these platforms’ APIs to send, download, and delete files, embedding OAuth tokens for seamless communication.

Additionally, RokRat can execute remote commands, allowing attackers to perform data exfiltration, system reconnaissance, and process termination.

Anti-Analysis Techniques and C2 Communications

To evade detection, RokRat employs anti-analysis techniques such as detecting VMware Tools to identify virtual environments and using sandbox detection methods like creating and deleting temporary files.

According to the researchers, it also checks for debuggers using IsDebuggerPresent.

The malware encrypts its communications using XOR and RSA encryption, ensuring that only the attackers can decrypt the data.

Commands from the C2 server are received in AES-CBC encrypted form, decrypted locally, and executed on the system.

These commands can include data collection, file deletion, and termination of the malware process.

The use of legitimate cloud services for C2 operations allows RokRat to blend into normal network traffic, making it challenging to detect.
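Two observables from the chain described above still stand out even when the C2 destinations are legitimate cloud services: the batch file launching PowerShell with a hidden window against a file in the user's temp directory, and a non-browser process (here PowerShell itself) talking to a cloud storage API. The Python below is an added detection example, not code from the article or from any vendor; the Sysmon-style field names, the API hostnames and the sample events are all constructed or assumed and should be checked against your own telemetry.

```python
"""Detection logic for two observables from the infection chain, run over
constructed Sysmon-style events. Added example; field names, hostnames and
sample events are assumptions, not real logs from the campaign."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed API hostnames for the cloud storage services named in the article.
CLOUD_API_HOSTS = {
    "api.pcloud.com",
    "cloud-api.yandex.net",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
STORAGE_CLIENTS = {"dropbox.exe"}  # assumed legitimate sync client names


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:
    image: str
    dest_host: str


def _in_user_temp(text: str) -> bool:
    """True if a path under the user's temp directory appears in the text."""
    t = text.lower()
    return "\\appdata\\local\\temp\\" in t or "%temp%" in t


def is_hidden_powershell_from_temp(ev: ProcessEvent) -> bool:
    """Rule 1: cmd.exe (running a batch file) spawns powershell.exe with a
    hidden window and references a file in the user's temp directory."""
    cl = ev.command_line.lower()
    hidden = "-windowstyle hidden" in cl or "-w hidden" in cl
    return (
        ev.parent_image.lower().endswith("cmd.exe")
        and ev.image.lower().endswith("powershell.exe")
        and hidden
        and _in_user_temp(cl)
    )


def is_suspicious_cloud_api_use(ev: NetworkEvent) -> bool:
    """Rule 2: a process that is neither a browser nor a known sync client
    connects to a cloud storage API endpoint."""
    proc = ev.image.lower().rsplit("\\", 1)[-1]
    return ev.dest_host.lower() in CLOUD_API_HOSTS and proc not in (BROWSERS | STORAGE_CLIENTS)


def triage(process_events: List[ProcessEvent], network_events: List[NetworkEvent]) -> List[Tuple[str, str]]:
    """Apply both rules and return (rule_name, evidence) pairs."""
    alerts: List[Tuple[str, str]] = []
    for ev in process_events:
        if is_hidden_powershell_from_temp(ev):
            alerts.append(("hidden_powershell_from_temp", ev.command_line))
    for ev in network_events:
        if is_suspicious_cloud_api_use(ev):
            alerts.append(("cloud_api_from_unexpected_process", f"{ev.image} -> {ev.dest_host}"))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: one event per rule that should fire, plus benign noise.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r'powershell.exe -WindowStyle Hidden -Command "iex (gc C:\Users\u\AppData\Local\Temp\elephant.dat -Raw)"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(PS, "api.pcloud.com"),
    NetworkEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "api.dropboxapi.com"),
    NetworkEvent(r"C:\Program Files\Dropbox\Client\Dropbox.exe", "content.dropboxapi.com"),
    NetworkEvent(PS, "cloud-api.yandex.net"),
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"[{rule}] {evidence}")
```

On the constructed sample the triage yields three alerts: the hidden PowerShell launch and the two PowerShell connections to cloud APIs; the browser and the sync client are left alone. Rule 2 keys on the originating process rather than the destination, which is the point of the passage above: when the destination is a legitimate service, the process making the request is what remains anomalous.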

This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
