A large-scale spear-phishing campaign targeting South Korean government and intelligence staff has exploited a national intelligence newsletter to lure victims.
In a new report published on August 29, cybersecurity firm Seqrite revealed that APT37, a nation-state hacking group believed to be backed by North Korea, was behind a large-scale spear-phishing campaign.
The effort, dubbed Operation HanKook Phantom, involved two campaigns during which APT37 weaponized documents of interest to South Korean government officials and intelligence officers.
Spear Phishing with Seoul Intelligence Lure
The first campaign leveraged ‘National Intelligence Research Society Newsletter – Issue 52’ (‘국가정보연구회 소식지 (52호)’ in Korean) as a decoy document to lure victims.
The National Intelligence Research Society Newsletter is a monthly or periodic internal newsletter issued by the National Intelligence Research Association, a South Korean research group.
It provides members with an overview of the latest and upcoming seminars, research initiatives and organizational developments. It also highlights ongoing discussions on national security, labor dynamics, current geopolitical shifts, technological advancements (e.g. AI) and North-South Korea relations.
According to the Seqrite researchers, the attackers are distributing this legitimate-looking PDF along with a malicious LNK (Windows shortcut) file named 국가정보연구회 소식지(52호).pdf.
Once the LNK file is executed, it triggers the download of a payload or command execution, enabling the attacker to compromise the system.
The intrusion chain includes several methods to obfuscate the malicious payload and evade detection, including in-memory execution, disguised decoys and hidden data exfiltration routines.
Upon analyzing the attack chain, Seqrite researchers found that the payload delivers RokRAT, a backdoor commonly distributed as an encoded binary file that is downloaded and decrypted by shellcode following the exploitation of weaponized documents.
APT37 has been observed delivering RokRAT in previous campaigns.
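The first campaign's delivery trick is a Windows shortcut carrying a document-style name, so that a user who sees "….pdf" double-clicks a LNK. The script below is an added example, not code from the Seqrite report, showing how a defender can triage files by content rather than by the name shown in Explorer: it checks the ShellLink header magic (HeaderSize 0x4C plus the fixed LinkCLSID), reads the LinkFlags field to report whether the shortcut carries command-line arguments, and flags shortcuts whose name ends in a document extension before the .lnk. The sample files, the `_build_lnk` helper and the hypothetical filename of the decoy are constructed here for the demonstration.

```python
import struct

# ShellLinkHeader starts with HeaderSize 0x0000004C and the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK). Checking these bytes
# identifies a shortcut regardless of what the filename claims.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
LINK_FLAGS_OFFSET = 20          # 4-byte little-endian LinkFlags follows the CLSID
HAS_ARGUMENTS = 0x20            # LinkFlags bit: shortcut carries a command line
HAS_ICON_LOCATION = 0x40        # LinkFlags bit: custom icon (often a PDF/Word icon)
DOC_EXTENSIONS = {"pdf", "doc", "docx", "hwp", "xls", "xlsx", "ppt", "pptx", "txt"}


def is_shell_link(data: bytes) -> bool:
    """True if the file starts with a ShellLink header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def link_flags(data: bytes) -> int:
    """LinkFlags from the header, or 0 if the buffer is too short."""
    if len(data) < LINK_FLAGS_OFFSET + 4:
        return 0
    return struct.unpack_from("<I", data, LINK_FLAGS_OFFSET)[0]


def inspect_file(name: str, data: bytes) -> dict:
    """Classify one file by content and by the extension chain in its name."""
    lnk = is_shell_link(data)
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    flags = link_flags(data) if lnk else 0
    return {
        "is_lnk": lnk,
        # A shortcut named like a document (report.pdf.lnk), or a shortcut
        # without a .lnk extension at all, is pretending to be something else.
        "masquerading": lnk and (ext != "lnk" or inner in DOC_EXTENSIONS),
        "has_arguments": bool(flags & HAS_ARGUMENTS),
        "has_icon_location": bool(flags & HAS_ICON_LOCATION),
    }


def scan(files: dict) -> dict:
    """Inspect a mapping of filename -> bytes and return findings per file."""
    return {name: inspect_file(name, data) for name, data in files.items()}


def _build_lnk(flags: int) -> bytes:
    # Constructed 76-byte ShellLinkHeader with only magic and LinkFlags set.
    return LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (76 - len(LNK_MAGIC) - 4)


# Constructed sample set: a decoy shortcut carrying the newsletter name, the
# real PDF, and an ordinary shortcut with no arguments.
SAMPLE_FILES = {
    "국가정보연구회 소식지(52호).pdf.lnk": _build_lnk(HAS_ARGUMENTS | HAS_ICON_LOCATION),
    "국가정보연구회 소식지(52호).pdf": b"%PDF-1.7\n%constructed sample\n",
    "shortcut.lnk": _build_lnk(0x01),
}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_FILES).items():
        print(name, result)
```

On a real host the same `inspect_file` can be run over attachments extracted from mail or over files in a user's Downloads folder; Explorer hides the `.lnk` suffix by default, which is exactly why the check keys on header bytes rather than on the displayed name.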
The primary targets of this spear-phishing campaign include recipients of the newsletter, who are typically members of one or several of the following South Korean institutions:
- National Intelligence Research Association
- Kwangwoon University
- Korea University
- Institute for National Security Strategy
- Central Labor Economic Research Institute
- Energy Security and Environment Association
- National Salvation Spirit Promotion Association
- Yangjihoe (Host of Memorial Conference)
- Korea Integration Strategy
Spear Phishing with North Korean Official Communication Lure
The second campaign used a July 28 statement issued by Kim Yō-jong, Vice Department Director of the Central Committee of the Workers’ Party of North Korea and sister of North Korea's Supreme Leader, Kim Jong-un, as a decoy.
According to reports by the Pyongyang-based Korean Central News Agency (KCNA), this statement indicates North Korea’s rejection of any reconciliation efforts from South Korea, the Seqrite report noted.
“It strongly criticizes the South’s attempts to improve inter-Korean relations, labelling them as meaningless or hypocritical,” the Seqrite researchers continued.
The document also mentioned that North Korea flatly rejects any future dialogue or cooperation with South Korea, declaring an end to reconciliation efforts and adopting a hostile, confrontation-based stance moving forward.
This attack chain mirrors the first campaign, starting with a malicious LNK file that drops a decoy while deploying obfuscated components (tony33.bat, tony32.dat, tony31.dat) to %TEMP%.
The LNK self-deletes, then the batch script triggers a fileless attack: tony32.dat decodes in memory, XOR-decrypts tony31.dat (key 0x37), and injects it via API calls (VirtualAlloc+CreateThread).
The dropper fetches a secondary payload (abs.tmp) from a command-and-control (C2) server via spoofed HTTP requests, executes it via PowerShell (-EncodedCommand) and deletes traces.
Simultaneously, it exfiltrates %TEMP% files via disguised POST requests (mimicking PDF uploads) before deletion, using LOLBins, memory execution, and traffic blending to evade detection.
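The second chain leaves several host and network observables: the three staged files and abs.tmp landing in %TEMP%, cmd.exe running a batch file from that directory, PowerShell launched with -EncodedCommand, and POST requests dressed up as PDF uploads. The script below is an added example, not part of the Seqrite report, that runs such checks over constructed telemetry records (in the shape of process-creation, file-creation and HTTP events) and decodes the -EncodedCommand argument so an analyst sees the command in clear. The event schema, field names, and the `_ps_encode` helper are assumptions made for the demonstration; the artifact names and the XOR key are those given in the article.

```python
import base64
import re

# Artifact names and staging directory reported for the second campaign.
STAGED_ARTIFACTS = {"tony33.bat", "tony32.dat", "tony31.dat", "abs.tmp"}
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# -EncodedCommand plus the abbreviated spellings PowerShell accepts (-e, -ec, -enc).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of a UTF-16LE string; return it or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict) -> list:
    """Return finding strings for one telemetry event (empty list if clean)."""
    findings = []
    kind = ev.get("kind")
    if kind == "file_create":
        path = ev.get("path", "")
        if TEMP_DIR.search(path) and basename(path) in STAGED_ARTIFACTS:
            findings.append(f"known HanKook Phantom artifact staged in %TEMP%: {basename(path)}")
    elif kind == "process":
        image = basename(ev.get("image", ""))
        cmdline = ev.get("cmdline", "")
        if image == "cmd.exe" and TEMP_DIR.search(cmdline) and ".bat" in cmdline.lower():
            findings.append("cmd.exe running a batch file from %TEMP%")
        if image == "powershell.exe":
            m = ENCODED_FLAG.search(cmdline)
            if m:
                decoded = decode_encoded_command(m.group(1))
                findings.append(f"powershell -EncodedCommand, decoded: {decoded!r}")
    elif kind == "http":
        # Traffic blending: an upload declared as a PDF whose body lacks the %PDF- magic.
        if (ev.get("method") == "POST"
                and ev.get("content_type", "").lower().startswith("application/pdf")
                and not ev.get("body_prefix", "").startswith("%PDF-")):
            findings.append("POST declared as PDF upload but body is not a PDF")
    return findings


def triage(events) -> dict:
    """Map event id -> findings for every event that produced at least one."""
    return {ev["id"]: f for ev in events if (f := triage_event(ev))}


def _ps_encode(script: str) -> str:
    # Helper used only to build the constructed sample below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry: events 1-4 mirror the chain described above,
# events 5-6 are benign activity that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "file_create", "path": r"C:\Users\kim\AppData\Local\Temp\tony33.bat"},
    {"id": 2, "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\kim\AppData\Local\Temp\tony33.bat"'},
    {"id": 3, "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _ps_encode("Write-Output stage2")},
    {"id": 4, "kind": "http", "method": "POST", "url": "http://c2.invalid/upload",
     "content_type": "application/pdf", "body_prefix": "DATA"},
    {"id": 5, "kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"id": 6, "kind": "http", "method": "POST", "url": "https://intranet.invalid/upload",
     "content_type": "application/pdf", "body_prefix": "%PDF-1.7"},
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Each rule on its own is noisy (administrators do use -EncodedCommand, and batch files do run from %TEMP%); the value is in correlating them on one host within a short window, which is what the per-event findings feed into. The %PDF- check only works where the proxy or EDR records the first body bytes of outbound uploads.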
Targets for this second campaign included:
- Lee Jae-myung administration (South Korean government cabinet)
- Ministry of Unification
- U.S.–South Korea Military Alliance
- Asia-Pacific Economic Cooperation (APEC)
APT37 Uses Highly Tailored Spear-Phishing Attacks
Seqrite named the combined campaigns ‘Operation HanKook Phantom’ after ‘HanKook,’ a Korean word generally used to refer to South Korea, and ‘Phantom,’ which represents the stealthy and evasive techniques used throughout the infection chain.
APT37 is a cyber espionage group known under many names, including InkySquid, ScarCruft, Reaper, Group123, RedEyes and Ricochet Chollima.
The group has been active since at least 2012 and is believed to be associated with the North Korean regime.
Its primary focus is the South Korean public and private sectors; its recent spear-phishing campaigns have used lures built around documents about North Korean soldiers supporting Russia in the war in Ukraine.
In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East and to a broader range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare organizations.
“The analysis of [the Operation HanKook Phantom] campaign highlights how APT37 continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms,” the Seqrite researchers concluded.