North Korea’s APT37 deploys RokRAT in new phishing campaign against academics

Pierluigi Paganini September 01, 2025

ScarCruft (APT37) launches Operation HanKook Phantom, a phishing campaign using RokRAT to target academics, ex-officials, and researchers.

Cybersecurity firm Seqrite Labs uncovered a phishing campaign, dubbed Operation HanKook Phantom, conducted by the North Korea-linked group APT37 (aka Ricochet Chollima, ScarCruft, Reaper, and Group123).

Threat actors are using a fake “National Intelligence Research Society Newsletter – Issue 52” PDF and a disguised malicious LNK file. When executed, the LNK downloads a payload or executes commands, compromising the system.

The final-stage malware employed in this campaign is RokRAT, which is believed to be the handiwork of APT37.

“The malicious LNK file disguised as a newsletter triggers a multi-stage RokRAT infection. Embedded PowerShell extracts payloads, drops decoy PDFs, and executes batch scripts leading to fileless in-memory execution via XOR-decoded binaries. RokRAT fingerprints hosts and implements anti-VM features to avoid detection and analysis,” reads the report published by Seqrite Labs. “The malware captures screenshots and supports commands for remote execution, data theft, and malware control. The malicious code communicates with C2 servers through Dropbox, pCloud, and Yandex to exfiltrate data and deploy further payloads.”

The campaign aims at academics, ex-government officials, and researchers tied to the Association. The goals of the campaign are data theft, persistence, and espionage.

Seqrite uncovered a second ScarCruft campaign where a malicious LNK file drops a decoy Word doc and runs obfuscated scripts. These deploy a dropper that executes a payload to steal sensitive data, disguising traffic as Chrome uploads. The lure is a July 28 statement by Kim Yo Jong rejecting Seoul’s reconciliation efforts, used to trick targets into opening the malicious files.

“The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms. The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage,” concludes the report.

“Overall, Operation HanKook Phantom demonstrates the persistent threat posed by North Korean state-sponsored actors, reinforcing the need for proactive monitoring, advanced detection of LNK-based delivery, and vigilance against misuse of cloud services for command-and-control.”
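The detection the report calls for, LNK-based delivery in which the shortcut's own arguments launch PowerShell and the loader or decoy is carried inside the shortcut file, can be checked offline by parsing the shortcut. The following is an added example and not code from Seqrite's report: it reads the MS-SHLLINK header and StringData, flags PowerShell-related argument patterns, and measures data appended after the ExtraData terminal block; the regex list, the 64 KiB threshold, and the `build_lnk` sample generator are assumptions for illustration.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80          # LinkFlags bits
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]     # StringData order
SUSPICIOUS = [  # (regex over COMMAND_LINE_ARGUMENTS, finding); assumed patterns
    (r"powershell|pwsh", "arguments invoke PowerShell"),
    (r"-(w|windowstyle)\s+hidden|-nop\b|-noni\b|-ep\s+bypass", "hidden/unrestricted PowerShell flags"),
    (r"-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "base64-encoded command"),
    (r"\bget-content\b|\[io\.file\]|-bxor", "LNK reads itself / XOR-decodes embedded data"),
]

def parse_lnk(data):  # -> (flags, StringData dict, bytes trailing after ExtraData)
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                   # end of ShellLinkHeader
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: u16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, key in STRING_FLAGS:              # each: u16 char count + chars, no NUL
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2:off + 2 + n * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += 2 + n * width
    size = 4                                   # ExtraData blocks end with a size < 4
    while off + 4 <= len(data) and size >= 4:
        size = struct.unpack_from("<I", data, off)[0]
        off += max(size, 4)
    return flags, strings, max(0, len(data) - off)  # bytes past the TerminalBlock

def assess_lnk(data, payload_threshold=64 * 1024):  # empty list = nothing notable
    _, strings, trailing = parse_lnk(data)
    args = strings.get("arguments", "")
    findings = [why for pat, why in SUSPICIOUS if re.search(pat, args, re.I)]
    if trailing >= payload_threshold:          # decoy PDF / loader appended to the LNK
        findings.append(f"{trailing} bytes appended after ExtraData (embedded payload?)")
    return findings

def build_lnk(arguments, trailing=b""):  # constructed sample, not a real lure
    header = b"\x4c\x00\x00\x00" + LNK_CLSID + struct.pack("<I", 0x20 | IS_UNICODE)
    header += b"\x00" * (76 - len(header))     # attributes, timestamps, etc. left zero
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + trailing   # u32 0 = TerminalBlock
```

Run `assess_lnk` over shortcuts extracted from mail attachments or archives; a hit on both the argument patterns and the appended-data check is the combination this campaign's loader would present.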

ScarCruft has been active since at least 2012; it made headlines in early February 2018 when researchers revealed that the APT group had leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.
