Operation HanKook Phantom: Spear-Phishing Campaign

Aug. 29, 2025, 3:49 p.m.

Description

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection chain. This includes fileless PowerShell execution, in-memory loading of encrypted payloads, and covert data exfiltration mechanisms. The campaign, dubbed Operation HanKook Phantom, demonstrates APT37's continued focus on intelligence gathering and long-term espionage against South Korean targets. The attackers leverage cloud services for command-and-control and employ various techniques to evade detection, highlighting the persistent threat posed by North Korean state-sponsored actors.

Date

  • Created: Aug. 29, 2025, 1:41 p.m.
  • Published: Aug. 29, 2025, 1:41 p.m.
  • Modified: Aug. 29, 2025, 3:49 p.m.

Attack Patterns

  • ROKRAT - S0240
  • APT37

Additional Information

  • Defense
  • Education
  • Government
  • British Indian Ocean Territory
  • Kuwait
  • Nepal
  • India
  • China
  • Japan
  • Romania
  • Russian Federation