The North Korea-linked APT37 threat group has launched a sophisticated spear phishing campaign targeting South Korean activists and researchers focused on North Korean affairs, employing deceptive academic forum invitations to distribute malicious shortcut files through cloud-based infrastructure.
The campaign, which began in March 2025, represents a significant evolution in the group’s tactics, leveraging legitimate cloud services to bypass traditional security measures while maintaining operational security.
The attackers crafted convincing emails masquerading as invitations from a South Korean national security think tank, specifically referencing an actual academic event titled “Trump 2.0 Era: Prospects and South Korea Response” to enhance credibility and increase the likelihood of victim engagement.
These carefully constructed lures demonstrate APT37’s deep understanding of their target audience’s interests and the geopolitical landscape surrounding Korean peninsula affairs.
Genians Security Center analysts identified this campaign and designated it “Operation ToyBox Story” based on the distinctive characteristics of the malware payload, which contained embedded references to “toy” keywords throughout its execution chain.
The researchers noted that this campaign represents a continued evolution of APT37’s fileless attack methodologies, designed to evade traditional endpoint detection systems.
The threat actors utilized Dropbox as their primary delivery mechanism, distributing compressed archives containing malicious LNK shortcut files through the cloud platform’s sharing functionality.
This approach allows the attackers to leverage trusted infrastructure while maintaining plausible deniability, as Dropbox links appear legitimate to both security systems and end users.
The campaign employed multiple variations of social engineering themes, including documents purporting to contain information about North Korean troops deployed to Russia and conference materials related to national security strategy.
The malicious LNK files serve as the primary infection vector, containing embedded PowerShell commands that initiate a complex multi-stage payload deployment process.
When executed, the shortcut files trigger a sophisticated command sequence that creates multiple temporary files while simultaneously displaying a decoy document to maintain the illusion of legitimacy.
The embedded command structure demonstrates advanced obfuscation techniques, with the malware breaking file extensions into separate character components and reconstructing them at runtime to evade static analysis.
The PowerShell command embedded within the LNK file follows this pattern:
$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'
This technique fragments the “.bat” extension using string concatenation to bypass signature-based detection systems.
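The detection-side answer to this trick is to undo the concatenation before matching. The following Python is an added example written for this article, not code from Genians or from the campaign: it joins runs of single-quoted PowerShell literals glued together with `+` and reports any script or executable extension that only becomes visible after the join. The sample command is constructed from the pattern quoted above; the list of extensions and the helper names are assumptions chosen for illustration, and the example generalizes beyond `.bat` to the other extensions in the list. It deliberately handles only single-quoted literals and `+`; PowerShell also offers double-quoted strings, `-join`, the `-f` format operator and `[char]` casts, so treat this as one normalization pass in a pipeline rather than a complete deobfuscator.

```python
import re

# One single-quoted PowerShell literal; a doubled quote '' inside it is an escaped quote.
LITERAL = r"'((?:[^']|'')*)'"
# A run of two or more such literals joined with '+', e.g. 'toy0'+'3.b'+'a'+'t'
CONCAT_RUN = re.compile(rf"{LITERAL}(?:\s*\+\s*{LITERAL})+")

# Extensions an analyst would not expect to find hidden behind string concatenation
# (assumed list for illustration; extend to taste).
SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta|exe|dll)\b", re.IGNORECASE)

# Constructed sample modelled on the command quoted in the article.
SAMPLE_COMMAND = "$executePath = $env:temp+'\\'+'toy0'+'3.b'+'a'+'t'"


def defragment(command: str) -> str:
    """Collapse every run of '+'-joined single-quoted literals into one literal."""
    def join(match: re.Match) -> str:
        parts = re.findall(LITERAL, match.group(0))
        text = "".join(p.replace("''", "'") for p in parts)
        return "'" + text.replace("'", "''") + "'"
    return CONCAT_RUN.sub(join, command)


def hidden_extensions(command: str) -> list[str]:
    """Extensions that appear only after the fragments are joined back together."""
    before = {e.lower() for e in SCRIPT_EXT.findall(command)}
    after = {e.lower() for e in SCRIPT_EXT.findall(defragment(command))}
    return sorted(after - before)


if __name__ == "__main__":
    print(defragment(SAMPLE_COMMAND))
    print("extensions hidden by concatenation:", hidden_extensions(SAMPLE_COMMAND))
```

A non-empty result from `hidden_extensions` is itself a useful signal: a benign script rarely has a reason to assemble `.bat` or `.ps1` one character at a time, so the fact that an extension was hidden can be scored independently of which extension it was.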
The infection process creates three distinct files in the temporary directory: toy01.dat (containing shellcode), toy02.dat (PowerShell script), and toy03.bat (batch execution file).
The shellcode transformation process employs XOR encryption with a simple key value of 0x31 (ASCII character ‘1’), allowing for straightforward decryption while maintaining basic obfuscation.
The PowerShell script responsible for this transformation loads the encrypted shellcode into memory, applies the XOR operation, and then utilizes Windows API calls including GlobalAlloc, VirtualProtect, and CreateThread to establish an executable memory region and launch the payload.
The final payload, identified as RoKRAT malware, establishes persistence through cloud-based command and control infrastructure utilizing multiple services including api.dropboxapi.com, api.pcloud.com, and cloud-api.yandex.net.
The malware employs authentication tokens linked to Russian Yandex email accounts, including [email protected] and [email protected], demonstrating the international scope of the threat actor’s infrastructure.
This multi-layered approach enables APT37 to maintain operational flexibility while complicating attribution efforts and reducing the likelihood of infrastructure disruption.