APT37 Hackers Weaponize JPEG Files to Attack Windows Systems Leveraging “mspaint.exe” File

A sophisticated new wave of cyberattacks attributed to North Korea’s notorious APT37 (Reaper) group is leveraging advanced malware hidden within JPEG image files to compromise Microsoft Windows systems, signaling a dangerous evolution in evasion tactics and fileless attack techniques.

Security researchers at Genians Security Center (GSC) recently identified a new variant of the infamous RoKRAT malware used by APT37. Unlike previous versions, this variant employs an intricate two-stage shellcode injection process designed to hinder forensic analysis and bypass traditional security controls.

Of particular concern is the group’s use of steganography: malicious code is concealed within what appear to be innocuous image files, so file-based endpoint defenses that inspect only the image see nothing but a valid JPEG.

APT37’s Enhanced RoKRAT Malware Infection Process

The current campaign, observed primarily in South Korea, is distributed via compressed archives (e.g., “National Intelligence and Counterintelligence Manuscript.zip”) containing unusually large Windows shortcut (.lnk) files. The shortcuts are large because they embed several hidden components, including:

  • A legitimate decoy document.
  • Shellcode and script files.
  • PowerShell commands designed to decrypt and execute further payloads.

By exploiting user trust in seemingly routine files, especially those attached to emails or instant messages, APT37 maximizes the likelihood of successful compromise.

[Figure: Attack chain]

Once the shortcut is opened, this multi-stage chain runs a batch script that launches PowerShell. The PowerShell stage decodes an XOR-encrypted shellcode payload in memory and injects it into a trusted Windows process such as mspaint.exe or notepad.exe.

Because the decoded shellcode exists only in memory, the final stage leaves minimal traces on disk and evades signature-based antivirus and many heuristic solutions; the shortcut itself and the dropped batch and script files are the most durable on-disk artifacts left for forensic analysis.
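One way to turn the chain above into behavioural detection logic, as an added example that is not code from Genians’ report or from the campaign: it runs three rules over constructed Sysmon-style ProcessCreate (Event ID 1) and CreateRemoteThread (Event ID 8) records. The flat event layout, the PIDs, the command-line indicator strings and the stage.bat file name are assumptions for the demo, not values observed in the campaign.

```python
"""Behavioural detection for the injection chain described above:
.lnk -> cmd.exe (batch) -> powershell.exe (XOR decode) -> thread in mspaint.exe/notepad.exe.

Added example, not code from Genians or from the campaign. Events are constructed to
resemble Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread), flattened
into one dataclass; indicator strings, paths and PIDs are assumptions for the demo."""
from dataclasses import dataclass

# Host processes the article names as injection targets.
INJECTION_HOSTS = {"mspaint.exe", "notepad.exe"}
# Interpreters that should not normally be the parent of a GUI host process.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Command-line fragments typical of an in-memory decode stage (assumed indicators).
DECODE_INDICATORS = ("-bxor", "frombase64string", "-encodedcommand", " -enc ",
                     "-windowstyle hidden", "-w hidden")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


@dataclass
class Event:
    """Flat stand-in for a Sysmon record; only the fields the rules use."""
    event_id: int
    pid: int                   # ProcessId (ID 1) or SourceProcessId (ID 8)
    image: str                 # Image (ID 1) or SourceImage (ID 8)
    parent_pid: int = 0        # ParentProcessId (ID 1)
    parent_image: str = ""     # ParentImage (ID 1)
    command_line: str = ""     # CommandLine (ID 1)
    target_pid: int = 0        # TargetProcessId (ID 8)
    target_image: str = ""     # TargetImage (ID 8)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Run three rules over an event stream; return (rule, pid) alerts in firing order."""
    flagged_ps = set()   # PIDs of powershell.exe instances that tripped rule 1
    alerts = []
    for ev in events:
        if ev.event_id == 1:
            img, parent = basename(ev.image), basename(ev.parent_image)
            cl = " " + ev.command_line.lower() + " "
            # Rule 1: PowerShell started by a batch file and decoding something in memory.
            if (img == "powershell.exe" and parent == "cmd.exe"
                    and any(ind in cl for ind in DECODE_INDICATORS)):
                flagged_ps.add(ev.pid)
                alerts.append(("ps_decode_stage", ev.pid))
            # Rule 2: a GUI host process launched by a script interpreter, not the shell.
            if img in INJECTION_HOSTS and parent in SCRIPT_HOSTS:
                alerts.append(("host_spawned_by_script", ev.pid))
        elif ev.event_id == 8:
            # Rule 3: remote thread into a host process; escalate when the source
            # is a PowerShell instance already flagged by rule 1.
            if basename(ev.target_image) in INJECTION_HOSTS:
                rule = "injection_chain" if ev.pid in flagged_ps else "remote_thread_into_host"
                alerts.append((rule, ev.target_pid))
    return alerts


# Constructed sample: one benign Paint launch from the shell, then the malicious chain.
SAMPLE_EVENTS = [
    Event(1, 4100, r"C:\Windows\System32\mspaint.exe", 1200, r"C:\Windows\explorer.exe", "mspaint.exe"),
    Event(1, 5200, r"C:\Windows\System32\cmd.exe", 1200, r"C:\Windows\explorer.exe",
          r'cmd.exe /c "%TEMP%\stage.bat"'),
    Event(1, 5300, PS_PATH, 5200, r"C:\Windows\System32\cmd.exe",
          'powershell.exe -w hidden -c "$b=[Convert]::FromBase64String($d);$s=$b|%{$_ -bxor 0x5a}"'),
    Event(1, 5400, r"C:\Windows\System32\mspaint.exe", 5300, PS_PATH, "mspaint.exe"),
    Event(8, 5300, PS_PATH, target_pid=5400, target_image=r"C:\Windows\System32\mspaint.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<24} pid={pid}")
```

Sysmon Event ID 8 is raised only for CreateRemoteThread; an injector that uses QueueUserAPC or SetThreadContext to start its shellcode produces no such record, so rule 2 (a host process whose parent is a script interpreter) is the more robust signal and is worth keeping even where ID 8 telemetry is missing.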

In a major leap forward, the malware leverages steganography by embedding RoKRAT modules within JPEG files distributed via cloud storage providers like Dropbox and Yandex.

For example, “Father.jpg” contains valid image data, but careful analysis reveals encrypted shellcode concealed alongside standard photo content.

[Figure: malicious image]

The loader retrieves the JPEG, extracts the embedded data and, after a series of XOR decoding steps, recovers and executes the hidden RoKRAT payload in memory, bypassing file-based detection that only inspects the image itself.
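The page does not say where inside Father.jpg the encrypted data sits, so the added example below assumes the simplest placement, raw bytes appended after the JPEG End-Of-Image marker, and a single-byte XOR key with a known payload prefix; it is not Genians’ or RoKRAT’s code, and the sample image and payload are constructed. It walks the JPEG segment structure rather than searching for the first FF D9, because an EXIF thumbnail embedded in an APP1 segment carries its own EOI and would stop a naive search early.

```python
"""Scan a JPEG for data hidden after the End-Of-Image marker and try to recover an
XOR-encoded payload. Added example; the minimal sample image, the single-byte key and
the 'MZ' prefix are assumptions, not Father.jpg or RoKRAT's real encoding scheme."""
from typing import Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # restart markers, legal inside scan data
STANDALONE = {0x01, *RST}             # markers that carry no length field


def find_eoi(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments (so an EOI inside an
    APPn thumbnail is not mistaken for the real one). Raises ValueError if not a JPEG
    or if the file is truncated before EOI."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows: skip until a marker that is neither
            # byte stuffing (FF 00) nor a restart marker (FF D0..D7).
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image proper; a clean JPEG returns b''."""
    return data[find_eoi(data):]


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def guess_single_byte_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force a 1-byte key assuming the plaintext starts with known_prefix.
    A 2-byte prefix leaves roughly a 1/256 chance of a false hit on random data."""
    for k in range(256):
        if xor_bytes(blob[:len(known_prefix)], bytes([k])) == known_prefix:
            return k
    return None


def analyse(data: bytes, known_prefix: bytes = b"MZ") -> dict:
    tail = trailing_data(data)
    result = {"trailing_bytes": len(tail), "key": None, "decoded_prefix": b""}
    if tail:
        key = guess_single_byte_key(tail, known_prefix)
        if key is not None:
            result["key"] = key
            result["decoded_prefix"] = xor_bytes(tail, bytes([key]))[:16]
    return result


def build_sample_jpeg(payload: bytes, key: int) -> bytes:
    """Constructed, structurally valid JPEG (SOI, APP0, SOS, a few scan bytes, EOI)
    with an XOR-encoded payload appended after EOI."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"     # contains FF 00 stuffing and an RST0 marker
    return bytes([0xFF, SOI]) + app0 + sos + scan + bytes([0xFF, EOI]) + xor_bytes(payload, bytes([key]))


SAMPLE_KEY = 0x5A
SAMPLE_PAYLOAD = b"MZ" + bytes(range(8)) + b"constructed stage"
SAMPLE_JPEG = build_sample_jpeg(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    print(analyse(SAMPLE_JPEG))
```

The single-byte brute force is only a starting point: the article describes a series of XOR decoding steps, so a real sample may need the loader’s own key schedule, and shellcode rarely starts with a predictable prefix the way a PE does. The structural walk, however, applies to any JPEG and is the part worth keeping in a triage pipeline, since trailing bytes after a correctly located EOI are never needed to render the image.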

RoKRAT continues to exfiltrate documents, screenshots, and session data from infected endpoints by abusing legitimate cloud APIs for C2 communication.

The use of genuine cloud tokens and registered accounts further muddies attribution and frustrates defenders seeking suspicious traffic patterns.

[Figure: mspaint file]

APT37’s technical agility is seen in its switching of injection targets (from mspaint.exe to notepad.exe as Windows evolves) and the careful camouflage of developer artifacts like PDB paths and toolchain names (e.g., “InjectShellcode” and “Weapon”).

Cloud accounts attributed to the attackers are linked to Yandex email addresses and pseudonymous social media profiles, complicating tracking efforts.

This campaign highlights the growing necessity for security teams to implement advanced Endpoint Detection and Response (EDR) solutions focused on behavioral monitoring rather than relying on signatures or static rules.

Regular user awareness training, strict endpoint management, and proactive monitoring of cloud service traffic are now essential arms in the fight against state-sponsored threats.

Genians’ report underscores that as threat actors refine their techniques, especially via steganography and fileless methods, proactive, adaptive defense strategies must keep pace to mitigate these evolving risks.
