APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear-phishing campaign targeting activists focused on North Korean issues.

Named “Operation: ToyBox Story” by Genians Security Center (GSC), this campaign exploited legitimate cloud services, primarily Dropbox, as command-and-control (C2) infrastructure to evade detection.

The attackers delivered malicious shortcut (LNK) files disguised as legitimate documents via phishing emails, luring victims with tailored content related to North Korean troop deployments in Russia and a fictitious national security conference hosted by a South Korean think tank.

Figure: Malicious LNK File Structure

These emails contained Dropbox links to ZIP archives that, when extracted, executed malicious payloads, including the notorious RoKRAT malware, designed for data exfiltration and system reconnaissance.

Campaign Targets North Korea Activists

The technical sophistication of APT37’s attack lies in its use of fileless techniques: the weaponized LNK files execute hidden PowerShell commands, so little of the malicious logic is ever written to disk where it could be detected.

Figure: Flowchart of the APT37 Attack

Upon execution, these LNK files trigger a multi-stage infection process, creating temporary files in the %Temp% directory and deploying decoy documents to maintain the illusion of legitimacy.
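As an added illustration, not code from the Genians report or from the campaign itself, the following Python script parses a shortcut file according to the public MS-SHLLINK layout and flags the traits described above: a PowerShell target, hidden or encoded switches in the arguments, a ShowCommand that keeps the window out of sight, oversized arguments, and data appended after the file's terminal block. The sample shortcut it builds is a constructed fixture with placeholder arguments, not a real sample from the campaign.

```python
import struct

LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight
HIDDEN_SWITCHES = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand", "-nop", "-ep bypass")

def parse_lnk(data: bytes) -> dict:
    """Walk the shell link layout far enough to recover StringData and any appended overlay."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    flags, show_cmd = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 76                                       # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                         # LinkTargetIDList: 2-byte IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                       # LinkInfo: LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, unicode = {"show_command": show_cmd}, bool(flags & IS_UNICODE)
    for bit, key in STRING_FIELDS:                 # StringData: CountCharacters + chars, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + (count * 2 if unicode else count)]
            fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + len(raw)
    while pos + 4 <= len(data):                    # ExtraData blocks end with a TerminalBlock (<4)
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        pos += size
    fields["overlay_bytes"] = len(data) - pos      # anything after the TerminalBlock is overlay
    return fields

def triage(f: dict) -> list:
    args = f.get("arguments", "")
    target = (f.get("relative_path", "") + " " + args).lower()
    checks = [  # heuristics matching the LNK tradecraft described in the article
        ("powershell" in target or "pwsh" in target, "target launches PowerShell"),
        (any(s in args.lower() for s in HIDDEN_SWITCHES), "hidden/encoded PowerShell switches"),
        (f["show_command"] == SW_SHOWMINNOACTIVE, "ShowCommand hides the console window"),
        (len(args) > 260, f"oversized arguments ({len(args)} chars)"),
        (f["overlay_bytes"] > 0, f"{f['overlay_bytes']} bytes of overlay after TerminalBlock"),
    ]
    return [msg for hit, msg in checks if hit]

def build_lnk(name, relative_path, arguments, show_cmd=SW_SHOWMINNOACTIVE, overlay=b""):  # constructed fixture
    header = LNK_MAGIC + struct.pack("<IIQQQIIIH", 0x04 | 0x08 | 0x20 | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, show_cmd, 0) + b"\0" * 10
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (name, relative_path, arguments))
    return header + strings + struct.pack("<I", 0) + overlay
```

Run `triage(parse_lnk(open(path, "rb").read()))` over a quarantined attachment to get the list of findings; an empty list means none of the heuristics fired, not that the file is safe.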

The payload, identified as RoKRAT, exhibits advanced behavior, including system information collection (such as OS build version, device name, and BIOS details), real-time screenshot capture saved as hexadecimal-named temporary files, and encrypted data exfiltration to cloud-based C2 servers like Dropbox, pCloud, and Yandex.

RoKRAT Payload Analysis

The malware encrypts collected data using a combination of XOR obfuscation, AES-CBC-128, and RSA-encrypted keys, so the exfiltrated data is protected in transit to its C2 endpoints.

Notably, Dropbox access tokens linked to Russian Yandex email accounts were used for authentication, highlighting APT37’s reliance on “Living off Trusted Sites” (LoTS) tactics to mask their operations.

The malware’s ability to execute dynamic code in memory further complicates detection by traditional antivirus solutions. This emphasizes the need for Endpoint Detection and Response (EDR) systems with anomaly hunting capabilities, as demonstrated by Genian EDR’s real-time threat identification and detailed process tracking.

This campaign underscores APT37’s persistent use of RoKRAT, with code similarities to prior attacks like the February 2025 K-Messenger HWP document distribution, as confirmed by static analysis tools like Capa.

The group’s infrastructure also reveals consistent patterns, including the use of VPN services like NordVPN and AstrillVPN to obfuscate their origins.

GSC’s investigation, supported by HUMINT and international intelligence-sharing, identified multiple email accounts tied to the threat actor, some potentially linked to impersonated LinkedIn profiles.

Organizations are urged to bolster defenses by monitoring endpoint activity, avoiding execution of unknown LNK files, and leveraging advanced EDR solutions to detect fileless threats and malicious cloud API interactions mapped to the MITRE ATT&CK framework.

Indicators of Compromise (IoC)

Type            Value
MD5 Hashes      81c08366ea7fc0f933f368b120104384, 723f80d1843315717bc56e9e58e89be5, etc.
C2 IPs          89.147.101.65, 89.147.101.71, 37.120.210.2
Email Accounts  rolf.gehrung@yandex.com, ekta.sahasi@yandex.com, tanessha.samuel@gmail.com, etc.
