Chollima APT Hackers Weaponize LNK Files to Deploy Sophisticated Malware


In March 2025, the Ricochet Chollima APT group, widely recognized as APT37 and linked to North Korean state-sponsored operations, launched a targeted spear-phishing campaign against activists focused on North Korean affairs.

The threat actors initiated the attack chain via spear-phishing emails impersonating a North Korea-focused security expert based in South Korea.

The emails referenced legitimate topics, including North Korean troops deployed to Russia and a national security conference hosted by a South Korean think tank, to establish credibility.

The attack, dubbed “Operation: ToyBox Story” by Genians Security Center (GSC), reveals sophisticated techniques combining LNK file exploitation with fileless malware execution to evade traditional security solutions.

The malicious emails contained Dropbox links redirecting victims to compressed ZIP archives containing weaponized LNK shortcut files.

Multi-Stage Delivery Mechanism

The attack employed a carefully orchestrated delivery technique. The first documented case occurred on March 8, 2025, with an email titled “To North Korean Soldiers Deployed to the Russian Battlefield.hwp.”

The attachment mimicked a legitimate Hangul (HWP) document by leveraging the HWP icon associated with Naver Mail, increasing the likelihood of victim interaction. However, the embedded link redirected to Dropbox rather than delivering the claimed document.

Upon extraction, victims discovered a ZIP archive containing a malicious LNK file sharing the same name as the archive, differing only in file extension.

Figure: the second-stage malicious shortcut (Source: Medium).

A secondary campaign variant on March 11, 2025, used a “Related Poster.zip” archive containing both a benign JPG image and a malicious LNK shortcut file to maintain deceptive appearances.

The LNK file serves as the attack’s critical component, embedding hidden PowerShell commands designed to execute automatically upon activation.

When triggered, the shortcut launches a multi-stage payload delivery process. The embedded commands create three temporary files in the %Temp% directory and execute a BAT batch file while displaying a decoy HWP document to the user.

The execution sequence involves loading “toy02.dat” as a loader, which then loads “toy01.dat” from the temporary folder. These files contain XOR-transformed data that, when decoded, is injected into memory as executable shellcode.


Figure: the fourth stage, Toy.bat and shellcode (Source: Medium).

This fileless technique enables runtime malware injection and dynamic code execution without writing malicious binaries to disk, effectively bypassing signature-based endpoint detection systems.
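The shortcut described above is detectable before it is ever double-clicked: the target path, the command-line arguments and the icon location all live in the LNK file's StringData section and can be read statically. The following Python script is an added example written for this article, not code from the report or from Genians; it parses the Shell Link header and StringData fields per the MS-SHLLINK layout and flags the combination the campaign relies on (a document-style icon on a shortcut that launches a hidden script host and stages a .bat in %Temp%). The sample .lnk bytes, the regular expressions and the Hangul viewer path used for the icon are constructed for illustration and are not artefacts from the campaign.

```python
"""Static triage of a Windows .lnk (Shell Link) file.
Added example: flags shortcuts whose icon claims to be a document while the
target runs a script host with hidden arguments.  Sample bytes are constructed."""
from __future__ import annotations
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) order
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Heuristics (assumed indicators, not from the report): script hosts, hidden-execution
# switches, staging in %Temp% or running a .bat, and a document-viewer icon.
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b", re.I)
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?|ep\s+bypass)", re.I)
TEMP_DROP = re.compile(r"%temp%|\$env:temp|\btemp\\|\.bat\b|\.dat\b", re.I)
DOC_ICON = re.compile(r"hwp|hword|winword|acrord|\.(doc|docx|pdf)$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (name, relative_path, working_dir, arguments, icon_location)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the LinkTargetIDList block
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip the LinkInfo block
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, off)   # CountCharacters, not bytes
            off += 2
            if flags & IS_UNICODE:
                fields[key] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                fields[key] = data[off:off + count].decode("cp1252")
                off += count
    return fields


def triage(fields: dict) -> list[str]:
    """Return human-readable findings for the parsed shortcut; empty list means nothing suspicious."""
    findings = []
    target = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    args = fields.get("arguments", "")
    host = bool(SCRIPT_HOSTS.search(target))
    if host:
        findings.append("target invokes a script host")
    if HIDDEN_FLAGS.search(args):
        findings.append("hidden or encoded execution switches")
    if TEMP_DROP.search(args):
        findings.append("stages files in %Temp% or runs a .bat/.dat")
    if host and DOC_ICON.search(fields.get("icon_location", "")):
        findings.append("document-viewer icon on a script-host shortcut (icon spoofing)")
    if len(args) > 512:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    return findings


def triage_bytes(data: bytes) -> list[str]:
    return triage(parse_lnk(data))


def build_lnk(relative_path: str, arguments: str, icon_location: str, unicode: bool = True) -> bytes:
    """Construct a minimal .lnk (header + three StringData fields) for testing the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3  -> exactly 0x4C bytes
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments, icon_location):   # spec order: path, args, icon
        body += struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))
    return header + body


# Constructed samples: one mimicking the described shortcut, one ordinary shortcut.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-windowstyle hidden -nop -c "& $env:Temp\\Toy.bat"',
    r"C:\Program Files\Hnc\HwpViewer.exe",          # placeholder viewer path, assumed
)
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "", r"%SystemRoot%\system32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob), triage_bytes(blob))
```

Running the script on a real archive attachment means reading the .lnk bytes and calling `triage_bytes`; a non-empty findings list on a shortcut that arrived by email is a strong quarantine signal regardless of what the icon shows.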

RoKRAT Payload and C2 Communication

The final payload deploys the RoKRAT remote access trojan, which collects extensive system information, including Windows OS build version, computer name, user credentials, BIOS version, and system manufacturer.

RoKRAT captures real-time screenshots and exfiltrates data through encrypted channels using AES-CBC-128 encryption, with AES keys further secured via RSA encryption.

Figure: Dropbox account used for command and control (Source: Medium).

Most notably, the malware leverages Dropbox as a command-and-control server, using cloud API services to hide malicious traffic among legitimate Dropbox communications.

This “Living off Trusted Sites” (LoTS) technique complicates detection by security teams analyzing network traffic.

Organizations should prohibit LNK file execution from email attachments and implement endpoint detection and response (EDR) solutions capable of monitoring fileless attacks through behavioral anomaly detection.
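The behavioural detection the previous paragraph calls for can be expressed as a few correlated rules over process-creation and network telemetry: a script host spawned by Explorer with hidden switches, a .bat executed from %Temp% in the same tree, and a Dropbox API connection from a process in that tree that is neither the Dropbox client nor a browser (the "Living off Trusted Sites" case from the section above). The Python below is an added example written for this article, not a detection from GSC or any EDR vendor; the Sysmon-like events, process names and host names are constructed for illustration, and the allow-list of legitimate Dropbox talkers is an assumption to be replaced with an organisation's own baseline.

```python
"""Behavioural correlation for the chain described in the report.
Added example with constructed telemetry; not data from the campaign."""
from __future__ import annotations
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Assumed baseline of processes expected to reach the Dropbox API on this estate.
EXPECTED_DROPBOX_TALKERS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DROPBOX_API = re.compile(r"(^|\.)dropboxapi\.com$", re.I)
HIDDEN = re.compile(r"-(w(indowstyle)?\s+hidden|enc(odedcommand)?)\b", re.I)
TEMP_BAT = re.compile(r"(%temp%|\\temp\\|\$env:temp)[^\s\"]*\.bat\b", re.I)

# Constructed sample events (t = seconds since start of capture).
EVENTS = [
    {"t": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    # Shortcut double-clicked: Explorer launches a hidden PowerShell that runs a .bat from %Temp%.
    {"t": 2, "type": "process", "pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmd": 'powershell.exe -windowstyle hidden -nop -c "& $env:Temp\\Toy.bat"'},
    {"t": 3, "type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmd": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\Toy.bat"},
    {"t": 4, "type": "process", "pid": 400, "ppid": 300, "image": "hwp.exe", "cmd": "hwp.exe decoy.hwp"},
    {"t": 9, "type": "network", "pid": 300, "image": "cmd.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443},
    # Benign baseline: the Dropbox client reaches the same domain, and an admin runs PowerShell normally.
    {"t": 5, "type": "process", "pid": 500, "ppid": 100, "image": "dropbox.exe", "cmd": "dropbox.exe"},
    {"t": 6, "type": "network", "pid": 500, "image": "dropbox.exe", "dst_host": "api.dropboxapi.com", "dst_port": 443},
    {"t": 7, "type": "process", "pid": 600, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe -c Get-Date"},
]


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) alerts in time order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def ancestors(pid: int) -> list[dict]:
        chain = []
        while pid in procs:                       # walk pid -> ppid until the tree root
            chain.append(procs[pid])
            pid = procs[pid]["ppid"]
        return chain

    alerts = []
    for e in sorted(events, key=lambda x: x["t"]):
        image = e["image"].lower()
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # Rule 1: Explorer (i.e. a user opening a file/shortcut) starts a hidden script host.
            if image in SCRIPT_HOSTS and parent and parent["image"].lower() == "explorer.exe" \
                    and HIDDEN.search(e["cmd"]):
                alerts.append(("hidden_script_host_from_explorer", e["pid"]))
            # Rule 2: a batch file staged in the user's Temp directory is executed.
            if image == "cmd.exe" and TEMP_BAT.search(e["cmd"]):
                alerts.append(("bat_from_temp", e["pid"]))
        elif e["type"] == "network" and DROPBOX_API.search(e["dst_host"]):
            # Rule 3: Dropbox API reached by an unexpected process whose ancestry includes a script host.
            if image in EXPECTED_DROPBOX_TALKERS:
                continue
            if any(p["image"].lower() in SCRIPT_HOSTS for p in ancestors(e["pid"])):
                alerts.append(("dropbox_api_from_script_host_tree", e["pid"]))
    return alerts


def root_pid(events: list[dict], pid: int) -> int:
    """Top-most known ancestor of pid, useful for grouping alerts into one incident."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid={pid} tree_root={root_pid(EVENTS, pid)}")
```

Rule 3 is the one that survives the fileless stage: however the shellcode is loaded, the process that beacons still has a parent chain, and a Dropbox API session from anything other than the expected client or a browser is the anomaly worth paging on. Rules 1 and 2 fire earlier and give the incident its root process.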

The campaign demonstrates APT37’s continued sophistication in exploiting legitimate cloud services to maintain persistent access while evading traditional security controls.
