Threat Actors Impersonate Korean TV Writers to Deliver Malware

North Korea-backed threat actors are impersonating writers from major Korean broadcasting companies to deliver malicious documents and establish initial access to targeted systems, according to threat intelligence research by Genians Security Center.

The “Artemis” campaign, attributed to the APT37 group, combines social engineering with sophisticated technical evasion techniques to bypass endpoint defenses.

The attack begins with careful reconnaissance and trust-building. Threat actors contact targets while posing as writers for well-known Korean television programs, initially requesting interviews or casting opportunities related to North Korean human rights and defector topics.

This approach leverages the credibility of legitimate media organizations to establish rapport with victims.

After multiple trust-building conversations, attackers deliver malicious Hangul Word Processor (HWP) documents disguised as interview questionnaires or event guides.

The investigation confirmed that the threat actors used real names of writers from separate broadcasting programs without authorization, amplifying their credibility and increasing the likelihood of document execution by unsuspecting targets.

Multi-Stage Technical Evasion

Once the malicious HWP document reaches the victim, a sophisticated attack chain is triggered. The document embeds a malicious OLE (Object Linking and Embedding) object disguised as a hyperlink. When users click the link, the compromise process begins.

The attack relies on DLL side-loading, a technique in which legitimate Microsoft Sysinternals utilities (the report names VolumeId.exe, vhelp.exe, and mhelp.exe) are made to load a malicious DLL placed in the same directory as the executable.

Photo Used in the Steganography Attack.

This approach is particularly effective because signature-based security solutions often allow-list legitimate system utilities, so the malware executes under the guise of a trusted process.

The malicious payload is wrapped in multiple layers of XOR encoding, each stage using a different key value (0xFA, 0xF9, and 0x29) that is removed in turn during successive decryption stages.

This layering complicates static analysis and slows a researcher's reconstruction of the attack mechanics. The final decrypted payload is RoKRAT, a remote access trojan long attributed to APT37.

Analysis of the C2 infrastructure revealed that APT37 continues to leverage legitimate cloud services for command and control. The “version.dll” used for DLL side-loading was observed in continuous use from October to November 2025.

DLL Logic Analysis.

On the infrastructure side, the threat actors registered Yandex Cloud (Russia-based) and pCloud (Switzerland-based) accounts using the identifier “tanessha.samuel,” both created on October 19, 2023.

This geographic and jurisdictional separation reflects a deliberate strategy to complicate attribution and evade geographic blocking.

The account tokens recovered from infected systems show that the actors actively maintained and renewed their infrastructure over an extended period: one token was created in October 2023 and another in February 2025.

This pattern demonstrates sustained operational capability and long-term strategic intent rather than isolated campaign activity.

Detection and Response

Traditional signature-based security tools struggle against this attack because it abuses legitimate, signed processes and hides its payload behind multi-stage encoding.

The loader module XORs the encrypted block in memory with a repeating 16-byte key (0xF9) and then transfers control to the decoded bytes, the characteristic behaviour of a shellcode loader.

Shellcode Decryption Logic.
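As an added worked example (not code from the Genians report or this article), the following Python shows how an analyst recovers XOR keys of the two kinds described above (the nested single-byte layers 0xFA, 0xF9, 0x29 in the payload, and the 16-byte repeating key in the shellcode loader) from a captured blob using known plaintext. The payload is a constructed stand-in for a PE file; the DOS-stub string and its 0x4E offset are those of a typical MSVC-linked executable and are assumptions, not values taken from the Artemis samples.

```python
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E  # where the stub text sits in a typical MSVC-linked PE (assumption)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a one-byte key is just the length-1 case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_sample_pe() -> bytes:
    """Constructed stand-in for a PE payload: MZ header, filler, DOS stub text, filler."""
    return b"MZ" + b"\x90" * (DOS_STUB_OFFSET - 2) + DOS_STUB + b"\x00" * 64


def nested_single_byte_xor(data: bytes, keys) -> bytes:
    """Apply single-byte XOR layers back to back, innermost key first."""
    for k in keys:
        data = xor_bytes(data, bytes([k]))
    return data


def recover_single_byte_key(blob: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force the one key byte that makes the blob start with known_prefix."""
    for k in range(256):
        if xor_bytes(blob[: len(known_prefix)], bytes([k])) == known_prefix:
            return k
    return None


def recover_repeating_key(blob: bytes, known: bytes, offset: int, key_len: int) -> Optional[bytes]:
    """Recover a key_len-byte repeating key from known plaintext at a known offset.

    Every known byte pins key[(offset + i) % key_len]; the known text must
    cover at least key_len positions, and a contradiction between two bytes
    that map to the same position means the offset or key length is wrong.
    """
    if len(known) < key_len or offset + len(known) > len(blob):
        return None
    key = [None] * key_len
    for i, p in enumerate(known):
        pos = (offset + i) % key_len
        k = blob[offset + i] ^ p
        if key[pos] is not None and key[pos] != k:
            return None
        key[pos] = k
    return bytes(key)


def demo():
    """Run both cases on the constructed sample and return the recovered keys."""
    payload = make_sample_pe()

    # Case 1: the three single-byte layers named above, applied directly on top
    # of each other. XOR composes, so they collapse into one byte: 0xFA ^ 0xF9 ^ 0x29.
    layered = nested_single_byte_xor(payload, [0x29, 0xF9, 0xFA])
    one_byte = recover_single_byte_key(layered, b"MZ")

    # Case 2: a genuine 16-byte repeating key (assumed value), recovered from the
    # 38-byte DOS stub text, which is long enough to pin all 16 key positions.
    key16 = bytes(range(0x10, 0x20))
    wrapped = xor_bytes(payload, key16)
    recovered16 = recover_repeating_key(wrapped, DOS_STUB, DOS_STUB_OFFSET, 16)

    return one_byte, recovered16
```

Two practical points follow from the code. First, single-byte layers only add analysis effort when each stage's decoder runs between them; applied back to back to the same bytes they are equivalent to a single key, which a two-byte known header recovers instantly. Second, a 16-byte key whose bytes are all 0xF9, as described for the loader, behaves exactly like a one-byte key; the known-plaintext-at-offset method in case 2 is what you need when the 16 bytes differ.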

Endpoint Detection and Response (EDR) solutions capable of behavioral analysis are essential for identifying abnormal execution flows, particularly when legitimate utilities load DLLs from suspicious paths or HWP processes spawn unexpected child processes such as rundll32.exe or cmd.exe.

Organizations should prioritize monitoring for:

  • DLL loading from abnormal paths by legitimate processes.
  • Child process creation from HWP applications.
  • Outbound communication to cloud storage services outside normal business hours.
  • Sequential attack chains including reconnaissance, file drops, and cloud-based C2 communication.
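The four monitoring points above, and the DLL side-loading described earlier, can be expressed as rules over endpoint telemetry. The following Python is an added example (not code from the article, Genians, or any vendor) that evaluates Sysmon-style process-create (event ID 1), network-connect (ID 3) and image-load (ID 7) records and flags a host on which all three stages appear. The log lines are constructed for the example; the HWP process name (hwp.exe), the cloud storage hostnames, the rundll32 command line and the 09:00–18:00 working window are assumptions to tune per environment, while the utility names, version.dll and the rundll32/cmd child processes come from the article.

```python
import json
from datetime import datetime
from pathlib import PureWindowsPath

SIDELOAD_HOSTS = {"volumeid.exe", "vhelp.exe", "mhelp.exe"}   # utilities named in the article
SIDELOAD_DLLS = {"version.dll"}                                 # side-loaded DLL named in the article
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HWP_PROCESSES = {"hwp.exe"}                                     # assumed HWP process image name
SUSPICIOUS_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
CLOUD_STORAGE_SUFFIXES = (".pcloud.com", ".yandex.net")         # assumed storage API hosts
BUSINESS_HOURS = range(9, 18)                                   # assumed local working hours
CHAIN_STAGES = {"hwp-child", "sideload", "cloud-c2"}            # stages that together form the chain


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(ev: dict):
    """Classify one Sysmon-style event; return (stage, message) or None if benign."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation: HWP spawning a LOLBin or shell
        parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
        if parent in HWP_PROCESSES and child in SUSPICIOUS_CHILDREN:
            return "hwp-child", f"{parent} spawned {child}: {ev.get('CommandLine', '')}"
    elif eid == 7:  # image load: a system-DLL name loaded from outside the system directories
        dll = ev["ImageLoaded"]
        if _name(dll) in SIDELOAD_DLLS and not dll.lower().startswith(SYSTEM_DIRS):
            host = _name(ev["Image"])
            tag = "known side-load host" if host in SIDELOAD_HOSTS else "unlisted host"
            return "sideload", f"{host} loaded {_name(dll)} from {dll} ({tag})"
    elif eid == 3:  # network connection: cloud storage reached outside working hours
        host = ev.get("DestinationHostname", "").lower()
        if host.endswith(CLOUD_STORAGE_SUFFIXES):
            hour = datetime.fromisoformat(ev["UtcTime"]).hour  # assumption: timestamps are local time
            if hour not in BUSINESS_HOURS:
                return "cloud-c2", f"{_name(ev['Image'])} -> {host} at {hour:02d}h (off hours)"
    return None


def scan(lines):
    """Evaluate JSON event lines; return per-event alerts and hosts showing the full chain."""
    alerts, stages_by_host = [], {}
    for line in lines:
        ev = json.loads(line)
        hit = evaluate(ev)
        if hit is None:
            continue
        stage, message = hit
        alerts.append((ev["Computer"], stage, message))
        stages_by_host.setdefault(ev["Computer"], set()).add(stage)
    chains = sorted(h for h, s in stages_by_host.items() if s >= CHAIN_STAGES)
    return alerts, chains


# Constructed Sysmon-style events (not real telemetry): three malicious on WS01, two benign on WS02.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2025-11-03 21:14:05",
     "ParentImage": "C:\\Program Files\\Hnc\\Hwp.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\kim\\AppData\\Local\\Temp\\ole.tmp,Run"},  # hypothetical
    {"EventID": 7, "Computer": "WS01", "UtcTime": "2025-11-03 21:14:09",
     "Image": "C:\\Users\\kim\\AppData\\Local\\Temp\\vhelp.exe",
     "ImageLoaded": "C:\\Users\\kim\\AppData\\Local\\Temp\\version.dll"},
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2025-11-03 21:15:30",
     "Image": "C:\\Users\\kim\\AppData\\Local\\Temp\\vhelp.exe",
     "DestinationHostname": "api.pcloud.com", "DestinationPort": 443},
    {"EventID": 7, "Computer": "WS02", "UtcTime": "2025-11-03 10:02:11",
     "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"EventID": 3, "Computer": "WS02", "UtcTime": "2025-11-03 10:30:00",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "my.pcloud.com", "DestinationPort": 443},
]]


if __name__ == "__main__":
    alerts, chains = scan(SAMPLE_EVENTS)
    for computer, stage, message in alerts:
        print(f"[{computer}] {stage}: {message}")
    print("full chain observed on:", chains)
```

The side-load rule keys on the DLL name and load path rather than on the host executable, so a renamed copy of the utility is still caught; the host name only raises the confidence. The off-hours rule is deliberately a low-confidence signal on its own (a sync client or browser will trip it), which is why the per-host chain correlation, not any single rule, is what should page an analyst.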

The Artemis campaign underscores APT37’s evolving capabilities and operational maturity. By combining credible social engineering with sophisticated technical evasion, the threat actor demonstrates clear strategic intent to establish persistent access to high-value targets in South Korea and allied nations.
