Genians Security Center identified a threat campaign suspected of being associated with APT37 that combines an obfuscated batch file command invocation technique with Compiled Python-based malware.
This threat is distributed through email-based spear phishing in the form of ZIP-compressed files and begins by inducing the user to execute an LNK shortcut file contained inside. When the user runs the file, the actual command is reconstructed through an environment variable-based substring expansion technique, after which additional payloads are downloaded and executed sequentially.
Analysis confirmed that the threat actor used various lures designed to attract the recipient’s attention, including airline e-ticket confirmations, invitations to events related to North Korea research, and impersonation of officials in the defense and police sectors, to induce execution of the attachment.
When the user extracts the compressed file and executes the LNK file, the obfuscated command embedded inside is triggered, downloading and executing a BAT file. Additional scripts using the same environment variable-based string recombination technique are then executed, continuing a multi-stage infection flow that communicates with the C2 server and receives subsequent payloads.
In the final stage, malware in the form of Compiled Python bytecode (.pyc), disguised with a .cat extension, is downloaded. The malware was analyzed as a remote command execution backdoor that operates through a Python runtime environment.
In particular, the environment variable-based batch file obfuscation method observed in this case shows characteristics similar to those in the "AI-Driven Deepfake-Based Military ID Forgery APT Campaign" report published on September 15 last year. A similar pattern was also identified in the abuse of C2 infrastructure, including Korea’s Cafe24 service and French (.fr) domains.
Taken together, this case shows strong similarities to the social engineering techniques, script obfuscation, and multi-stage download-based intrusion structure used by state-sponsored threat groups.
Accordingly, in addition to detection based on the identified indicators of compromise (IoCs), organizations need to strengthen behavior-based EDR response capabilities to identify obfuscated script execution, abnormal command invocation, and multi-stage download activity.
[Figure 1-1] Attack Flow of Police Official Impersonation Case
The APT37 group has continued to refine its intrusion tactics targeting individuals in the defense, security, and North Korea-related sectors by combining spear phishing, social engineering, script obfuscation, and multi-stage payload downloads. The group’s organizational structure was previously disclosed in a report by the Multilateral Sanctions Monitoring Team (MSMT).
According to the report, this threat group is classified as a cyber threat actor linked to the Ministry of State Security, an intelligence agency under North Korea’s State Affairs Commission. The organization has primarily conducted malicious cyber espionage against individuals involved in North Korea-related affairs, along with counterintelligence activities in support of the country’s interests.
According to media reports from last March, North Korea is known to have renamed the Ministry of State Security as the State Intelligence Bureau. This is interpreted as an organizational restructuring aimed at moving beyond its existing regime-security-centered role, strengthening its intelligence collection functions, and expanding its role as an external intelligence agency. In addition, in September 2025, North Korea is known to have expanded and reorganized the Reconnaissance General Bureau, an external operations agency under the General Staff Department of the Korean People’s Army, into the Reconnaissance Intelligence General Bureau. This is assessed as a measure to strengthen its external intelligence collection capabilities and cyber operations functions.
The fact that both organizations include the term "intelligence" in their names indicates that North Korea is redefining the functions of its security and reconnaissance organizations around a more intelligence-centric role. This appears to go beyond a simple name change and reflects a direction toward institutionally emphasizing intelligence collection, analysis, and operational use.
Given the nature of North Korea, its internal organizational structure is difficult to determine accurately from the outside. It is also necessary to consider the possibility of organizational restructuring or personnel reassignment. Because of these structural characteristics, caution is required when identifying the backing organization of a specific cyber threat actor or conducting attribution.
Relationships or affiliations between organizations can change over time, and a specific threat actor can be reassigned to another organization or carry out operations through inter-organizational cooperation as needed. In such cases, the same personnel, tools, and infrastructure can be used across multiple organizations. As a result, attributing an actor based solely on malware, attack tools, or infrastructure characteristics can lead to errors or misjudgments in the attribution process.
Meanwhile, the GitHub repository of the so-called "andydad," identified as being behind APT37, was found to have been operated for approximately three years from 2020. Multiple malicious files and signs of payload staging infrastructure usage were identified in this repository. In addition, signs of an operational security (OPSEC) failure that led to external exposure of the infrastructure were confirmed, and a large amount of related information used in the attack vector was also collected as evidence.
[Figure 2-1] Threat Actor’s GitHub Repository
At the time, the APT37 group used a wide range of malicious file formats, including Windows help files (CHM), HTML application files (HTA), Hancom Office document files (HWP), Microsoft Excel add-in files (XLL), macro-based Microsoft Office document files, and LNK shortcut files.
Amid this activity, on March 20, 2025, the Korean security company Hauri published an in-depth analysis report titled "Persistent Threat Attacks by the APT37 Group." The report identified numerous malicious LNK files linked to APT37 infrastructure.
When an LNK shortcut file is executed, PowerShell searches the current path for a ".lnk" file of a specific size, extracts data from a designated offset, saves it as "_ms3360.bat" in the temporary path ("%TEMP%"), and executes it in a hidden window.
The generated batch file uses an obfuscation technique that reconstructs the actual command through environment variable-based substring expansion. Depending on the variant, the file names were identified in three forms: "_pK3772.bat", "_wS1825.bat", and "_ms3360.bat".
The subsequently downloaded "WStemp163.cab" file from the C2 server contains an obfuscated Python script. This script inserts a large amount of comment data resembling Windows CBS (Component-Based Servicing) logs to disguise itself as a legitimate file, while placing only a portion of the actual code in the middle. This comment-based disguise technique makes it difficult to identify the malicious logic. It then downloads and executes the "MicroAppsTemp28h2.bat" file from the C2 server.
This background serves as an important point of comparison when assessing the threat linkage in this case.
In the AI deepfake-based military official ID impersonation case reported last year, a sender using the "cafe24[.]com" service and an attachment link hosted on "versonnex74[.]fr" were used. After the malicious LNK file inside the ZIP archive was executed, the attack flow proceeded to PowerShell invocation, followed by the download and execution of additional batch files.
In a similar LNK-based attack impersonating a unification studies research organization, the same "_ms3360.bat" file and a similarly named "MStemp109.cab" file were also used. The attack showed tactical similarities, including the same class of obfuscation techniques, such as environment variable-based substring expansion, branch-setting strings, and comment-disguised Python scripts.
In this case, a "cafe24[.]com" sender and a C2 server based on "choisy[.]fr" in France were also identified. Notably, the similarity goes beyond the domain registration country. The same IP address, "51.158.21[.]1", was used.
The execution flow also involved downloading subsequent payloads after environment variable-based batch script obfuscation. This indicates strong similarities with previously observed threat activity in terms of infrastructure operation, social engineering lure structure, and initial execution technique.
Overall, this case shows a high degree of continuity with previously disclosed cases across tactics, techniques, and infrastructure, and is assessed to be an extension of threat activity linked to the APT37 group.
This campaign follows a multi-stage infection chain consisting of initial access through spear-phishing emails, execution of an LNK file inside a compressed archive, chained execution of obfuscated BAT scripts, connection to an external C2 server, and execution of a final payload based on a Compiled Python Script.
The threat actor first sends emails tailored to the recipient’s interests and work context.
[Figure 3-1] Screens from Spear-Phishing Cases
The identified lure themes include airline e-tickets, email ID conflicts with a portal service, invitations to North Korea research-related events, and impersonation of defense and police officials. These themes are designed to make users open the files naturally.
The emails generally include a ZIP archive as a link or attachment, and the archive contains an LNK file disguised to look like a document. When the user extracts the archive and runs the LNK file, a malicious executable is not launched directly. Instead, an obfuscated command containing environment variable-based substring expansion is first executed through cmd.exe.
This process is designed to avoid directly exposing the actual command line. It combines multiple environment variables and substring expansion so that the final command is reconstructed only at runtime.
The reconstructed command downloads and executes a BAT script from a remote C2 server. The BAT file then extends the infection chain using a similar obfuscation technique. In the final stage, malware in the form of a Compiled Python Script using a .cat extension is downloaded and executed.
Although the file uses an extension that can be mistaken for a legitimate file, it actually functions as Python-based remote control malware. Through this malware, the threat actor can perform follow-up activities such as establishing persistence, executing additional commands, collecting files, and stealing system information.
In summary, this threat combines social engineering designed to induce user execution, substring expansion-based obfuscation to evade analysis and detection, and a multi-stage download structure to conceal the actual target payload after initial compromise.
Multiple variants of the malicious file used for initial delivery were identified. In this report, the latest sample identified in mid-April, which impersonates a police official, was selected as a representative case for detailed analysis.
This attack was carried out as spear phishing, delivering a compressed file containing a Windows Shortcut (LNK) file via email. The threat actor placed the shortcut file inside the compressed archive and disguised it as a work document or material related to a public institution to induce the user to execute it.
When the user extracts the archive and runs the LNK file, it appears to open a legitimate document, but malicious commands are executed in the background at the same time.
In this case, a decoy document with a file name that could be recognized as a legitimate document was configured to run together, making it likely that the user would perceive the action as simply opening a document.
This technique was analyzed as a typical social engineering method intended to lower the user’s suspicion and increase the success rate of initial execution.
Although LNK-based attacks are known as a relatively old technique, they remain an effective initial intrusion method that is repeatedly used by various threat actors.
In other words, continued caution is required because file formats that ordinary users may open casually during routine work can be abused and lead to actual compromise.
An environment variable-based string recombination obfuscation technique was applied to the command line embedded in the LNK file.
The LNK file is executed with the "cmd.exe /k" argument. It first stores a long string in the "a9390f0" environment variable, then constructs the actual command by sequentially combining only the required characters using substring reference syntax in the form of "%a9390f0:~offset,1%".
[Figure 4-1] Argument Values Embedded in the LNK File
This method is designed to avoid directly exposing the full execution command. Instead, commands, options, file paths, URLs, and variable names are split into individual characters and then recombined at runtime.
As a result, during static analysis, the actual execution syntax was difficult to identify immediately. This delayed threat analysts or security solutions from intuitively understanding the purpose of the command.
After restoring the original command, it was confirmed that the LNK file used cmd.exe to interpret the obfuscated string and ultimately invoked the powershell -executionpolicy bypass -command syntax. In other words, at this stage, cmd.exe handled the initial deobfuscation, while the subsequent file download and execution control were performed by the PowerShell script.
The restored PowerShell syntax showed an attempt to copy C:\Windows\System32\curl.exe, which exists in a normal system path, to the %TEMP% path as RpJjgMB.exe.
However, because the separator () was omitted during the path concatenation process, the file was actually created at %LOCALAPPDATA%\TempRpJjgMB.exe. The copied file was then used as a follow-up download tool.
[Figure 4-2] Restored Original Command
The abuse of curl.exe, an operating system built-in executable, can generally be classified as a LOLBins (Living-Off-the-Land Binaries) technique.
By contrast, pythonw.exe, which was used in a later stage, is not a Windows built-in component but an executable included in a legitimate software distribution. Therefore, rather than classifying it as a LOLBin in the same sense, it is more accurate to view it as the construction of an execution environment through the abuse of legitimate software.
The analysis confirmed that, during the LNK stage, two files were downloaded sequentially from the board.php path on the Korea-based C2 server kmot.co[.]kr.
The first file was "사이버범죄 신고시스템(ECRM).hwp", which was disguised as a legitimate document, and the second was "GuFLjO7q.bat", a batch file used to perform follow-up malicious activities.
The HWP file served as a decoy document displayed to the user, while the BAT file was executed separately and continued the actual infection flow.
In other words, the threat actor applied a dual-execution structure in which the user was led to believe that a legitimate document had been opened, while a separate script performed follow-up malicious activities in the background.
GuFLjO7q.bat, which was executed through the LNK file, was also confirmed to be obfuscated using environment variable-based string reassembly.
The batch file was a script designed to run in the Windows command interpreter (cmd.exe) environment. Internally, it was configured to reassemble and execute commands such as curl, mkdir, tar, del, ren, and schtasks.
[Figure 4-3] Deobfuscated Batch File Commands
After restoration, the batch file was found to first download "python-3.10.0-embed-amd64.zip" from the legitimate python.org website, save it to C:\Users\Public\temp012.zip, and use it in the subsequent extraction process.
It then created the C:\Users\Public\Music\MusicLibrariesPackage path and extracted the ZIP file into that directory to configure a Python Embed execution environment.
During this process, python.exe was deleted, and pythonw.exe was renamed to codeflush.exe. Analysis indicates that this was intended to remove the original identity of the legitimate Python interpreter and disguise it as a generic executable file.
In particular, pythonw.exe can run without displaying a console window, making it a suitable choice for configuring an environment that operates in the background without user awareness.
The batch file then downloaded an additional file, settingenv.cat, from the C2 server.
Analysis confirmed that this file was not a legitimate Windows security catalog (.cat) file, but a compiled file in Python bytecode (.pyc) format.
The threat actor used the legitimate Python Embed package as the execution base and stored the malicious script disguised with the .cat extension, thereby maintaining a more covert overall infection flow.
This approach worked to the threat actor's advantage because it allowed an independent execution environment to be configured quickly without formally installing a separate program on the operating system.
It also likely helped reduce the malicious suspicion of the network activity itself by obtaining the runtime from a legitimate software distribution server.
The batch file was not simply used to download additional files. Its primary purpose was to establish persistence by configuring an environment in which the malicious payload could continue running after infection.
To achieve this, the batch file created a Windows scheduled task to establish persistence.
The scheduled task name was identified as MicrosoftMusicLibrariesPackageTaskMachine.
This name was designed to resemble a legitimate Microsoft-related system task, making it difficult for users to visually identify it as suspicious.
The scheduled task was configured to run repeatedly at one-minute intervals, with the execution command structured as follows.
|
C:\Users\Public\Music\MusicLibrariesPackage\codeflush.exe C:\Users\Public\Music\MusicLibrariesPackage\settingenv.cat |
[Table 4-1] Scheduled Task Execution Command
In other words, the structure was designed so that the disguised executable, codeflush.exe, would periodically run with settingenv.cat passed as an argument.
This established a basis for the malware to be continuously re-executed regardless of whether the system was rebooted.
In particular, the short one-minute execution interval appears to have been configured to quickly restore malicious activity in situations such as process termination, errors, or user intervention.
As confirmed in the preceding analysis stage, the batch file downloaded settingenv.cat from the C2 server and saved it under the MusicLibrariesPackage path. Because this file was determined to be a key component in the subsequent execution stage, its structure was analyzed.
Although settingenv.cat is disguised as a Windows security catalog file (.cat) based on its extension, internal structure analysis identified it as a compiled file in Python bytecode (.pyc) format.
[Figure 4-4] Header Structure of the settingenv.cat File
A Python bytecode file (.pyc) is an intermediate code file generated by compiling Python source code. It is loaded and executed directly by the Python interpreter. To verify compatibility with the execution environment, these files include a Magic Number and additional information at the beginning of the file, in the header.
In Python 3.7 and later versions, an extended header structure is used in accordance with PEP 552. Here, PEP (Python Enhancement Proposal) refers to the official design document system used to propose and document features, structures, policies, and other aspects of the Python language and its standard implementation.
Analysis of the header area of settingenv.cat using a hex editor confirmed the following structure.
First, the value "6F 0D 0D 0A" at the beginning of the file matches the Magic Number format of a Python bytecode file. The Magic Number of a Python .pyc file consists of four bytes. In CPython, the first two bytes ("6F 0D") store the bytecode identifier value for each Python version in Little-endian format, while the last two bytes ("0D 0A") are combined as the Carriage Return Line Feed (CRLF) value.
In this context, CPython refers to the standard Python interpreter implemented in C and generally denotes the official Python distribution executed through "python.exe" or "pythonw.exe".
The "6F 0D" value identified in this sample is the Little-endian representation of the Magic Number value (3439) for Python 3.10.0, combined with "0D 0A". This confirms that the file was either generated in the Python 3.10 series or built as bytecode intended for a Python 3.10 runtime environment.
This also aligns with the attacker’s earlier behavior of downloading "python-3.10.0-embed-amd64.zip" to configure a Python runtime environment.
The following value, "01 00 00 00", corresponds to the Flags field defined in PEP 552, which was introduced in Python 3.7. This value indicates that the file is a hash-based .pyc file, not one generated using the timestamp-based method.
However, the 8-byte field that follows the Flags field, which typically stores hash or timestamp-related information, was set entirely to "0x00" in this sample. This is an abnormal structure that lacks the source information expected in a legitimate .pyc file. It is assessed to be an intentional measure to remove linkage information to the original source or to complicate analysis and tracking.
In particular, the absence of a hash value in a hash-based .pyc structure does not align with normal Python behavior. Therefore, this is interpreted as metadata being neutralized within a range that does not affect execution.
The value "0xE3" was then identified at Offset 0x10, which is an identifier that marks the beginning of a Code Object in the Python marshal format. This means that executable Python bytecode is included from that point onward.
In other words, the "settingenv.cat" file was confirmed to be a compiled file containing a code object that is directly executed by the Python interpreter, rather than a simple data file. It is structured so that the bytecode is executed through the previously configured Python runtime environment ("codeflush.exe"), and was analyzed as the core payload responsible for carrying out the actual malicious behavior.
The code object was then extracted from the area following "0xE3", and decompilation was performed to convert the Python bytecode into a form suitable for analysis.
The decompilation partially restored the Python code contained in the "settingenv.cat" file. However, the strings and major components remained obfuscated overall.
In particular, the following characteristics were identified in the initial section of the code.
[Figure 4-5] Initial Section of Decompiled Python Code
The decompilation showed that the code inside "settingenv.cat" does not directly expose key strings or module names as typical Python code would. Instead, it constructs them character by character using the chr() function or restores reversed strings through the [::-1] operation.
The __import__ function was also not called directly. Instead, the code accesses it in the form of getattr(__builtins__, "__import__") and dynamically loads the required modules.
The code uses modules such as os, base64, urllib.request, urllib.parse, sys, and io, but all module names were hidden through chr()-based string construction. Key analysis artifacts, including the C2 URL, HTTP header names (Cookie and User-Agent), transmission parameter (data), and encoding string (utf-8), were also obfuscated using the same method.
[Figure 4-6] Restoring Obfuscated Strings
This obfuscation makes it difficult to immediately understand the code’s meaning even after decompilation, and is used to delay string-based detection and analysis.
Accordingly, additional analysis was performed to restore the strings constructed using chr() and the reversed string operations, interpret the dynamic import structure, and identify the actual functions performed by the code.
After deobfuscation, the code was found to generate an identification token based on user information from the infected system, communicate with the C2 server, receive commands, and execute them.
Within the code, os.getlogin() is used to collect the currently logged-in username. The collected value is then combined with a predefined string and encoded with Base64 to generate a token value.
The generated token value is later included in the HTTP Cookie header during C2 communication and is used to identify the infected host. The code then uses “urllib.request” to send an HTTP request to the “board.php” path on “kmot.co[.]kr” and receive response data from the C2 server.
The received response data is processed as Base64-encoded Python code. The code is configured to decode the data and execute it through the "exec()" function. During execution, the standard output (stdout) is redirected to an "io.StringIO()" object, allowing the execution result to be collected as a string.
The collected execution result is then Base64-encoded again together with the command code delivered from the remote server, included in the "data" parameter, and sent back to the C2 server via POST.
Analysis confirmed that "settingenv.cat" is not a simple downloader, but a Python-based remote command execution backdoor that receives commands from the C2 server, executes them, and sends the results back.
This behavior provides a structure that allows the infected system to be controlled remotely. Its functionality can also be dynamically extended depending on the Python code delivered by the C2 server.
Therefore, the malware was assessed to operate in a manner similar to the control structure typically observed in RAT (Remote Access Trojan) families.
In 2020, the APT37 group has conducted attacks by embedding OLE objects in HWP document files and using them to trigger CVE-2018-15982, a vulnerability in Adobe Flash Player.
[Figure 5-1] Delivery of the Malicious "프로필 양식(Profile Form).hwp" File
In particular, the OLE object contained an external URL used to call the file that exploits the Flash vulnerability. During this process, the C2 server domain "sjem.co[.]kr" was used.
This attack infrastructure was not used only once, but was repeatedly observed over approximately two years. Although security patches for the Flash vulnerability had been released, the same exploitation method remained effective in some user environments where the patches had not been applied, allowing the threat to persist over an extended period.
[Figure 5-2] Flash Vulnerability Call URL
Once communication with the C2 server is established, additional Flash vulnerability activity is performed to download binary data stored in a OneDrive repository, after which the subsequent operation continues.
[Figure 5-3] zlib-Compressed SWF File with a CWS Signature
The final payload identified at this stage, "HncUpdate.exe", is a malicious file with information-stealing capabilities that was created on 2020-11-11 01:20:09 (UTC). It is widely known by the project name "Chinotto", based on the PDB path embedded in the file.
For reference, "Chinotto" is a term that refers to an Italian citrus fruit and a carbonated drink made from it.
This malicious file attempts to collect and exfiltrate user information through the C2 servers "haeundaejugong[.]com" and "kumdo[.]org".
[Figure 5-4] "Chinotto.pdb" String
At the time, similar malicious files used various C2 infrastructures, including "ljs5950.cafe24[.]com", "hanainternational[.]net", "kjdnc.gp114[.]net", "luminix[.]kr", "sunlin[.]org", "ezvm[.]kr", and "intobiz[.]kr".
[Figure 5-5] Attack Email Used in 2022
The threat actor used various types of malicious files, including DOCX, HWP, and EXE files, along with multiple C2 servers. A comparison of different cases and threat infrastructure reveals notable similarities.
|
THEME |
TYPE |
C2 |
IP |
|
'andydad'의 GitHub 저장소 |
chm |
attiferstudio[.]com/install.bak/sony/10.html |
121.78.88[.]93 |
|
평화 연구원 사칭 |
exe |
haeundaejugong[.]com/editor/chinotto/do.php |
121.78.88[.]88 |
|
서울 유엔 인권 사무소 사칭 |
docx |
sunlin[.]org/adm/phpMyAdmin/info/style.php |
211.169.73[.]104 |
|
민주평통 사무처 사칭 |
hwp |
hanainternational[.]net/editor/data/font.php |
121.78.88[.]92 |
|
경찰 수사관 사칭 |
exe |
intobiz[.]kr/bbs/data/bbs62/blog.php |
121.78.88[.]93 |
[Table 5-1] Comparison of C2 Servers by Attack Type
A common string-hiding technique was identified in three PHP files that perform C2 functions. Key strings are not stored directly in plaintext. Instead, dummy strings of the same length are declared and converted into byte arrays using "[System.Text.Encoding]::UTF8.GetBytes()".
Then, for each array index, two integer constants are processed with an XOR ("-bxor") operation to restore the byte values that form the actual string. This operation is repeated for the length of the string.
[Figure 5-6] Comparison of Similarities in XOR String Obfuscation
The restored byte array is ultimately reconstructed as a string through a "GetString()" call, and this process is performed only at runtime.
In April 2026, the decoy file "사이버범죄 신고시스템(ECRM).hwp" was identified among the files used by the threat actor while impersonating a police investigator.
[Figure 5-7] "Lailey" Account Name Recorded in the Decoy Document
The HWP document was last saved at 11:00:10 a.m. on Friday, April 17, 2026, and the last saved account was recorded as "Lailey".
The same "Lailey" account was also previously identified in malicious files used in 2022 attacks impersonating the National Unification Advisory Council Secretariat and the Seoul UN Human Rights Office.
The webshell registered at "hanainternational[.]net" in 2022 and the webshell used to download malware in the form of Compiled Python bytecode (.pyc) from "printory[.]kr" in 2026 were confirmed to be of the same type.
The webshell hosted at "udcontest[.]com", which was used in a phishing attack impersonating an admissions and academic major fair for North Korean defector youth in 2021, also showed the same form.
[Figure 5-8] Webshell Comparison
The "udcontest[.]com" domain used at the time resolved to the IP address "114.207.246[.]156".
This IP address was also associated with the "ableinfo.co[.]kr" domain and was used as distribution infrastructure for malicious files similar to the CHM and LNK types identified in the so-called "andydad" GitHub repository.
[Figure 5-9] C2 Server Hosting Malicious Files
During the investigation of this threat campaign, multiple similarities were identified with various infrastructures analyzed in previous cases. Consistent patterns were observed not only in the C2 infrastructure used in the attacks, but also in distinctive technical characteristics such as malware behavior, file structure, and the dropper and loader chain.
[Figure 5-10] Correlation Diagram
The threat actor appears to continuously change infrastructure details, including domains, IP addresses, file names, and distribution paths, to conceal traces of past activity.
Despite these changes, meaningful commonalities are repeatedly observed in specific batch script execution methods, configuration file structures, the use of intermediate loading files, and the staged structure of the infection chain.
This suggests that the campaigns are not merely replacing infrastructure, but are likely being operated continuously based on the same or similar attack framework or development resources. In particular, certain C2 server IP ranges, file packaging methods, and patterns in the use of purpose-specific decoy documents show strong links to previous cases.
Therefore, despite changes in the campaign’s external infrastructure, it is highly likely that this campaign was carried out by the same threat actor or an associated organization, based on the consistency of its internal structure and operational methods.
This threat was confirmed to be an APT37-linked campaign that induces execution of a malicious LNK file inside a ZIP archive through email-based spear phishing, then executes a Python-based backdoor through obfuscated command invocation and multi-stage payload downloads.
The threat actor used lures reflecting the target’s work environment and interests, including airline e-tickets, invitations to North Korea research events, and impersonation of defense and police officials, to lower the user’s suspicion. When the user executes the LNK file, it appears to display a legitimate document, while in the background, environment variable-based substring expansion commands are reconstructed through "cmd.exe" and PowerShell, followed by the download and execution of subsequent BAT files.
In particular, this campaign was observed copying "curl.exe", a legitimate Windows component, and using it as a download tool. It also downloaded the legitimate Python Embed package to configure a separate runtime environment, renamed "pythonw.exe" to "codeflush.exe", and used it to execute Compiled Python bytecode disguised with a ".cat" extension. This is assessed as an attempt to reduce the likelihood of detection by security solutions by abusing legitimate tools and a legitimate software runtime environment.
The use of a scheduled task to repeatedly execute the malicious Python bytecode also clearly indicates an intent to establish persistence on the infected system. The final payload, "settingenv.cat", was confirmed to be a remote command execution backdoor that receives additional commands from the C2 server, executes them, and sends the results back.
Considering these characteristics, response to this threat requires not only IoC-based detection, but also behavior-based analysis across the full attack chain, including the following:
Accordingly, organizations should strengthen an EDR-centered response framework capable of comprehensively detecting the threat actor’s tactics, techniques, and procedures (TTPs) from initial delivery and execution to additional payload downloads, persistence, C2 communication, and remote command execution. In particular, domains, IP addresses, file names, and extensions can be changed easily. Therefore, instead of relying on individual indicators of compromise, organizations should also operate detection and threat hunting programs based on correlations among process execution relationships, command-line patterns, file creation locations, scheduled task creation, and abuse of legitimate tools.
This threat was confirmed to be a complex attack that combines social engineering, abuse of legitimate tools (LOLBins), obfuscated scripts, multi-stage downloads, and the operation of a Python-based backdoor. Therefore, an EDR-centered integrated security framework is essential to visualize the entire attack flow, from initial execution to persistence, C2 communication, and subsequent command execution, and to detect and respond based on correlations between events.
"Genian Insights E" is a single-agent-based integrated endpoint security platform that supports effective response to various threats through the following capabilities.
Through behavior-based analysis, EDR can immediately detect the initial delivery stage in which a suspicious LNK file is created on a specific endpoint using a compression utility. It also provides visibility into the arguments used when the LNK file was executed.
[Figure 6-1] Detection of a Suspicious LNK File through EDR
The Attack Storyline feature in "Genian Insights E" allows analysts to easily identify, based on the command line, which batch file command was executed by the LNK file.
This information can help security administrators analyze the threat flow through EDR.
[Figure 6-2] Command Line Lookup Screen
Analysts can also identify the behavior of the PowerShell command and sequentially analyze the subsequent activity in which "curl.exe" is renamed to "TempRpJjgMB.exe" and used to attempt downloading additional files from the C2 server.
Although communication with the C2 server did not occur at the time of analysis, the related attempt itself can still be confirmed through behavior-based event logs.
[Figure 6-3] C2 Connection through PowerShell and "curl.exe"
Through this sequence of behavior-based analysis data, EDR administrators can visually understand the entire attack flow from initial delivery to subsequent activity, providing a basis for quickly and accurately identifying the threat.
255155bad9af5e2c6cf550ff2a95219d
abbb362cdfe14b56b3a13a2a55937ee4
b5f9cd67cb32f44c138c382e17b06fd6
f7b2e0cebd7793c8cfee2c7c5b93df9c
fcb97f87905a33af565b0a4f4e884d61
1aa7751332710f4e963a708243d3d550
09dabe5ab566e50ab4526504345af297
16d7be5ebc3c2ff1cffbb83b965fd4fb
33c97fc4eacd73addbae9e6cde54a77d
804d12b116bb40282fbf245db885c093
7922f91281e8b0fe00518d05bf295b4a
oxenhan1.cafe24[.]com
kmot.co[.]kr
ycpatent.co[.]kr
printory[.]kr
fe01.co[.]kr
choisy[.]fr
51.158.21[.]1
183.111.174[.]69
211.239.157[.]126
218.150.78[.]198
220.73.160[.]23