Weaponized PDFs and LNK Files Used in Windows Attacks

A clandestine campaign in which threat actors are weaponizing a legitimate-looking PDF document, titled “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52), alongside a malicious Windows shortcut (LNK) file named 국가정보연구회 소식지(52호).pdf.LNK.

The attackers distribute both files together—either within the same archive or as seemingly related attachments.

When victims open the LNK file, it silently executes a PowerShell payload that downloads and runs additional malware, allowing the attackers to gain foothold on the target system.

The principal targets appear to be individuals associated with the National Intelligence Research Association, including academics, former government officials, and researchers.

The adversaries aim to steal sensitive information, establish persistence, and conduct long-term espionage.

Evidence points to the involvement of APT-37—also known as InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, or Ricochet Chollima—a North Korean state-sponsored cyber espionage group active since at least 2012.

Although APT-37 typically focuses on South Korea, its operations have also impacted Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern countries.

The infection chain begins when a user opens the LNK file.

A Procmon trace reveals that embedded PowerShell scripts extract multiple payloads from within the .LNK itself.

Specifically, the script reads binary data from predefined offsets—0x0000102C for the decoy PDF, 0x0007EDC1 for a loader binary, 0x0015A851 for scripting commands, and 0x0015AED2 for the final payload.

These fragments are reconstructed into separate files (aio0.dat, aio1.dat, aio2.dat, and aio1+3.b+la+t) in the %TEMP% directory.

A batch file (aio03.bat) then invokes PowerShell Invoke-Command to load the final payload entirely in memory, exemplifying fileless execution via reflective DLL injection.

The in-memory stage decodes the XOR-encrypted executable (aio01.dat) using a single-byte key (0x35), allocates executable memory with GlobalAlloc and VirtualProtect, and launches a new thread via CreateThread.

Analysis of the extracted executable reveals classic ROKRAT malware behaviors: host fingerprinting (including WOW64 checks, computer name, BIOS information), anti-VM file creation tests, screenshot capture routines, and a suite of single-character commands for remote shellcode execution, file exfiltration, system enumeration, and remote command execution.

The payload exfiltrates documents (e.g., .doc, .xls, .ppt, .pdf, .hwp) by mimicking legitimate browser file uploads to a hardcoded C2 endpoint at daily.alltop.asia, then deletes local copies to cover its tracks.

Campaign 2 features a similar LNK-based delivery using a decoy document attributed to Kim Yō-jong’s July 28 statement reported by KCNA.

The .LNK drops a Word document (file.doc) and launches a highly obfuscated PowerShell loader via tony33.bat and tony32.dat, which double-decodes a Base64 payload into an XOR-encrypted binary stored in tony31.dat.

Once decoded using key 0x37, the payload executes directly in memory, downloads additional components such as abs.tmp from cloud storage, and persists via scheduled tasks before cleaning up staging files.

Throughout both campaigns, APT-37 leverages public cloud services—Dropbox, pCloud, and Yandex.Disk—to host C2 channels.

The malware uses legitimate API endpoints for listing, uploading, downloading, and deleting files, blending malicious traffic with normal cloud interactions.

This stealthy approach underscores the group’s advanced tradecraft and ability to evade traditional security controls.

Seqrite Lab has dubbed this operation HanKook Phantom, combining “HanKook” (한국, Korea) with “Phantom” to reflect both the geographical focus and the stealthy, evasive techniques employed.

HanKook Phantom illustrates how state-sponsored actors continue to refine spear-phishing methodologies, weaponize everyday file formats, and embrace fileless execution to maintain long-term access.

Defenders must adopt proactive monitoring of LNK-based threats, enhance detection of in-memory execution patterns, and scrutinize outbound HTTP uploads for anomalies in file type and MIME headers.

Only through layered defenses and threat intelligence sharing can organizations mitigate the persistent danger posed by APT-37’s evolving arsenal.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!