APT37’s new Artemis campaign uses trojanized HWP documents

Researchers at Genians Security Center have detailed a new advanced persistent threat (APT) campaign, dubbed “Artemis,” that they attribute to the North Korea–linked APT37 group. The operation combines targeted social engineering with technical evasion, delivering malware through trojanized Hangul Word Processor (HWP) documents.

According to the report, the campaign begins with spear-phishing emails that impersonate trusted figures such as Korean TV writers or university professors. Victims are contacted about casting, interviews, or conference participation, with attackers building credibility through multiple conversations before sending a malicious HWP file disguised as a questionnaire, event guide, or interview document.

The HWP file carries a covertly embedded malicious OLE object. Nothing runs on open: the chain triggers only when the user, having come to trust the sender, clicks a hyperlink in the document, which executes the embedded OLE content. Once loaded, the malware first launches a legitimate process and relies on masquerading so that its activity blends into normal system behaviour and evades signature-based security tools.

Execution continues through DLL side-loading. A legitimate, signed executable (a Microsoft Sysinternals utility) is abused by placing a malicious DLL with the expected name in the same directory; because Windows resolves a DLL that is not in the KnownDLLs list from the application’s own directory before System32, the program loads the attacker’s payload instead of the genuine library. For defenders the tell is a Microsoft-signed binary running from a user-writable location and loading an unsigned or non-Microsoft DLL from that same location.
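The heuristic above can be run over Sysmon Event ID 7 (Image Loaded) data. The following is an added example, not code from the Genians report: it flattens Sysmon fields into a constructed `Key: value | Key: value` line format, uses hypothetical paths and user names, and an illustrative list of commonly planted DLL names; the page names neither the Sysinternals utility nor the DLL that Artemis abuses.

```python
"""Triage Sysmon Event ID 7 (Image Loaded) records for DLL side-loading.

Added example; not code from the Genians report. The log lines are a
constructed 'Key: value | Key: value' flattening of Sysmon fields, the paths
are hypothetical, and the page names neither the Sysinternals utility nor the
DLL used in Artemis, so nothing below is a real indicator.
"""
import ntpath

# Locations a Microsoft-signed executable normally resolves system DLLs from.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# System DLL names frequently planted beside a signed binary for side-loading
# (illustrative list, not taken from the report).
COMMON_SIDELOAD_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll",
                         "wtsapi32.dll", "profapi.dll", "userenv.dll"}


def parse_event(line):
    """Parse one constructed 'Key: value | Key: value' record into a dict."""
    rec = {}
    for field in line.split(" | "):
        key, _, value = field.partition(": ")
        rec[key.strip()] = value.strip()
    return rec


def sideload_reason(rec):
    """Return why the load looks like side-loading, or None if it does not.

    Heuristic: the DLL sits in the executable's own directory, that directory
    is not a system DLL directory, and the DLL is either unsigned or carries a
    well-known system DLL name without a Microsoft signature.
    """
    image_dir = ntpath.dirname(rec["Image"]).lower()
    dll_dir = ntpath.dirname(rec["ImageLoaded"]).lower()
    dll_name = ntpath.basename(rec["ImageLoaded"]).lower()
    if dll_dir != image_dir or dll_dir.startswith(SYSTEM_DLL_DIRS):
        return None
    signed = rec.get("Signed", "false").lower() == "true"
    signer = rec.get("Signature", "")
    if not signed:
        return "unsigned DLL loaded from the executable's own directory"
    if dll_name in COMMON_SIDELOAD_NAMES and "microsoft" not in signer.lower():
        return f"system DLL name {dll_name} signed by '{signer}', not Microsoft"
    return None


def triage(lines):
    """Return (Image, ImageLoaded, reason) for every record that is flagged."""
    hits = []
    for line in lines:
        rec = parse_event(line)
        reason = sideload_reason(rec)
        if reason:
            hits.append((rec["Image"], rec["ImageLoaded"], reason))
    return hits


# Constructed Sysmon Event ID 7 records (hypothetical paths and users).
SAMPLE_EVENTS = [
    r"Image: C:\Users\writer\AppData\Local\Temp\tool.exe | ImageLoaded: C:\Users\writer\AppData\Local\Temp\version.dll | Signed: false | Signature: - | SignatureStatus: Unavailable",
    r"Image: C:\Users\writer\AppData\Local\Temp\tool.exe | ImageLoaded: C:\Windows\System32\kernel32.dll | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    r"Image: C:\Windows\System32\svchost.exe | ImageLoaded: C:\Windows\System32\rpcss.dll | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    r"Image: C:\Program Files\ExampleApp\app.exe | ImageLoaded: C:\Program Files\ExampleApp\plugin.dll | Signed: true | Signature: Example Software Ltd | SignatureStatus: Valid",
    r"Image: C:\Users\writer\Downloads\guide\viewer.exe | ImageLoaded: C:\Users\writer\Downloads\guide\dbghelp.dll | Signed: true | Signature: Example Software Ltd | SignatureStatus: Valid",
]

if __name__ == "__main__":
    for image, dll, reason in triage(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {reason}")
```

Only the first and last records are flagged: the unsigned `version.dll` beside a binary in Temp, and a `dbghelp.dll` that is signed but not by Microsoft. A third-party application loading its own signed plugin from its install directory is left alone, which keeps the rule quiet on ordinary software; in production you would additionally require the loading executable itself to be Microsoft-signed, a field Event ID 7 does not carry but Event ID 1 (Process Create) does.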

Genians also observed the threat actors using steganography to hide the RoKRAT backdoor inside image files. APT37 has deployed RoKRAT this way since July, including via a previously unreported portrait image observed in August.
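The report does not describe how the payload is embedded in the images, so the following is only a generic first triage check rather than a reproduction of the actor's method: an added example, not code from Genians, that walks a JPEG or PNG to its real end marker and reports any bytes appended after it. The sample images are constructed structural skeletons (not viewable pictures), and a payload woven into pixel or metadata bytes would need a different check.

```python
"""Find data appended after the structural end of a JPEG or PNG file.

Added example, not code from the Genians report. The report says RoKRAT was
hidden in image files but does not describe the embedding, so this is only a
generic first check: walk the image to its real end marker and return what
follows. The sample images below are constructed skeletons.
"""
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM, RST0-7: no length field


def jpeg_end(data):
    """Offset just past the EOI marker that really ends the image, or None.

    Segments are walked by their declared lengths, so an FF D9 inside an APP
    segment (an EXIF thumbnail, say) or inside the appended trailer is not
    mistaken for the end of the picture, unlike a naive find()/rfind().
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync: malformed file
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:
            return pos + 2
        pos += 2
        if marker in JPEG_STANDALONE:
            continue
        if pos + 2 > len(data):
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == 0xDA:                   # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in range(0xD0, 0xD8):
                    break                    # a real marker, not stuffing/RST
                pos += 1
    return None


def png_end(data):
    """Offset just past the IEND chunk, or None (CRCs are not verified)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                   # length + type + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def trailing_payload(data):
    """Return (format, appended bytes), or None if the input is not a JPEG/PNG."""
    for fmt, finder in (("jpeg", jpeg_end), ("png", png_end)):
        end = finder(data)
        if end is not None:
            return fmt, data[end:]
    return None


def _jpeg_skeleton():
    """Constructed JPEG skeleton: APP1 containing an FF D9, one SOS, then EOI."""
    app1_payload = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"   # thumbnail-like bytes
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(app1_payload)) + app1_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + len(sos_payload)) + sos_payload
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"   # FF00 stuffing and an RST0
    return JPEG_SOI + app1 + sos + scan + JPEG_EOI


def _png_skeleton():
    """Constructed 1x1 PNG skeleton: IHDR and IEND only, IHDR CRC left zero."""
    ihdr_data = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    ihdr = struct.pack(">I", len(ihdr_data)) + b"IHDR" + ihdr_data + b"\0\0\0\0"
    iend = struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
    return PNG_SIG + ihdr + iend


CLEAN_JPEG = _jpeg_skeleton()
# Appended PE-like trailer that itself contains an FF D9, to defeat rfind().
TROJANED_JPEG = CLEAN_JPEG + b"MZ\x90\x00" + b"\xff\xd9" + b"\x00" * 58
TROJANED_PNG = _png_skeleton() + b"\x13\x37" * 16   # appended opaque blob

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("a.jpg", TROJANED_JPEG), ("b.png", TROJANED_PNG)):
        fmt, trailer = trailing_payload(blob)
        print(f"{name}: {fmt}, {len(trailer)} trailing bytes, starts {trailer[:4]!r}")
```

A non-empty trailer is not proof of anything by itself (some cameras and editors append data too), but a trailer that decodes or XOR-decodes to an executable, or that the dropper's loader reads back at a fixed offset, is what turns an innocuous portrait into a RoKRAT carrier. Because the walker honours segment lengths, neither the FF D9 planted in the APP1 segment nor the one in the trailer moves the computed end of the picture.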

Analysis showed that the C2 infrastructure identified in Operation Artemis relied on Russia-based Yandex Cloud as a core node.

“This aligns with the long-standing tactical patterns demonstrated by APT37, as the group has continually advanced its strategy of abusing legitimate commercial cloud services such as Dropbox, OneDrive, pCloud, and Yandex Cloud to disguise C2 traffic as normal communication,” the report notes.
