Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)
2025-05-12 • Genians
https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
Genians analyzed Operation ToyBox Story, a March 2025 APT37 spear-phishing campaign that targeted activists and experts focused on North Korea. The attackers impersonated a South Korean national security think tank event and a North Korea-focused expert, using Dropbox links to deliver ZIP archives containing malicious LNK files disguised as HWP documents or event materials. Executing the LNK launched hidden PowerShell and BAT stages, created temporary files, loaded XOR-transformed shellcode in memory, and ultimately ran RoKRAT as a fileless payload. RoKRAT collected host details, process information, removable-drive data, and screenshots, then encrypted and attempted to exfiltrate the data through cloud-based C2 services including Dropbox, with references to pCloud and Yandex API patterns. The case matters because it shows APT37 continuing to abuse trusted cloud platforms and fileless LNK execution to evade pattern-based detection.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 37.120.210.2 | 2025-05-12 | 2026-01-21 |
| EMAIL | [email protected] | 2024-04-23 | 2025-12-21 |
| URL | https://content.dropboxapi.com/… | 2020-03-25 | 2025-09-03 |
| URL | https://content.dropboxapi.com/… | 2018-09-21 | 2025-09-03 |
| URL | https://cloud-api.yandex.net/v1… | 2025-03-10 | 2025-08-29 |
| URL | https://cloud-api.yandex.net/v1… | 2024-04-03 | 2025-08-29 |
| URL | https://cloud-api.yandex.net/v1… | 2024-04-03 | 2025-08-29 |
| URL | https://api.pcloud.com/uploadfi… | 2024-04-03 | 2025-08-29 |
| URL | https://cloud-api.yandex.net/v1… | 2024-04-03 | 2025-08-29 |
| URL | https://api.pcloud.com/getfilel… | 2024-04-03 | 2025-08-29 |
| URL | https://api.pcloud.com/listfold… | 2024-04-03 | 2025-08-29 |
| URL | https://api.dropboxapi.com/2/fi… | 2023-01-16 | 2025-08-29 |
| URL | https://api.dropboxapi.com/2/fi… | 2018-09-21 | 2025-08-29 |
| URL | https://api.pcloud.com/deletefi… | 2018-09-21 | 2025-08-29 |
| DOMAIN | cloud-api.yandex.net | 2018-02-27 | 2025-08-29 |
| HASH | 7cc8ce5374ff9eacd38491b75cbedf89 | 2025-05-12 | 2025-05-12 |
| HASH | d5d48f044ff16ef6a4d5bde060ed5cee | 2025-05-12 | 2025-05-12 |
| HASH | 8f339a09f0d0202cfaffbd38469490ec | 2025-05-12 | 2025-05-12 |
| HASH | 324688238c42d7190a2b50303cbc6a3c | 2025-05-12 | 2025-05-12 |
| HASH | 81c08366ea7fc0f933f368b120104384 | 2025-05-12 | 2025-05-12 |
| EMAIL | [email protected] | 2025-05-12 | 2025-05-12 |
| EMAIL | [email protected] | 2025-05-12 | 2025-05-12 |
| EMAIL | [email protected] | 2025-05-12 | 2025-05-12 |
| EMAIL | [email protected] | 2025-05-12 | 2025-05-12 |
| EMAIL | [email protected] | 2025-05-12 | 2025-05-12 |
| EMAIL | [email protected] | 2025-05-12 | 2025-05-12 |
| IPv4 | 89.147.101.65 | 2025-05-12 | 2025-05-12 |
| IPv4 | 89.147.101.71 | 2025-05-12 | 2025-05-12 |
| HASH | 723f80d1843315717bc56e9e58e89be5 | 2025-03-27 | 2025-05-12 |
| HASH | 46ca088d5c052738d42bbd6231cc0ed5 | 2025-03-27 | 2025-05-12 |
| HASH | 2f431c4e65af9908d2182c6a093bf262 | 2025-03-27 | 2025-05-12 |
| EMAIL | [email protected] | 2024-04-23 | 2025-05-12 |
| EMAIL | [email protected] | 2024-03-27 | 2025-05-12 |
| EMAIL | [email protected] | 2024-03-27 | 2025-05-12 |
| EMAIL | [email protected] | 2024-03-27 | 2025-05-12 |
| HASH | 7822e53536c1cf86c3e44e31e77bd088 | 2023-09-19 | 2025-05-12 |
| HASH | d77c8449f1efc4bfb9ebff496442bbbc | 2023-09-19 | 2025-05-12 |
| HASH | a635bd019674b25038cd8f02e15eebd2 | 2023-09-19 | 2025-05-12 |
| HASH | beeaca6a34fb05e73a6d8b7d2b8c2ee3 | 2023-09-19 | 2025-05-12 |