Persistent Threat Attacks by the APT37 Attack Group

2025-03-20 Hauri ( Document No : DT-20250320-001 )

https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=74

Attachments

2025-03-20 [mis-encoded Korean report title] APT37 [mis-encoded Korean title].pdf (1 MB)

The report describes APT37 activity that uses malicious LNK files disguised as Microsoft Store update content to start the infection. When executed, the LNK drops a decoy document and a batch file, rewrites the shortcut into an HTML file, and uses obfuscated code to retrieve a CAB payload from a compromised legitimate South Korean company website. The chain then registers a scheduled task named MicrosoftAppStoreAutoUpdateTaskMachine, runs MicrosoftAppStore.exe with appstore.version, and attempts to download a further payload, MicroAppStoreTemp28h2.bat, from the same abused infrastructure. Decoy themes cover aviation, banking, and security, showing socially targeted lures across sensitive sectors; hashes and C2 paths are supplied for detection and response.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 90026c2dbdb294b13fd03da2be011dd1 2025-03-20 2025-09-14
HASH dea8785b4c54d9ae6fa9c24de77531eb 2025-03-20 2025-03-20
HASH de26582dda75c138f35e932dd2424eea 2025-03-20 2025-03-20
HASH 345decffc710344a55fe121df7692df8 2025-03-20 2025-03-20
HASH f51f60834ba1734ae3765661d0f2654a 2025-03-20 2025-03-20
HASH bdde4878f82dda79d983464153d71009 2025-03-20 2025-03-20
HASH 640c6f987b24f35bb29d3db0f4b8c87b 2025-03-20 2025-03-20
HASH 8a0d6260ecdf551342633c93c03e4511 2025-03-20 2025-03-20
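The summary above names three host artifacts (the scheduled task, the executable with its appstore.version argument, and the follow-on .bat) and the IoC table lists eight hashes. The following hunting script is an added example written for this page, not code from the Hauri report. It assumes a simplified telemetry format of one JSON record per line with the fields event, host, task_name, image, cmdline, path and md5 (real Sysmon or EDR schemas differ and need field mapping), treats the 32-hex table values as MD5, and runs against constructed sample records embedded inline.

```python
"""Hunt for the APT37 Microsoft Store-lure chain across sample host telemetry.
Added example for the Hauri DT-20250320-001 summary page; not the report's code.
Assumption: telemetry is newline-delimited JSON with the fields used below.
"""
import json
import ntpath

# Indicators taken from the page: hashes from the IoC table (assumed MD5, 32 hex),
# and the task / file / argument names from the infection-chain summary.
IOC_MD5 = {
    "90026c2dbdb294b13fd03da2be011dd1", "dea8785b4c54d9ae6fa9c24de77531eb",
    "de26582dda75c138f35e932dd2424eea", "345decffc710344a55fe121df7692df8",
    "f51f60834ba1734ae3765661d0f2654a", "bdde4878f82dda79d983464153d71009",
    "640c6f987b24f35bb29d3db0f4b8c87b", "8a0d6260ecdf551342633c93c03e4511",
}
IOC_TASK_NAMES = {"microsoftappstoreautoupdatetaskmachine"}
IOC_FILE_NAMES = {"microsoftappstore.exe", "microappstoretemp28h2.bat"}
IOC_CMDLINE_TOKENS = {"appstore.version"}

# Constructed sample telemetry (hypothetical hosts ws01..ws03); JSON needs
# doubled backslashes, hence the raw string.
SAMPLE_TELEMETRY = r"""
{"event":"task_create","task_name":"\\MicrosoftAppStoreAutoUpdateTaskMachine","host":"ws01"}
{"event":"process_create","image":"C:\\Users\\u\\AppData\\Local\\Temp\\MicrosoftAppStore.exe","cmdline":"MicrosoftAppStore.exe appstore.version","host":"ws01"}
{"event":"file_hash","path":"C:\\Users\\u\\Downloads\\MS_Store_Update.lnk","md5":"90026C2DBDB294B13FD03DA2BE011DD1","host":"ws01"}
{"event":"file_hash","path":"C:\\Windows\\notepad.exe","md5":"0123456789abcdef0123456789abcdef","host":"ws01"}
{"event":"file_create","path":"C:\\Users\\u\\AppData\\Local\\Temp\\MicroAppStoreTemp28h2.bat","host":"ws03"}
{"event":"process_create","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs","host":"ws02"}
"""


def parse_telemetry(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_record(rec):
    """Return (rule, matched value) if the record hits an indicator, else None.

    Matching is case-insensitive and tolerant of the leading backslash that
    Task Scheduler telemetry usually puts in front of a task name.
    """
    event = rec.get("event")
    if event == "file_hash":
        md5 = rec.get("md5", "").lower()
        if md5 in IOC_MD5:
            return ("hash", md5)
    elif event == "task_create":
        name = rec.get("task_name", "").lstrip("\\").lower()
        if name in IOC_TASK_NAMES:
            return ("task", name)
    elif event == "process_create":
        image = ntpath.basename(rec.get("image", "")).lower()
        cmd = rec.get("cmdline", "").lower()
        if image in IOC_FILE_NAMES or any(t in cmd for t in IOC_CMDLINE_TOKENS):
            return ("process", image)
    elif event == "file_create":
        name = ntpath.basename(rec.get("path", "")).lower()
        if name in IOC_FILE_NAMES:
            return ("file", name)
    return None


def hunt(records):
    """Run every record through the indicator rules; return the findings."""
    findings = []
    for rec in records:
        hit = match_record(rec)
        if hit:
            findings.append({"rule": hit[0], "value": hit[1],
                             "host": rec.get("host", "?")})
    return findings


def hosts_hit(findings):
    """Sorted list of hosts with at least one finding (triage starting point)."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = hunt(parse_telemetry(SAMPLE_TELEMETRY))
    for f in results:
        print(f"{f['host']}: {f['rule']} -> {f['value']}")
    print("hosts to triage:", hosts_hit(results))
```

On the constructed sample the script reports the task registration, the MicrosoftAppStore.exe launch and the LNK hash on ws01, and the dropped .bat on ws03, while the benign notepad.exe hash and svchost.exe launch on ws02 produce nothing; hashes are normalised to lowercase before lookup because collection tools differ in case.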
