APT37-GOLDBACKDOOR
2022-04-27 • Hauri
https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=38
Hauri reported an APT37 spear-phishing campaign targeting journalists who cover North Korea-related issues. The attack used a large LNK file named "Kang Min-chol Edits 2.lnk" that hid PowerShell commands behind junk data and extracted a decoy Word document to appear legitimate. The decoded PowerShell reached an attacker-controlled OneDrive resource through Microsoft Graph API to retrieve encrypted shellcode, enabling a fileless Goldbackdoor infection chain.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 99fb399c9b121ef6e60e9bdff8b324b2 | 2022-04-27 | 2022-04-27 |
| HASH | 3f209fa947acfa93d67d40de9fa32fb2 | 2022-04-27 | 2022-04-27 |
| URL | https://api.onedrive.com/v1.0/s… | 2022-04-27 | 2022-04-27 |
| DOMAIN | 40hotmail.com | 2022-04-27 | 2022-04-27 |
| URL | https://1drv.ms/u/s!Ar9zfrwxWWE… | 2022-04-21 | 2022-04-27 |