LNK file distributing RokRAT malware (disguised as a certificate of completion)

2024-04-23 AhnLab LNK file distributing RokRAT malware (disguised as a certificate)

https://asec.ahnlab.com/ko/64423/


AhnLab analyzed oversized LNK files used to distribute the RokRAT backdoor to South Korean users, particularly people connected to North Korea-related topics. The shortcuts used certificate- and document-themed filenames, launched PowerShell through cmd.exe, dropped decoy PDF or document content, and followed a pattern similar to earlier RedEyes (ScarCruft) LNK-based RokRAT delivery.

Indicators of Compromise

Type     Value                                 First Seen   Last Seen
EMAIL    [email protected]                     2024-04-23   2025-12-21
URL      https://content.dropboxapi.com/…      2020-03-25   2025-09-03
URL      https://content.dropboxapi.com/…      2018-09-21   2025-09-03
URL      https://cloud-api.yandex.net/v1…      2024-04-03   2025-08-29
URL      https://cloud-api.yandex.net/v1…      2024-04-03   2025-08-29
URL      https://api.pcloud.com/uploadfi…      2024-04-03   2025-08-29
URL      https://api.pcloud.com/getfilel…      2024-04-03   2025-08-29
DOMAIN   cloud-api.yandex.net                  2018-02-27   2025-08-29
EMAIL    [email protected]                     2024-04-23   2025-05-12
EMAIL    [email protected]                     2024-03-27   2025-05-12
EMAIL    [email protected]                     2024-03-27   2025-05-12
HASH     358122718ba11b3e8bb56340dbe94f51      2024-04-23   2025-01-01
HASH     b85a6b1eb7418aa5da108bc0df824fc0      2024-04-23   2024-11-04
HASH     3114a3d092e269128f72cfd34812ddc8      2024-04-23   2024-05-07
HASH     35441efd293d9c9fb4788a3f0b4f2e6b      2024-04-23   2024-05-07
HASH     6e5e5ec38454ecf94e723897a42450ea      2024-04-23   2024-05-07
HASH     68386fa9933b2dc5711dffcee0748115      2024-04-23   2024-05-07
HASH     bd98fe95107ed54df3c809d7925f2d2c      2024-04-23   2024-05-07
HASH     bd07b927bb765ccfc94fadbc912b0226      2024-04-23   2024-05-07
