Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks
Essential information
- Published
- 22/12/2025 03:59
- Modified
- 22/12/2025 10:31
- Tags
- 2025-12-22, cloud infrastructure, dll side-loading, hwp, ole, rokrat, south korea, spear-phishing, steganography
- Related entities
- 1 intrusion set (APT), 9 techniques (MITRE ATT&CK), 1 malware, 3 others
Description
The 'Artemis' campaign, attributed to APT37, opens with spear-phishing that delivers malicious HWP documents carrying embedded OLE objects. The threat actor impersonates legitimate entities to gain the recipient's trust before delivering the payload. Once the document is opened, the chain moves from HWP execution to DLL side-loading: a legitimate, trusted executable is abused to load a malicious DLL placed alongside it, so the malicious code runs under a benign process name and evades detection. Steganography is used to conceal malicious code inside innocuous-looking carrier files, and the final RoKRAT payload passes through multiple stages of encryption and decryption before it is recovered. The campaign targets South Korean organizations, taking advantage of the widespread use of the HWP format there. For command and control, the actor relies on legitimate cloud services such as Yandex and pCloud, which blends its traffic with normal usage and complicates both detection and attribution.
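The side-loading step in this chain leaves a recognisable trace in endpoint telemetry: a DLL whose base name matches a Windows system library is loaded from a directory that is not System32 or Program Files, usually unsigned, usually sitting next to the executable that loads it, and in this campaign the loading process descends from the HWP viewer. The detector below is an added example written for this page, not code or telemetry from the report; the image-load records are constructed Sysmon Event ID 7 style fields, the executable and DLL names and the Hwp.exe install path are hypothetical, the parent-process field is an assumed enrichment (raw Event ID 7 does not carry it), and the list of system DLL names is an illustrative subset rather than a complete allow-list.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Illustrative subset of DLL base names that Windows ships in System32. A file with one
# of these names loaded from anywhere else is the classic side-loading signature.
# This is NOT an exhaustive list and is not taken from the report.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "wininet.dll", "userenv.dll", "dbghelp.dll",
    "cryptbase.dll", "msvcr100.dll", "profapi.dll",
}

# Directories treated as trusted install locations (assumption: standard Windows layout).
TRUSTED_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Substrings that mark user-writable locations where droppers typically stage files.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record."""
    image: str          # loading process executable ('Image')
    image_loaded: str   # DLL path ('ImageLoaded')
    signed: bool        # 'Signed' == "true"
    parent_image: str = ""  # assumed enrichment from process-creation data; not in raw EID 7


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(hint in p for hint in USER_WRITABLE_HINTS)


def side_loading_reasons(ev: ImageLoad) -> list[str]:
    """Return the independent indicators of DLL side-loading present in one record."""
    reasons: list[str] = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()

    if dll_name in KNOWN_SYSTEM_DLLS and not is_trusted_dir(ev.image_loaded):
        reasons.append("system DLL name loaded from outside Windows/Program Files")
    if not ev.signed and is_user_writable(ev.image_loaded):
        reasons.append("unsigned DLL loaded from a user-writable directory")
    if dll_dir == exe_dir and not is_trusted_dir(ev.image):
        reasons.append("DLL co-located with its loader outside trusted directories")
    if ntpath.basename(ev.parent_image).lower() == "hwp.exe":
        reasons.append("loading process was spawned by Hwp.exe")
    return reasons


def detect(events: list[ImageLoad], threshold: int = 2) -> list[tuple[ImageLoad, list[str]]]:
    """Alert on records that combine at least `threshold` indicators.

    Requiring two indicators keeps single-signal noise (e.g. an unsigned helper DLL
    in AppData belonging to a legitimate updater) out of the alert queue.
    """
    alerts = []
    for ev in events:
        reasons = side_loading_reasons(ev)
        if len(reasons) >= threshold:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    # 1. Routine: a system binary loads a signed DLL from System32.
    ImageLoad(image=r"C:\Windows\System32\svchost.exe",
              image_loaded=r"C:\Windows\System32\version.dll",
              signed=True, parent_image=r"C:\Windows\System32\services.exe"),
    # 2. Routine: the HWP viewer (hypothetical install path) loads a system DLL correctly.
    ImageLoad(image=r"C:\Program Files\Hnc\Hwp.exe",
              image_loaded=r"C:\Windows\System32\wininet.dll",
              signed=True, parent_image=r"C:\Windows\explorer.exe"),
    # 3. Side-loading pattern: an executable dropped to Temp by the HWP process loads an
    #    unsigned version.dll sitting beside it. Names and paths are hypothetical.
    ImageLoad(image=r"C:\Users\victim\AppData\Local\Temp\viewer.exe",
              image_loaded=r"C:\Users\victim\AppData\Local\Temp\version.dll",
              signed=False, parent_image=r"C:\Program Files\Hnc\Hwp.exe"),
]


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} -> {ev.image_loaded}")
        for r in reasons:
            print(f"  - {r}")
```

The same four checks translate directly into a SIEM rule over Sysmon Event ID 7 joined to Event ID 1 for parent lineage; the co-location and "system DLL name outside system directories" checks carry most of the signal and do not depend on the Hwp.exe ancestry, so they also catch the technique when the lure is not an HWP file.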