
Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

Published 22/12/2025 03:59 · Modified 22/12/2025 10:31


Essential information

Tags
2025-12-22 cloud infrastructure dll side-loading hwp ole rokrat south korea spear-phishing steganography
Related entities
1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 3 others

Description

The 'Artemis' campaign, conducted by APT37, uses malicious documents with embedded objects to initiate attacks. The threat actor impersonates legitimate entities to gain trust before delivering the payload. The attack chain combines OLE execution with DLL side-loading techniques to evade detection. Steganography is employed to conceal malicious code, and legitimate processes are abused to load malicious DLLs. The campaign targets South Korean organizations, exploiting the widespread use of the HWP format. Multiple stages of encryption and decryption obfuscate the final payload. The threat actor leverages cloud services such as Yandex and pCloud for command-and-control infrastructure, complicating detection and attribution.

External references