{
  "name": "Operation HanKook Phantom: Spear-Phishing Campaign",
  "slug": "operation-hankook-phantom-spear-phishing-campaign",
  "description": "APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection chain. The chain includes fileless PowerShell execution, in-memory loading of encrypted payloads, and covert data exfiltration mechanisms. The campaign, dubbed Operation HanKook Phantom, demonstrates APT37's continued focus on intelligence gathering and long-term espionage against South Korean targets. The attackers leverage cloud services for command-and-control and employ various techniques to evade detection, highlighting the persistent threat posed by North Korean state-sponsored actors. The ATT&CK techniques linked to this report indicate where detection should focus: PowerShell execution (T1059.001), persistence through scheduled tasks and Registry Run keys or the Startup folder (T1053.005, T1547.001), system and file discovery (T1082, T1083), and decoding of obfuscated payloads (T1140).",
  "published": "2025-08-29T11:41:15+00:00",
  "created_at": "2025-08-29T11:41:15+00:00",
  "modified_at": "2025-08-29T13:49:35+00:00",
  "created_at_opencti": "2025-08-29T11:41:15+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-29",
    "cloud services",
    "data exfiltration",
    "espionage",
    "fileless",
    "lnk files",
    "north korea",
    "powershell",
    "rokrat",
    "south korea",
    "spear-phishing"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:a57ab4eb4680af9a",
        "name": "ROKRAT - S0240",
        "slug": "rokrat-s0240"
      }
    ],
    "intrusion_sets": [
      {
        "id": "950aa317-d079-47cd-913e-10433cf55ecc",
        "name": "APT37",
        "slug": "apt37"
      }
    ],
    "attack_patterns": [
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Kuwait"
      },
      {
        "id": "",
        "name": "Nepal"
      },
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "Romania"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/68b1adfb268bf9fa0d35e008"
  ]
}