ScarCruft, a North Korean state-linked hacking group also known as APT37, has recently carried out a new cyber-espionage operation that researchers have named Operation HanKook Phantom. This campaign is focused on South Korean academics, researchers, and policy experts, and its main weapon is a malware strain called RokRAT. The operation was uncovered by Seqrite and reported publicly on August 29, 2025, with further coverage appearing on September 1, 2025.

The attack begins with targeted phishing emails that come with a compressed ZIP file. Inside this archive, the attackers hide a Windows shortcut file (.LNK) that has been made to look like a normal PDF document. When the unsuspecting victim clicks on it, the file opens a decoy document on the screen to avoid suspicion, but at the same time, the malware silently installs RokRAT in the background.

One of the lures discovered by researchers is disguised as a newsletter from the National Intelligence Research Society. This fake file, labeled as “Issue 52,” was sent to people believed to be part of or connected with the National Intelligence Research Association, including academic figures, former officials, and policy researchers. Because the document appears professional and legitimate, it can easily trick someone into opening it.

The technical chain used in this attack is multi-layered. The malicious shortcut launches PowerShell and batch scripts, which then create temporary files on the system. From there, the final RokRAT payload is loaded directly into the computer’s memory. By avoiding writing the malware to disk, the attackers reduce the chances of being detected by standard antivirus software. This technique shows the sophistication of ScarCruft’s operations.

Seqrite also observed a second wave of this campaign. In this version, the LNK file again uses PowerShell but instead drops a fake Microsoft Word document. The decoy in this case was a political statement allegedly from Kim Yo Jong, the sister of Kim Jong Un, dated July 28. The statement rejects reconciliation with South Korea, making it an attention-grabbing lure for the intended targets. Behind the scenes, however, an obfuscated dropper installs RokRAT on the victim’s device.

Once RokRAT is active, it can carry out a wide range of malicious tasks. It collects detailed information about the system, executes remote commands, searches and lists files, takes screenshots, and can download and run additional malware if the attackers decide to expand their access. In short, it gives ScarCruft full control of an infected device.

The stolen information is not sent directly to suspicious servers but instead routed through well-known cloud services. RokRAT makes use of Dropbox, Google Cloud, pCloud, and Yandex Cloud to exfiltrate data. By blending malicious traffic with legitimate cloud usage, the attackers make detection even harder. Seqrite’s analysis also revealed that RokRAT uses Yandex cloud APIs in a carefully designed way to avoid raising alarms.

This kind of campaign is clearly not about money. Unlike ransomware groups that demand payment, ScarCruft’s focus is intelligence gathering. The choice of targets (government-linked academics, think-tank researchers, and policy professionals) shows that the attackers are interested in sensitive knowledge, analysis, and insider perspectives on South Korea’s security and political environment.

The name “HanKook Phantom” was given to highlight both the Korean focus of the operation and the stealthy, ghost-like manner in which the malware infiltrates systems. Victims often have no idea they have been compromised since the decoy documents look genuine, and RokRAT hides its tracks by running in memory and using trusted cloud services for communication.

For South Korean academics and researchers, this discovery is a strong warning. Even if a document looks legitimate, it may be a trap. Carefully checking file extensions, avoiding unexpected ZIP attachments, and verifying the sender through other means are crucial steps to staying safe. Operation HanKook Phantom is a reminder that cyber-espionage groups like ScarCruft are active, persistent, and constantly refining their techniques to gather valuable intelligence from unsuspecting victims.
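The lure described above (a ZIP attachment carrying a Windows shortcut dressed up as a PDF) can be caught before anyone clicks it. The script below is an added example written for this article, not code from Seqrite or from the original report: it opens a ZIP archive, flags entries whose name ends in `.lnk` behind a document-style extension, and also flags entries whose content starts with the Shell Link header (the 0x4C header size followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) even when the name has been changed to hide that. The sample archive and file names are constructed for the demonstration and do not reproduce any real lure.

```python
import io
import zipfile

# Shell Link (.LNK) files begin with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Document extensions that attackers place in front of ".lnk" so the name
# reads like "report.pdf" when Windows hides the real extension.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".hwp", ".xlsx", ".pptx", ".txt")


def looks_like_lnk(data: bytes) -> bool:
    """True if the first 20 bytes match the Shell Link header."""
    return data[:20] == LNK_MAGIC


def is_lookalike_name(name: str) -> bool:
    """True for names such as 'newsletter.pdf.lnk' (document ext + .lnk)."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return False
    stem = lower[:-4]
    return stem.endswith(DOC_EXTENSIONS)


def inspect_archive(zip_bytes: bytes) -> list:
    """Return a list of {name, reasons} for every suspicious ZIP entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)  # only the header is needed for the check
            reasons = []
            if is_lookalike_name(info.filename):
                reasons.append("document-style name with .lnk extension")
            if looks_like_lnk(head):
                reasons.append("shell-link header")
                if not info.filename.lower().endswith(".lnk"):
                    reasons.append("extension does not match LNK content")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (hypothetical names, minimal LNK-like bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # shortcut disguised as a PDF newsletter
        zf.writestr("newsletter_issue_52.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # harmless text file, should not be flagged
        zf.writestr("readme.txt", b"plain text")
        # shortcut renamed to a bare .pdf, caught by the header check only
        zf.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The header check matters more than the name check: a mail gateway that only looks at extensions misses a shortcut that was renamed, while the 20-byte signature is stable across every LNK regardless of how it is labelled. In practice this runs as an attachment filter or a triage step on quarantined mail, not on the recipient's desktop.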

Stay alert, and keep your security measures updated!
