ROKRAT
RokRAT is a remote access trojan/backdoor associated with the North Korea-linked threat group APT37, also known as ScarCruft, RedEyes, Reaper, and TA-RedAnt. Public reporting describes it as a malicious tool used by APT37/ScarCruft and notes that it is used exclusively by North Korean hacking groups. RokRAT has been delivered through spearphishing emails with malicious Hangul Office (HWP) or Microsoft Word documents, malicious LNK shortcut files, and trojanized software in social-engineering campaigns, including a trojanized Wondershare PDFelement installer. It was also delivered in a supply-chain compromise of the sqgame Windows client via a trojanized mono.dll/downloader chain, where a malicious Windows update fetched shellcode containing RokRAT and then deployed the BirdCall backdoor.
Capabilities described in public reporting include collecting user credentials, downloading additional malware, stealing credentials stored in web browsers by querying SQLite databases, sending collected files back over its command-and-control channel, and fingerprinting hosts by reading the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData registry key to obtain the system manufacturer. RokRAT can inject into processes: APT37 was observed injecting RokRAT into cmd.exe, and the malware can use VirtualAlloc, WriteProcessMemory, and CreateRemoteThread to execute shellcode in Notepad.exe. Reporting also states that RokRAT can send collected data to cloud storage services such as pCloud and use the same C2 channel for exfiltration.
A notable characteristic is its abuse of legitimate web and cloud platforms for command and control. Reported C2 services include Twitter, Yandex, Dropbox, Mediafire, pCloud, and Zoho WorkDrive; one report also states RokRAT used legitimate social networking sites and cloud platforms for C2 communications. In one LNK-based campaign documented by ASEC, final-stage PowerShell downloaded encoded payload data from OneDrive, decoded it, and injected RokRAT into the PowerShell process; the malware then sent collected information to attacker-controlled cloud services such as pCloud and Yandex while disguising its User-Agent as Googlebot. Reported campaign artifacts and IoCs in the content include malicious LNK filenames such as 230407Infosheet.lnk, April 29th 2023 Seminar.lnk, 2023 Personal Evaluation.hwp.lnk, NK Diplomat Dispatch Selection and Diplomatic Offices.lnk, and NK Diplomacy Policy Decision Process.lnk; MD5 hashes 0f5eeb23d701a2b342fc15aa90d97ae0, 461ce7d6c6062d1ae33895d1f44d98fb, 657fd7317ccde5a0e0c182a626951a9f, 8e5cac0159a31ea808973508ce164e1d, and aa8ba9a029fa98b868be66b7d46e927b; OneDrive-related 1drv.ms and api.onedrive.com URLs; and a bearer token shown in file transmission: Authorization: Bearer RSbj7Zk5IYK5ThSbQZH4YBo7ZxiPOCH94RBbFuU9c04XXVJg7xbvX.
The malware is tied to espionage activity primarily affecting Windows systems, with campaigns targeting South Korean-related interests and, in the sqgame supply-chain case, ethnic Koreans in China’s Yanbian region, including individuals of interest to the North Korean regime such as refugees and defectors. Reporting also describes BirdCall as an advanced evolution of RokRAT and notes CloudMensis as spyware based on RokRAT targeting Windows and macOS systems.
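As an added illustration (not code from the page's sources), a small Python hunt over constructed endpoint network log lines that flags two of the C2 traits described above: a Googlebot User-Agent originating from a workstation process, and a script host or injection target such as powershell.exe or Notepad.exe reaching the cloud storage services RokRAT is reported to use. The log format, hostnames and process names are assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample endpoint network log (fields: timestamp host process destination user-agent)
SAMPLE_LOG = """\
2023-04-07T09:12:01Z WS-101 powershell.exe api.pcloud.com Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
2023-04-07T09:12:05Z WS-101 chrome.exe www.example.org Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0
2023-04-07T09:13:44Z WS-102 notepad.exe cloud-api.yandex.net Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2023-04-07T09:14:10Z WS-103 OneDrive.exe api.onedrive.com OneDriveSync/23.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
# Cloud storage services RokRAT is reported to use for C2 and exfiltration.
CLOUD_SUFFIXES = ("pcloud.com", "yandex.net", "yandex.com", "onedrive.com",
                  "dropbox.com", "mediafire.com", "zoho.com")
# Script hosts and injection targets that should not talk to consumer cloud storage on their own.
SUSPECT_PROCESSES = {"powershell.exe", "cmd.exe", "notepad.exe"}

class Finding(NamedTuple):
    host: str
    process: str
    destination: str
    reasons: str

def is_cloud_storage(dest: str) -> bool:
    dest = dest.lower()
    return any(dest == s or dest.endswith("." + s) for s in CLOUD_SUFFIXES)

def hunt(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a RokRAT-style C2 pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, host, proc, dest, ua = m.groups()
        reasons = []
        # A search-engine crawler User-Agent never legitimately originates from a workstation.
        if "googlebot" in ua.lower():
            reasons.append("crawler User-Agent from endpoint")
        # Cloud storage reached by a script host or known injection target.
        if is_cloud_storage(dest) and proc.lower() in SUSPECT_PROCESSES:
            reasons.append("suspect process to cloud storage")
        if reasons:
            findings.append(Finding(host, proc, dest, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    print(*hunt(SAMPLE_LOG), sep="\n")
```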
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Once the vulnerability was exploited, a multi-stage malware chain was deployed, culminating in the execution of a variant of RokRAT, a known malicious tool used by TA-RedAnt.
The group leveraged a previously unknown vulnerability (CVE-2024-38178) in IE’s legacy Chakra engine (jscript9.dll). Delivered via seemingly innocuous toast ads—pop-up windows displayed in free software—the attack exploited the vulnerability to execute remote commands.
Vulnerability exploited: CVE-2022-41128 (Internet Explorer vulnerability). Malware and tools: RokRAT.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Once the vulnerability was exploited, a multi-stage malware chain was deployed, culminating in the execution of a variant of RokRAT, a known malicious tool used by TA-RedAnt.
ASEC confirmed that the RedEyes threat group (also known as APT37, ScarCruft) has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
5 techniques
The IE vulnerability was exploited through a program that displays toast ads… Hackers infiltrated a server for a domestic ad agency and injected a malicious iframe into the HTML code delivered to the toast ad program.
Source: "A rigged game: ScarCruft compromises gaming platform in a supply-chain attack" (ScarCruft Indicators of Compromise).
Trojanized game with Android BirdCall version 2.0.
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution
5 techniques
The LNK files that were discovered this time contain PowerShell commands that can perform malicious behavior by creating and executing a script file along with a normal file in the temp folder.
The PowerShell command that is executed through cmd.exe upon executing the LNK file is as follows: /c powershell -windowstyle hidden ...
The group leveraged a previously unknown vulnerability (CVE-2024-38178) in IE’s legacy Chakra engine (jscript9.dll). Delivered via seemingly innocuous toast ads—pop-up windows displayed in free software—the attack exploited the vulnerability to execute remote commands.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
RedEyes threat group ... has also recently distributed the RokRAT malware through LNK files.
Persistence
1 technique
Privilege Escalation
3 techniques
First-Stage Malware: Injected into explorer.exe, designed to evade analysis.
ROKRAT can use VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread to execute shellcode within the address space of Notepad.exe. Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread. Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread.
Stealth
8 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The UserAgent in the request header is disguised as Googlebot.
First-Stage Malware: Injected into explorer.exe, designed to evade analysis.
ROKRAT can use VirtualAlloc, WriteProcessMemory, and then CreateRemoteThread to execute shellcode within the address space of Notepad.exe. Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread. Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Credential Access
2 techniques
RokRAT is malware that is capable of collecting user credentials and downloading additional malware.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
5 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Second-Stage Malware: Collecting system information and relaying it to a staging server.
BADNEWS crawls the victim's local drives and collects documents with selected extensions; Machete searches the file system for files of interest; Rover searches for files on local drives based on a predefined list of file extensions.
Collection
2 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
BoomBox can encrypt data using AES prior to exfiltration. ROKRAT can encrypt data prior to exfiltration by using an RSA public key. Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.
Command and Control
4 techniques
RokRAT: Leveraging cloud services for command and control, exfiltrating sensitive data, and executing commands. AhnLab’s analysis revealed, “The malware was configured to use Yandex Cloud by default, but it also includes functionality to communicate with other cloud services on command.”
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
The final PowerShell command that is executed downloads the encoded data from hxxps://api.onedrive[.]com/... decodes it, and injects it into the PowerShell process to perform malicious behavior.
Exfiltration
3 techniques
RokRAT: Leveraging cloud services for command and control, exfiltrating sensitive data, and executing commands.
The collected information is sent to the threat actor’s cloud server using cloud services such as pCloud and Yandex.
Akira will exfiltrate victim data using applications such as Rclone. APT41 DUST exfiltrated collected information to OneDrive. BoomBox can upload data to dedicated per-victim folders in Dropbox. During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command.
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
119 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A first-stage Windows backdoor delivered via a trojanized sqgame update package. It is fetched from a compromised South Korean website and used to install the BirdCall backdoor on victim systems.
A backdoor malware family used by ScarCruft and described as the predecessor/evolutionary basis for BirdCall. In this campaign, RokRAT is delivered via shellcode from a trojanized DLL and then used to fetch and install BirdCall. It relies on legitimate cloud services like Dropbox and pCloud for C2.
RokRAT is used in the Windows infection chain as a payload that is downloaded and executed by a trojanized DLL, after which it deploys the Windows version of BirdCall.
RokRAT is a backdoor used in the Windows portion of the supply-chain attack as an intermediate payload. A trojanized mono.dll downloader fetched shellcode containing RokRAT, which was then used to download and install BirdCall on victim machines.