APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware

Unlike earlier versions that relied on cloud services for payload delivery, the latest attacks embed encrypted shellcode within malicious LNK files, reducing reliance on external servers likely flagged by security systems. PowerShell Script Activation: The LNK file invokes PowerShell to extract embedded files, including decoy documents, batch scripts, and encrypted RokRat shellcode. In-Memory Payload Decryption: A malicious batch script executes a secondary PowerShell script, applying XOR decryption to reveal the RokRat shellcode. The group, active since 2012, has shifted tactics to employ fileless malware delivery mechanisms for deploying its signature RokRat malware, targeting government personnel and corporations across South Korea and Asia. These emails contain ZIP attachments housing malicious LNK files disguised as documents related to North Korean affairs, diplomatic policies, or trade agreements. Thread Execution: The decrypted shellcode spawns a new thread to load the final RokRat payload, which connects to command-and-control (C2) servers while masquerading network traffic as Googlebot user agents. The 360 Advanced Threat Research Institute has uncovered a sophisticated cyber espionage campaign orchestrated by the North Korean-linked threat actor APT-C-28, also known as ScarCruft or APT37. The malware’s cloud-based infrastructure allowed operators to dynamically update payloads, but recent campaigns show a pivot toward embedding malicious components directly within phishing email attachments. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Security vendors’ rapid takedowns of malicious domains likely forced the group to minimize external dependencies. This evolution marks a significant escalation in the group’s ability to evade traditional security defenses while stealing military, economic, and political intelligence. Since 2016, RokRat has served as the group’s primary remote access tool (RAT), enabling persistent network infiltration and data exfiltration. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 20 Feb 2025 09:55:17 +0000

Cyber News related to APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware

APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware - Unlike earlier versions that relied on cloud services for payload delivery, the latest attacks embed encrypted shellcode within malicious LNK files, reducing reliance on external servers likely flagged by security systems. PowerShell Script ...
1 day ago Cybersecuritynews.com

What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
1 year ago Techtarget.com

Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
7 months ago Pandasecurity.com

PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
1 year ago Securityintelligence.com

Cyber Insurance: A Smart Investment to Protect Your Business from Cyber Threats in 2023 - Don't wait until it's too late - get cyber insurance today and secure your business for tomorrow. According to the U.S. Federal Trade Commission, cyber insurance is a particular type of insurance that helps businesses mitigate financial losses ...
1 year ago Cyberdefensemagazine.com

Cyber Insurance for Businesses: Navigating Coverage - To mitigate these risks, many businesses opt for cyber insurance. With the wide range of policies available, navigating the world of cyber insurance can be overwhelming. In this article, we will delve into the complexities of cyber insurance and ...
1 year ago Securityzap.com

Fighting ransomware: A guide to getting the right cybersecurity insurance - While the cybersecurity risk insurance market has been around for more than 20 years, the rapidly changing nature of attacks and the rise in the ransomware epidemic has markedly changed the nature of cyber insurance in recent years. It's more ...
1 year ago Scmagazine.com

Cyber Insights 2023: The Geopolitical Effect - The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. The Russia/Ukraine war that started in early 2022 has been mirrored by a ...
2 years ago Securityweek.com

How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
10 months ago Pandasecurity.com

Three Key Threats Fueling the Future of Cyber Attacks - Improvements in cyber security and business continuity are helping to combat encryption-based ransomware attacks, yet the cyber threat landscape is continually evolving. Protecting an organization against intrusion remains a cat and mouse game, in ...
10 months ago Cyberdefensemagazine.com

Wargames director Jackie Schneider on why cyber is one of 'the most interesting scholarly puzzles' - In other games, we had people from Silicon Valley who were leading AI companies or cyber companies. What we found is those who had expertise in cyber operations were more likely to be more nuanced about how they used the cyber capability. On a larger ...
8 months ago Therecord.media

How to Extract Malware Configurations in a Sandbox - The most sought-after source of these indicators is malware configurations. Malware Sandboxing Leader ANY.RUN handles the heavy lifting of phishing and malware analysis for SOC and DFIR teams and also helps 300,000 professionals use the platform to ...
1 year ago Gbhackers.com

Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
9 months ago Cybersecurity-insiders.com

Latest Cyber News

Ukrainian hackers claim breach of Russian loan company linked to Putin’s ex-wife | The Record from Recorded Future News - 13 minutes ago
Black Basta is latest ransomware group to be hit by leak of chat logs | The Record from Recorded Future News - 2 hours ago
CISA Releases 7 ICS Advisories Detailing Vulnerabilities & Exploits - 7 hours ago
Pegasus Spyware Used Widely to Target Individuals in Private Industry & Finance Sectors - 8 hours ago
SPAWNCHIMERA Malware Exploiting Ivanti Buffer Overflow Vulnerability By Applying A Fix - Cyber Security News - 8 hours ago
Chinese Hackers Using New Bookworm Malware In Attacks Targeting Southeast Asia - 9 hours ago
Google Released PoC Exploit for Palo Alto Firewall Command Injection Vulnerability - 11 hours ago
New Active Directory Pentesting Tool For KeyCredentialLink Management - 11 hours ago
Windows Wi-Fi Password Stealer Malware Found Hosted on GitHub - 13 hours ago
China-linked hackers target European healthcare orgs in suspected espionage campaign | The Record from Recorded Future News - 14 hours ago
CVE-2025-27097 - 17 hours ago
CVE-2025-27098 - 17 hours ago
Apiiro unveils free scanner to detect malicious code merges - 18 hours ago
Black Basta ransomware gang's internal chat logs leak online - 18 hours ago
CVE-2025-0352 - 18 hours ago
CVE-2025-1265 - 18 hours ago
CVE-2025-24893 - 18 hours ago
CVE-2025-25299 - 18 hours ago
Ivanti Endpoint Manager Vulnerabilities Proof-of-Concept (PoC) Exploit Released - 19 hours ago
New NailaoLocker Ransomware Attacking European Healthcare - 19 hours ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

Ukrainian hackers claim breach of Russian loan company linked to Putin’s ex-wife | The Record from Recorded Future News - 13 minutes ago
Black Basta is latest ransomware group to be hit by leak of chat logs | The Record from Recorded Future News - 2 hours ago
CISA Releases 7 ICS Advisories Detailing Vulnerabilities & Exploits - 7 hours ago
Pegasus Spyware Used Widely to Target Individuals in Private Industry & Finance Sectors - 8 hours ago
SPAWNCHIMERA Malware Exploiting Ivanti Buffer Overflow Vulnerability By Applying A Fix - Cyber Security News - 8 hours ago
Chinese Hackers Using New Bookworm Malware In Attacks Targeting Southeast Asia - 9 hours ago
Google Released PoC Exploit for Palo Alto Firewall Command Injection Vulnerability - 11 hours ago
New Active Directory Pentesting Tool For KeyCredentialLink Management - 11 hours ago
Windows Wi-Fi Password Stealer Malware Found Hosted on GitHub - 13 hours ago
China-linked hackers target European healthcare orgs in suspected espionage campaign | The Record from Recorded Future News - 14 hours ago
CVE-2025-1272 - 2 days ago
CVE-2025-27090 - 1 day ago
CVE-2023-51305 - 1 day ago
CVE-2024-10339 - 1 day ago
CVE-2024-37359 - 1 day ago
CVE-2024-37360 - 1 day ago
CVE-2024-5705 - 1 day ago
CVE-2024-5706 - 1 day ago
CVE-2025-21355 - 1 day ago
CVE-2025-24989 - 1 day ago