CyberSecurityBoard
Sponsor Register Login

North Korean Hackers Weaponizing ZIP Files To Execute Malicious PowerShell Scripts

The LNK file contains embedded code that executes PowerShell commands to extract multiple components: a decoy HWPX document (a Korean document format), executable data files, and a batch script. While the security analyst, Mohamed Ezat from ZW01f noted that the attack begins with phishing emails containing ZIP attachments that conceal malicious LNK files masquerading as documents related to North Korean affairs or trade agreements. Their latest attack leverages ZIP file attachments containing hidden malicious LNK files that deploy the RokRat remote access trojan through a multi-stage process. It also includes multiple command functions that enable attackers to execute remote commands, scan drives, collect files, and download additional payloads, making it a versatile tool for espionage and data theft operations. The PowerShell commands look for the LNK file itself by searching for files with a specific size, then extracts data from predetermined offsets within the file structure. The first stage begins with the LNK file executing PowerShell code that extracts several files at specific byte offsets. Security researchers have identified a sophisticated attack campaign attributed to APT37, a North Korean state-sponsored hacking group also known as ScarCruft, Reaper, and Red Eyes. This technique helps the attackers evade detection by security solutions that focus solely on the initial file. For example, at offset 0x111E, it extracts 0xAD36 bytes and saves it as an HWPX file, which serves as a decoy document. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Upon execution, the LNK file initiates a sequence that extracts multiple payloads and saves them to the victim’s temporary directory. The shark.bat file launches PowerShell in a hidden window that reads elephant.dat from the temporary directory. The final payload, RokRat, is a sophisticated remote access trojan that collects detailed system information, including OS version, hardware details, running processes, and screenshots.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 10 Mar 2025 19:55:08 +0000


Cyber News related to North Korean Hackers Weaponizing ZIP Files To Execute Malicious PowerShell Scripts

North Korea's state hackers stole $3 billion in crypto since 2017 - North Korean-backed state hackers have stolen an estimated $3 billion in a long string of hacks targeting the cryptocurrency industry over the last six years since January 2017. Kimsuky, Lazarus Group, Andariel, and other North Korean hacking groups ...
1 year ago Bleepingcomputer.com Andariel Kimsuky Lazarus Group
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks - Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet, that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for ...
1 year ago Microsoft.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
2 years ago Therecord.media
North Korean IT worker scam is now a threat to all companies, cybersecurity experts say | The Record from Recorded Future News - Since disruptions began last year and law enforcement has publicly warned companies of the practice, DTEX’s Barnhart and others said they have seen some workers try to extort companies or hand off their access to more sophisticated North Korean ...
2 months ago Therecord.media
North Korean Hackers Utilizing Credential Stuffing to Launch Cyberattacks - In an alarming new report, researchers found that North Korean-linked hackers have been using stolen passwords during cyberattacks to gain access to various government, military and financial networks. According to security experts, the creative ...
2 years ago Thehackernews.com
North Korea's Kimsuky Attacks Rivals' Trusted Platforms - North Korea-linked threat groups are increasingly using living-off-the-land (LotL) techniques and trusted services to evade detection, with a recent Kimsuky campaign showcasing the use of PowerShell scripts and storing data in Dropbox folders, along ...
5 months ago Darkreading.com Andariel Kimsuky
U.S DoJ Announces Nationwide Actions to Combat North Korean Remote IT Workers - The U.S. Department of Justice announced coordinated nationwide law enforcement actions on June 30, 2025, targeting North Korean remote information technology workers’ illicit revenue generation schemes that have defrauded American companies ...
3 weeks ago Cybersecuritynews.com
Reserachers Uncovered North Korean Nationals Remote IT Worker Fraud Scheme - In a significant cybersecurity investigation, researchers have revealed an elaborate fraud scheme orchestrated by North Korean nationals who used stolen identities to secure remote IT positions at US-based companies and nonprofits. The operation ...
2 months ago Cybersecuritynews.com
North Korean Hackers Weaponizing ZIP Files To Execute Malicious PowerShell Scripts - The LNK file contains embedded code that executes PowerShell commands to extract multiple components: a decoy HWPX document (a Korean document format), executable data files, and a batch script. While the security analyst, Mohamed Ezat from ZW01f ...
4 months ago Cybersecuritynews.com APT3 APT37
US govt sanctions North Korea's Kimsuky hacking group - The Treasury Department's Office of Foreign Assets Control has sanctioned the North Korean-backed Kimsuky hacking group for stealing intelligence in support of the country's strategic goals. OFAC has also sanctioned eight North Korean agents for ...
1 year ago Bleepingcomputer.com Andariel Kimsuky
North Korean IT worker army expands operations in Europe - GTIG's report follows multiple warnings issued by the FBI regarding North Korea's massive army of IT workers sent abroad to generate revenue, who have tricked hundreds of companies in the United States and worldwide into hiring them over the years. ...
3 months ago Bleepingcomputer.com
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks - North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of ...
1 year ago Darkreading.com
Woman Accused of Helping North Korean IT Workers Infiltrate Hundreds of US Firms - The US government has announced charges, seizures, arrests and rewards as part of an effort to disrupt a scheme in which North Korean IT workers infiltrated hundreds of companies and earned millions of dollars for North Korea. According to the ...
1 year ago Securityweek.com
North Korean Hackers Stole $600m in Crypto in 2023 - North Korean hackers stole at least $600m in cryptocurrency in 2023, around a third of the total value of such heists, according to blockchain intelligence firm TRM. Despite the eye-watering sum, this figure represents a 30% reduction on ...
1 year ago Infosecurity-magazine.com
FBI Charges North Korean Hackers Over $100 Million Stolen in Crypto Hack - The FBI has recently charged a North Korean hacker in connection with the Harmony crypto hack from which the hacker allegedly stole over $100 million. The hacker, Jon Chang Hyok, is a member of the North Korean military intelligence agency, the ...
2 years ago Bleepingcomputer.com
Experts from the United Nations Report North Korean Hackers Have Taken a Large Amount of Digital Assets - Last year, North Korean hackers working for the government stole a record-breaking amount of virtual assets estimated to be worth between $630 million and more than $1 billion, according to a new report from U.N. experts. The panel of experts said ...
2 years ago Securityweek.com Andariel Kimsuky Lazarus Group Rocke
Operation RusticWeb Using PowerShell Commands to filtrate Doc - Hackers use PowerShell commands because they provide a powerful scripting environment on Windows systems, allowing them to stealthily execute malicious scripts and commands called Operation RusticWeb. The PowerShell's capabilities make it an ...
1 year ago Gbhackers.com
Microsoft: BlueNoroff hackers plan new crypto-theft attacks - Microsoft warns that the BlueNoroff North Korean hacking group is setting up new attack infrastructure for upcoming social engineering campaigns on LinkedIn. This financially motivated threat group also has a documented history of cryptocurrency ...
1 year ago Bleepingcomputer.com
The past year was the most detrimental for digital currency security breaches, with North Korean organizations profiting. - In 2022, cyberattacks on cryptocurrency platforms resulted in the theft of almost $4 billion, with a large portion of the activity being attributed to hackers working on behalf of the North Korean government. According to blockchain research firm ...
2 years ago Therecord.media Lazarus Group
US seizes Sinbad crypto mixer used by North Korean Lazarus hackers - The U.S. Department of the Treasury has sanctioned the Sinbad cryptocurrency mixing service for its use as a money-laundering tool by the North Korean Lazarus hacking group. A cryptocurrency mixer is a server that allows people to deposit crypto, ...
1 year ago Bleepingcomputer.com Lazarus Group
Microsoft links North Korean hackers to new FakePenny ransomware - Microsoft has linked a North Korean hacking group it tracks as Moonstone Sleet to FakePenny ransomware attacks, which have led to millions of dollars in ransom demands. While this threat group's tactics, techniques, and procedures largely overlapped ...
1 year ago Bleepingcomputer.com Kimsuky Lazarus Group LockBit Ransomhub
Microsoft: North Korean hackers join Qilin ransomware gang - Microsoft says Moonstone Sleet hackers are targeting both financial and cyberespionage targets using trojanized software (e.g., PuTTY), custom malware loaders, malicious games and npm packages, and fake software development companies (e.g., C.C. ...
4 months ago Bleepingcomputer.com Qilin
North Korean hackers linked to defense sector supply-chain attack - In an advisory today Germany's federal intelligence agency and South Korea's National Intelligence Service warn of an ongoing cyber-espionage operation targeting the global defense sector on behalf of the North Korean government. The attacks aim to ...
1 year ago Bleepingcomputer.com Lazarus Group
US hits senior North Korean officials with sanctions, $3 million bounties | The Record from Recorded Future News - U.S. law enforcement action centered on Korea Sobaeksu Trading Company — a North Korean company allegedly used as a front for the country’s Munitions Industry Department, which oversees the DPRK’s nuclear program and is involved in the ...
1 day ago Therecord.media
Woman gets 8 years for aiding North Koreans infiltrate 300 US firms - According to court documents, Chapman hosted the North Korean IT workers' computers in her own home beteen October 2020 and October 2023, creating a so-called "laptop farm" which was used to make it appear as though the devices were located in the ...
13 hours ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)