In March 2025, cybersecurity researchers at Genians Security Center (GSC) flagged a sophisticated spear phishing campaign orchestrated by the North Korea-linked threat actor APT37.
This operation, dubbed “Operation ToyBox Story,” marks a significant evolution in the group’s tactics: using fake academic conference invites and Dropbox-hosted ZIP archives to deliver highly obfuscated, fileless malware via malicious Windows shortcut (LNK) files.

Social Engineering and Living off Trusted Sites
APT37, also known as ScarCruft, is notorious for espionage targeting governments, activists, and think tanks related to the Korean Peninsula. In this latest campaign, attackers sent emails pretending to be South Korean academics or security experts.
The emails contained Dropbox links or attachments purporting to be conference invitations or sensitive documents about North Korean troop movements in Russia.
The attached ZIP archives held LNK files engineered to look benign, sometimes even using icons from legitimate services such as Naver Mail to strengthen the ruse.
Upon extraction and execution, the LNK file launches a multi-stage infection chain:
- LNK Execution: Clicking the LNK triggers embedded PowerShell commands.
- Decoy Document: The command simultaneously opens a harmless document (e.g., a Hangul Word Processor file) to distract the victim.
- Fileless Payload Staging: The PowerShell script writes and executes several hidden files (BAT and DAT) in the system’s %Temp% directory.
- In-Memory Malware Loading: These scripts use XOR logic and dynamic code execution to decrypt and load shellcode directly into RAM, evading disk-based antivirus detection.
- Final Payload: The ultimate payload is the RoKRAT malware, a signature espionage tool of APT37.
Technical Analysis: LNK and RoKRAT Malware Chain
LNK File Structure and Obfuscation
The core malicious LNK file is designed with command-line arguments to launch powershell.exe in hidden mode. To avoid detection, the attackers break up critical filenames in the batch script and reconstruct them at execution time:
set bat=%temp%\toy03.b^a^t
powershell -windowstyle hidden -executionpolicy bypass -file %bat%
The batch file then loads further staged scripts from the %Temp% folder (e.g., toy02.dat and toy01.dat). Each stage relies on PowerShell and obfuscation to transfer and execute code solely in memory.
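The caret trick above defeats naive string matching on the raw command line, so a detection has to undo the escaping before looking for the batch name. The following is an added example (not code from the article or from GSC): it normalizes cmd.exe caret escapes, then scores constructed process-creation events for the combination of signals described in this section (caret obfuscation, hidden PowerShell window, execution-policy bypass, BAT/DAT staging under %Temp%, and a parent of explorer.exe as is typical for a double-clicked shortcut). The event fields and sample command lines are assumptions shaped like EDR/Sysmon telemetry, not records from the campaign.

```python
import re

# Constructed process-creation events in an EDR/Sysmon-like shape. These are
# illustrative records, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {   # shortcut-launched cmd.exe that reconstructs the batch name with carets
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c set bat=%temp%\toy03.b^a^t && powershell -windowstyle hidden -executionpolicy bypass -file %bat%',
    },
    {   # the child PowerShell process after variable expansion
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -windowstyle hidden -executionpolicy bypass -file C:\Users\victim\AppData\Local\Temp\toy03.bat",
    },
    {   # benign administrative script for comparison
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -NoProfile -File C:\Scripts\backup.ps1",
    },
]

TEMP_PATH = re.compile(r"(%temp%|\\AppData\\Local\\Temp\\)", re.IGNORECASE)
STAGED_EXT = re.compile(r"\.(bat|dat)\b", re.IGNORECASE)


def deobfuscate_caret(cmd: str) -> str:
    """Undo cmd.exe caret escaping ('b^a^t' -> 'bat', '^^' -> '^') so that
    string matching sees the filename the interpreter will actually use."""
    out = []
    i = 0
    while i < len(cmd):
        if cmd[i] == "^" and i + 1 < len(cmd):
            out.append(cmd[i + 1])
            i += 2
        else:
            out.append(cmd[i])
            i += 1
    return "".join(out)


def score_event(event: dict) -> list:
    """Return the list of indicators observed in one process-creation event."""
    raw = event["command_line"]
    clean = deobfuscate_caret(raw)
    lowered = clean.lower()
    indicators = []
    if clean != raw:
        indicators.append("caret_obfuscation")
    if "powershell" in lowered:
        if re.search(r"-w(indowstyle)?\s+hidden", lowered):
            indicators.append("hidden_window")
        if re.search(r"-(executionpolicy|ex|ep)\s+bypass", lowered):
            indicators.append("execution_policy_bypass")
    if TEMP_PATH.search(clean) and STAGED_EXT.search(clean):
        indicators.append("temp_script_staging")
    if event["parent_image"].lower().endswith("explorer.exe"):
        indicators.append("launched_from_explorer")  # typical for a double-clicked LNK
    return indicators


def is_suspicious(event: dict) -> bool:
    """A weak signal on its own (e.g. a process started from Explorer) is not
    enough; require at least two indicators before raising an alert."""
    return len(score_event(event)) >= 2


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), score_event(ev), ev["image"])
```

Both the parent cmd.exe and the child powershell.exe cross the threshold, while the benign backup script only carries the weak explorer.exe signal. In practice the same normalization should also be applied to the command line stored inside the LNK itself, since that is where the carets first appear.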
Decoy Documents
To disguise activity, the first visible action is opening a legitimate document, often a news-style letter or conference invite that matches the lure email’s content. This helps delay suspicion while the background infection proceeds.
Fileless Execution Tactics
The process for dynamically loading the final PE executable (RoKRAT) includes:
- Decrypting a payload via XOR operations in PowerShell
- Allocating executable memory in the current process
- Injecting shellcode that reconstructs and runs the malware in memory
This “fileless” approach allows the attack to occur without writing a traditional .exe file to disk, bypassing signature-based AV solutions.
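Because the staged DAT files only become a recognizable executable after the XOR step, an analyst who recovers them from %Temp% has to reverse that step before any static tooling is useful. The block below is an added example (not code from the article or from GSC) of the standard triage approach: try every single-byte XOR key and accept the one that produces a structurally valid PE (an MZ signature and an e_lfanew pointer that lands on "PE\0\0"). It assumes a single-byte repeating key, which the article does not state; the encoded input is a constructed PE-shaped buffer, not a real sample, and real loaders may use longer keys, for which the same structural check still works with a known-plaintext approach.

```python
import struct


def build_sample_blob(key: int) -> bytes:
    """Constructed stand-in for a staged .dat file: a minimal PE-shaped buffer
    (MZ signature, e_lfanew at 0x3c pointing at 'PE\\0\\0') XOR-encoded with a
    single-byte key. Not a real sample from the campaign."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = struct.pack("<I", 0x40)
    body = bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + b"This program cannot be run in DOS mode"
    return bytes(b ^ key for b in body)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ at offset 0 and a PE signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_xor(blob: bytes):
    """Try every single-byte key and return (key, decoded) for the first candidate
    that decodes to a structurally valid PE, or None if no key works."""
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        if looks_like_pe(decoded):
            return key, decoded
    return None


if __name__ == "__main__":
    staged = build_sample_blob(0x5A)  # 0x5A is an arbitrary constructed key
    result = recover_single_byte_xor(staged)
    if result is None:
        print("no single-byte key produced a valid PE header")
    else:
        print(f"key=0x{result[0]:02x}, signature={result[1][:2]!r}")
```

Checking the PE signature through e_lfanew rather than just looking for "MZ" avoids false positives: with 256 candidate keys, two arbitrary leading bytes will match "MZ" for exactly one key, whereas the chained header check is very unlikely to succeed by accident.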
RoKRAT Functionality and C2 Exfiltration
RoKRAT, the final dropped malware, gathers detailed system information, takes real-time screenshots, scans removable drives, and executes commands received from the attackers’ control server. Data is bundled, obfuscated with a hardcoded value, and then encrypted via AES (with the AES key further encrypted by RSA for extra security).
Example Data Encryption Flow:
uint32_t fixed_val = 0xFADEADBA;           // hardcoded constant used during obfuscation
xor_obfuscate(collected_data, random_key);  // layer 1: XOR obfuscation of the bundled data
aes_cbc_encrypt(collected_data, aes_key);   // layer 2: AES-CBC encryption of the bundle
rsa_encrypt(aes_key, rsa_pubkey);           // layer 3: the AES key is wrapped with the attackers' RSA public key
For command-and-control (C2), RoKRAT uses legitimate cloud storage APIs as communication channels—a technique called “Living off Trusted Sites” (LoTS).
Common cloud providers abused include Dropbox, pCloud, and Yandex Disk. Exfiltration and command reception happen over authenticated API calls with stolen or fake credentials.
Sample Dropbox API Usage:
- Upload: https://content.dropboxapi.com/2/files/upload
- Download: https://content.dropboxapi.com/2/files/download
- Delete: https://api.dropboxapi.com/2/files/delete
GSC analysts discovered active access tokens linked to Russian Yandex email accounts, used to authorize Dropbox API calls and mask attacker identities.
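Since the C2 traffic goes to a service many organizations legitimately use, the useful signal is not the destination but who is calling it and in what pattern. The block below is an added example (not code from the article or from GSC) that runs over constructed, process-enriched proxy log lines and reports Dropbox API usage by a process other than the sanctioned client, or a full upload/download/delete cycle from one endpoint. The log format, the allow-list of processes, and the sample traffic are assumptions for illustration; the three endpoints are the ones listed above.

```python
from collections import defaultdict

# Dropbox API endpoints listed above, mapped to the operation they perform.
DROPBOX_API = {
    "https://content.dropboxapi.com/2/files/upload": "upload",
    "https://content.dropboxapi.com/2/files/download": "download",
    "https://api.dropboxapi.com/2/files/delete": "delete",
}

# Assumption: only the sanctioned desktop client is expected to talk to the
# Dropbox API directly. Populate this from your own software inventory.
ALLOWED_PROCESSES = {"dropbox.exe"}

# Constructed, process-enriched proxy log lines (not real traffic):
# timestamp client_ip process method url bytes_sent
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.20.30.41 powershell.exe POST https://content.dropboxapi.com/2/files/upload 184320
2025-03-12T09:14:09Z 10.20.30.41 powershell.exe POST https://content.dropboxapi.com/2/files/download 2048
2025-03-12T09:15:30Z 10.20.30.41 powershell.exe POST https://api.dropboxapi.com/2/files/delete 310
2025-03-12T09:16:00Z 10.20.30.77 dropbox.exe POST https://content.dropboxapi.com/2/files/upload 52000
2025-03-12T09:17:45Z 10.20.30.41 chrome.exe GET https://www.example.com/ 900
"""


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, ip, proc, method, url, sent = parts
        yield {"ts": ts, "ip": ip, "process": proc.lower(), "method": method,
               "url": url, "bytes_sent": int(sent)}


def analyze(text: str) -> list:
    """Group Dropbox API calls by (client, process) and report the groups that
    warrant review: an unexpected process, or a full upload/download/delete
    cycle that resembles a dead-drop style command exchange."""
    groups = defaultdict(lambda: {"ops": set(), "bytes_sent": 0, "first_seen": None})
    for rec in parse_log(text):
        op = DROPBOX_API.get(rec["url"])
        if op is None:
            continue  # not one of the API endpoints we track
        g = groups[(rec["ip"], rec["process"])]
        g["ops"].add(op)
        if op == "upload":
            g["bytes_sent"] += rec["bytes_sent"]
        g["first_seen"] = g["first_seen"] or rec["ts"]

    findings = []
    for (ip, proc), g in groups.items():
        reasons = []
        if proc not in ALLOWED_PROCESSES:
            reasons.append("unexpected_process")
        if {"upload", "download", "delete"} <= g["ops"]:
            reasons.append("full_cycle")
        if reasons:
            findings.append({"ip": ip, "process": proc, "ops": g["ops"],
                             "bytes_uploaded": g["bytes_sent"],
                             "first_seen": g["first_seen"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The sanctioned dropbox.exe upload produces no finding, while the powershell.exe session is reported for both reasons. Where the proxy cannot attribute requests to a process, the same grouping can be keyed on the bearer token or account seen in the Authorization header, which is also how the Yandex-linked tokens mentioned above would surface.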
Advanced Threats Demand Proactive Detection
This campaign underlines a growing trend: APTs like APT37 leveraging social engineering, fileless malware delivery, and trusted third-party services to bypass conventional defenses. Security teams must prioritize:
- Endpoint Detection and Response (EDR): For real-time process monitoring and behavioral analysis, especially on PowerShell and LNK execution.
- Threat Intelligence Integration: Mapping observed malware functions to frameworks like MITRE ATT&CK for faster triage.
- User Awareness: Training to recognize phishing lures, especially those carrying compressed archives with shortcut files.
As attackers increasingly “live off the cloud,” defenders must boost monitoring of legitimate cloud application usage and augment controls around cloud authentication and access tokens.
For high-risk organizations, proactive threat hunting and EDR solutions capable of dissecting PowerShell command lines, process trees, and cloud API behaviors are now vital to maintaining operational security.