
Deceptively named 국가정보연구회 소식지(52호).pdf.LNK, the shortcut leverages embedded PowerShell scripts to orchestrate a multi-stage, mostly fileless infection chain.
By extracting payloads from specific binary offsets within the LNK, the attacker avoids dropping conventional executables to disk and instead executes reflective DLL injection in memory. This approach leaves minimal forensic evidence and bypasses many endpoint defenses.
Deception in Plain Sight
Victims receive an archive containing the authentic PDF and the malicious LNK. When the LNK is opened, it invokes PowerShell rather than a PDF viewer.
The script reads hidden binary chunks at hardcoded offsets, extracting the decoy PDF, a loader binary, a command script, and the final payload.
These components are written to the user’s temporary directory and staged for execution. A batch script triggers the loader, which decrypts the XOR-encoded DLL payload with a single-byte key (0x35) and performs in-memory reflective injection.
This process not only conceals the true nature of the file but also exploits the ubiquity of PDFs in legitimate workflows to lure high-value targets, including academic researchers, former government officials, and policy analysts associated with South Korean intelligence bodies.
C2 Communications and Weaponized Commands
Once resident in memory, the implant fingerprints the host by gathering architecture flags, computer and user names, and BIOS details, and by checking for virtualization artifacts such as VMware Tools.
It then abuses popular cloud storage APIs—including Dropbox, pCloud, and Yandex.Disk—to establish covert command-and-control channels over HTTPS. By masquerading as legitimate cloud traffic, the malware evades network filters and blends with regular enterprise communications.

The implant’s concise command set supports retrieving and executing shellcode, downloading additional executables, enumerating and exfiltrating document files under specified extensions, capturing screenshots, and executing arbitrary system commands.
Exfiltration routines scan the Temp directory, package discovered files into browser-style HTTP POST requests with WebKit multipart boundaries, spoof MIME types as PDFs, and delete local traces upon successful upload.

Download-and-cleanup beacons mimic benign browser GET requests followed by server-side deletion of payload stubs to minimize evidence.
Stealth and Strategic Impact
Operation HanKook Phantom’s strategic selection of a trusted internal newsletter targets both technical and policy-oriented personnel, broadening the espionage vantage points.
The campaign spans South Korea, Japan, Vietnam, Russia, India, and other nations in the Asia-Pacific region, reflecting APT-37’s long-standing focus on regional intelligence gathering.
By combining spear-phishing, fileless PowerShell execution, reflective DLL injection, and cloud-based C2, the attackers achieve exceptional stealth.
Defenders must enhance detection of anomalous LNK executions, enforce strict policies on shortcut file handling, and closely monitor outbound cloud storage traffic for irregular patterns.
Proactive behavioral analysis and thorough inspection of attachment types are crucial to intercept these potential threats before they can materialize into full compromise.
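As an added triage helper (not code from the article or from the campaign's tooling), the script below applies the two checks a defender would want for the chain described above: flagging .lnk files whose bytes carry PowerShell invocation strings or oversized trailing data, and test-decoding data at a known offset with the single-byte XOR key 0x35 to confirm that a PE image emerges. The size threshold and the marker list are assumptions, and the sample LNK is constructed inline.

```python
import struct
from typing import Optional

LNK_MAGIC = b"\x4c\x00\x00\x00"                                # HeaderSize field = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46} little-endian
PS_MARKERS = (b"powershell", b"-enc", b"-w hidden", b"frombase64string")  # assumed marker list
SIZE_LIMIT = 64 * 1024  # assumption: a benign shortcut rarely exceeds a few KB

def xor_decode(data: bytes, key: int = 0x35) -> bytes:
    """Single-byte XOR decode; 0x35 is the key the article reports for the DLL payload."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_lnk(blob: bytes) -> dict:
    """Heuristic findings for the raw bytes of one .lnk file."""
    is_lnk = blob[:4] == LNK_MAGIC and blob[4:20] == LNK_CLSID
    lowered = blob.lower()  # ASCII-only lowercasing also works on UTF-16LE strings
    hits = [m.decode() for m in PS_MARKERS
            if m in lowered or m.decode().encode("utf-16-le") in lowered]
    return {"is_lnk": is_lnk, "powershell_markers": hits,
            "oversized": len(blob) > SIZE_LIMIT,
            "suspicious": is_lnk and bool(hits)}

def carve_xor_pe(blob: bytes, offset: int, key: int = 0x35) -> Optional[bytes]:
    """Decode data from a known offset and return it only if it is a PE image."""
    candidate = xor_decode(blob[offset:], key)
    return candidate if looks_like_pe(candidate) else None

def build_sample() -> tuple:
    """Constructed sample: LNK-like header, hidden PowerShell command, XOR-encoded stub PE."""
    stub_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
    head = LNK_MAGIC + LNK_CLSID + b"\x00" * 56
    cmd = "powershell -w hidden -enc AAAA".encode("utf-16-le")
    prefix = head + cmd
    return prefix + xor_decode(stub_pe), len(prefix)  # payload offset is where the prefix ends

if __name__ == "__main__":
    blob, offset = build_sample()
    print(triage_lnk(blob))
    print("PE recovered at offset", offset, ":", carve_xor_pe(blob, offset) is not None)
```

Run it against real shortcuts by reading the file bytes into `triage_lnk`; for offset carving, take the offsets from the PowerShell command line the shortcut invokes.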
IOCs:
| MD5 | File Name |
|---|---|
| 1aec7b1227060a987d5cb6f17782e76e | aio02.dat |
| 591b2aaf1732c8a656b5c602875cbdd9 | aio03.bat |
| d035135e190fb6121faa7630e4a45eed | aio01.dat |
| cc1522fb2121cf4ae57278921a5965da | *.Zip |
| 2dc20d55d248e8a99afbe5edaae5d2fc | tony31.dat |
| f34fa3d0329642615c17061e252c6afe | tony32.dat |
| 051517b5b685116c2f4f1e6b535eb4cb | tony33.bat |
The post From PDF to Pwned – How Malicious LNK Files Turn Documents into Attack Vectors appeared first on Cyber Security News.