Fake Korean TV Writer Identities Used to Lure Victims Into Malware Attacks
The campaign uses clever social engineering to distribute malicious Hangul Word Processor (HWP) files disguised as legitimate documents to compromise South Korean targets.
The attackers posed as writers for major Korean television programs and contacted potential victims, typically journalists, academic researchers, and political experts, offering casting or interview opportunities.
After a few trust‑building exchanges, they sent fake interview questionnaires or event guide documents in HWP format.
These weaponized files contained malicious OLE objects that launched legitimate Microsoft Sysinternals utilities.
The malware used DLL side‑loading: a malicious DLL was placed alongside a legitimate executable, which loaded it on startup and so triggered the further stages of the attack.
This method allowed the payload to run inside a trusted process, bypassing traditional antivirus signature checks.
The embedded OLE objects dropped legitimate‑looking executables such as Volumeid1.exe and vhelp.exe, which silently loaded the malicious DLL from the same directory.
Once active, the DLL decrypted hidden shellcode using multiple layers of XOR encryption to execute RoKRAT, a long‑standing espionage tool used by APT37 for command‑and‑control (C2) operations, data theft, and system surveillance.
Genians showed that all HWP samples referenced the username “Artemis” in their file metadata. The malicious DLLs contained consistent PDB strings, confirming continuous reuse of development resources across campaigns.
The final payload was connected to Russia‑based Yandex Cloud for C2 communication, an approach aligned with APT37’s ongoing strategy of abusing legitimate cloud services such as Dropbox, OneDrive, and pCloud to hide traffic within regular internet activity.
Two Yandex tokens registered under the accounts “philp.Stwart” and “Tanessha.Samuel”, found reused across operations, matched a pCloud account previously linked to APT37’s “ToyBox Story” operation.
This cross‑infrastructure overlap confirms that the same actor manages cloud assets to coordinate payload delivery and data exfiltration while evading geographic tracking.
Experts warn that this hybrid of social engineering, steganographic concealment, and layered encryption shows APT37’s continued technical maturity.
The group is systematically enhancing its stealth capabilities by combining trusted execution paths with adaptive obfuscation.
Security analysts recommend real‑time EDR monitoring to detect DLL side‑loading behavior, child-process creation from hwp.exe, and abnormal cloud-service connections outside regular business patterns.
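The three behaviours the article singles out for EDR monitoring (a document viewer spawning an executable, a DLL loaded from the same user-writable directory as its host executable, and cloud-storage connections from unexpected processes or at unusual hours) can each be expressed as a simple telemetry rule. The following is an added example written for this page; it is not code from the article, from Genians or from any EDR product. The sample events, file paths, hostnames, the DLL name `version.dll`, the list of cloud-storage domain suffixes and the business-hours window are all constructed assumptions for illustration, not indicators from the campaign.

```python
"""Defender-side heuristics for DLL side-loading chains launched from a document
viewer, run over constructed sample telemetry (added example, not the article's code)."""
import ntpath
from typing import Dict, List, Optional

# Constructed sample events, loosely modelled on Sysmon-style process-create,
# image-load and network-connect records. Paths, hostnames and the DLL name
# "version.dll" are illustrative assumptions, not indicators from the article.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 4120, "parent": r"C:\Program Files\Hnc\Office\HWP.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\Volumeid1.exe"},
    {"type": "imageload", "pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\Volumeid1.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\version.dll"},
    {"type": "network", "pid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\Volumeid1.exe",
     "dest_host": "cloud-api.yandex.net", "hour": 3},
    {"type": "process", "pid": 3900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Hnc\Office\HWP.exe"},
    {"type": "imageload", "pid": 3900, "image": r"C:\Program Files\Hnc\Office\HWP.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "network", "pid": 5000, "image": r"C:\Program Files\Dropbox\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "hour": 11},
]

# Tunable assumptions for the rules below.
DOCUMENT_VIEWERS = {"hwp.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
CLOUD_STORAGE_SUFFIXES = ("yandex.net", "yandex.ru", "dropboxapi.com", "dropbox.com",
                          "pcloud.com", "live.com")
KNOWN_CLOUD_CLIENTS = {"dropbox.exe", "onedrive.exe"}
BUSINESS_HOURS = range(8, 20)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def is_cloud_storage_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def rule_viewer_spawns_executable(ev: Dict) -> Optional[Dict]:
    """A document viewer such as hwp.exe should not be launching .exe files."""
    if ev["type"] != "process":
        return None
    if basename(ev["parent"]) in DOCUMENT_VIEWERS and basename(ev["image"]).endswith(".exe"):
        return {"rule": "viewer_spawn", "pid": ev["pid"],
                "detail": f"{basename(ev['parent'])} spawned {ev['image']}"}
    return None


def rule_dll_sideload(ev: Dict) -> Optional[Dict]:
    """A DLL loaded from the host executable's own directory, where that directory
    is user-writable, is the classic side-loading shape described in the article."""
    if ev["type"] != "imageload" or not ev["loaded"].lower().endswith(".dll"):
        return None
    if dirname(ev["loaded"]) == dirname(ev["image"]) and is_user_writable(ev["image"]):
        return {"rule": "dll_sideload", "pid": ev["pid"],
                "detail": f"{ev['image']} loaded {ev['loaded']} from its own directory"}
    return None


def rule_cloud_connection(ev: Dict) -> Optional[Dict]:
    """Cloud-storage traffic is only expected from known sync clients in business hours."""
    if ev["type"] != "network" or not is_cloud_storage_host(ev["dest_host"]):
        return None
    if basename(ev["image"]) in KNOWN_CLOUD_CLIENTS and ev["hour"] in BUSINESS_HOURS:
        return None
    return {"rule": "cloud_c2", "pid": ev["pid"],
            "detail": f"{ev['image']} -> {ev['dest_host']} at hour {ev['hour']}"}


RULES = (rule_viewer_spawns_executable, rule_dll_sideload, rule_cloud_connection)


def run_rules(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event and collect the alerts."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


def correlate(alerts: List[Dict]) -> Dict[int, List[str]]:
    """Group alerts by pid; a process tripping two or more distinct rules is a chain."""
    by_pid: Dict[int, List[str]] = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], []).append(a["rule"])
    return {pid: rules for pid, rules in by_pid.items() if len(set(rules)) >= 2}


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} {alert['detail']}")
    print("chains:", correlate(run_rules(SAMPLE_EVENTS)))
```

On the constructed events only the Temp-resident `Volumeid1.exe` chain fires all three rules, while HWP.exe's own start-up and the Dropbox client's daytime traffic stay quiet. In a real deployment the three rules map onto process-create, image-load and network-connect telemetry from Sysmon or an EDR sensor, and the correlation step is what turns individually noisy signals into a high-confidence detection.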
With the Artemis campaign, APT37 once again demonstrates how nation‑state groups exploit legitimate technologies and human trust to maintain persistent access to South Korean institutions.
The post Fake Korean TV Writer Identities Used to Lure Victims Into Malware Attacks appeared first on Cyber Security News.