The RoKRAT family typically uses 3 cloud-based API services and tokens.
Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)
◈ Executive Summary
Disguised the content as an academic forum invitation from a South Korean national security think tank to attract attention
Lured targets by referencing an actual event titled “Trump 2.0 Era: Prospects and South Korea’s Response”
Delivered malicious LNK files via the Dropbox cloud platform
APT37 used Dropbox as a C2 server, following earlier use of pCloud and Yandex
EDR-based anomaly hunting is required to improve detection of fileless threats
Overview
○ In March 2025, the APT37 threat actor launched a spear phishing campaign targeting several activists focused on North Korea. The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file. When extracted and executed, the LNK file activated additional malware containing the keyword “toy.”
Indicator of Compromise
MD5
C2
89.147.101[.]65
89.147.101[.]71
37.120.210[.]2
E-Mail
https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story