ROKRAT
RokRAT is a custom remote access trojan/backdoor consistently associated with the North Korea-linked threat group APT37, also known as ScarCruft and RedEyes. It has been used in espionage campaigns including Operation ToyBox Story and other spearphishing operations targeting South Korean activists, media, academics, and North Korea-focused experts. Delivery methods directly mentioned in the content include spearphishing emails with malicious Hangul Office or Microsoft Word documents, Dropbox download links leading to weaponized ZIP/LNK files, and oversized Windows shortcut files that launch multi-stage infection chains. Reported chains open decoy PDF, HWP, or HWPX documents while dropping staged files such as BAT and DAT components, decrypting shellcode, and executing RokRAT entirely in memory as a fileless payload; one report also notes injection into cmd.exe and another describes injection into the PowerShell process.
The malware is described as a fully featured backdoor for surveillance and data theft. Capabilities directly mentioned include collecting the username, computer name, Windows version, system architecture, hardware model, system manufacturer, screenshots, files, clipboard contents, browser credentials from SQLite databases, user credentials, and machine fingerprinting data. Additional collection noted in the content includes operating system version, running processes, USB usage information, file listings for numerous document and media extensions, cookies and saved passwords from Chrome, Firefox, Internet Explorer, Edge, Opera, and Naver Whale, as well as data from Outlook, Thunderbird, Wi-Fi, WinSCP, and FileZilla. RokRAT can execute arbitrary commands, download secondary payloads or additional malware, and send collected files and data back over its command-and-control channel.
RokRAT has repeatedly abused legitimate cloud and social platforms for command and control and exfiltration, including Dropbox, pCloud, Yandex Cloud, MediaFire, Twitter, and OneDrive-related infrastructure. In the March 2025 Operation ToyBox Story reporting, RokRAT authenticated to Dropbox using hardcoded access tokens and used Dropbox API functions such as /files/list_folder, /files/download, /files/upload, and /files/delete via api.dropboxapi[.]com and content.dropboxapi[.]com. Other analyses observed communication attempts to api.pcloud.com, pcloud.com, cloud-api.yandex.net, api.dropbox.com, and content.dropboxapi.com, sometimes using a Googlebot-like User-Agent and bearer-token authorization headers. The malware has also been reported to encrypt stolen data before exfiltration, with one report noting the hardcoded marker 0xFADEADBA appended to encrypted packets.
Technical behaviors described in the content include staged DLL loading, API hashing, PEB walking for dynamic API resolution, resource unpacking, JPEG steganography to conceal later-stage payloads, registry-based infection checks using HKCU\SOFTWARE\DefaultEdit\Installed, anti-VM and anti-debugging logic, temporary file creation, and fileless in-memory execution. Reported indicators include the malicious LNK hkais_1e9ce53a18e24ebc01b539ba7ba6bedd.lnk; dropped files toy03.bat, toy02.dat, and toy01.dat; registry key HKCU\SOFTWARE\DefaultEdit\Installed; network endpoints api.dropboxapi[.]com, content.dropboxapi[.]com, api.pcloud.com, pcloud.com, cloud-api.yandex.net, and api.dropbox.com; campaign-associated IPs 89.147.101[.]65, 89.147.101[.]71, and 37.120.210[.]2; and sample hashes including MD5 81c08366ea7fc0f933f368b120104384 and 723f80d1843315717bc56e9e58e89be5, plus SHA-256 7d514021c472e6e17f587ed30555d3f120653e6c7f8dc25d2331514b92ffd7bc, 3fa06c290c477c133ca58512c7852fc998632721f2dc3a0984f18fbe86451e18, and 7537f0e9da88e5dced70328cb0110ef8e9a60eaed10bd4a4d863501caef9d643.
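The indicators above (cloud API hosts, Dropbox file API paths, the Googlebot-like User-Agent, the dropped toy0x files, the HKCU\SOFTWARE\DefaultEdit\Installed key, and the 0xFADEADBA packet marker) can be turned into host and network triage checks. The following Python is an added example, not code from any of the cited reports or from Mallory; the proxy-log line format, the registry and temp-directory snapshots and all sample records are constructed here, and the bearer tokens are placeholders. The byte order of the 0xFADEADBA marker is not stated in the reporting, so the check accepts both encodings.

```python
"""Triage helpers for the RokRAT indicators summarised above.

Added example, not code from any cited report or from Mallory. The proxy-log
format, the registry/file snapshots and every sample record below are
constructed for illustration; indicator values are the ones the page lists.
"""
import re
import struct

# Cloud API hosts the page associates with RokRAT C2 and exfiltration.
C2_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com", "api.dropbox.com",
    "api.pcloud.com", "pcloud.com", "cloud-api.yandex.net",
}
# Dropbox API functions named in the Operation ToyBox Story reporting.
DROPBOX_API_PATHS = {"/files/list_folder", "/files/download",
                     "/files/upload", "/files/delete"}
DROPPED_FILES = {"toy01.dat", "toy02.dat", "toy03.bat"}
INFECTION_MARKER_KEY = r"HKCU\SOFTWARE\DefaultEdit\Installed"
PACKET_MARKER = 0xFADEADBA   # reported appended to encrypted packets

# Constructed log format (assumption, not any vendor's schema):
#   <src_ip> <method> <host> <path> ua="<user-agent>" auth="<authorization>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) '
    r'ua="(?P<ua>[^"]*)" auth="(?P<auth>[^"]*)"$')


def classify_proxy_line(line):
    """Return None if the line does not touch a listed host, else a dict of
    signals. 'suspicious' is True only when the host match is backed by a
    second signal (Googlebot-like UA from a workstation, or one of the
    Dropbox file API paths); a bearer token alone is recorded but not
    enough, because legitimate clients send one too."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host = m["host"].lower()
    if host not in C2_HOSTS:
        return None
    signals = {
        "src": m["src"],
        "host": host,
        "dropbox_api_path": m["path"].split("?")[0] in DROPBOX_API_PATHS,
        "googlebot_ua": "googlebot" in m["ua"].lower(),
        "bearer_token": m["auth"].lower().startswith("bearer "),
    }
    signals["suspicious"] = signals["dropbox_api_path"] or signals["googlebot_ua"]
    return signals


def registry_marker_present(key_paths):
    """key_paths: iterable of registry key paths from a host snapshot."""
    wanted = INFECTION_MARKER_KEY.lower()
    return any(k.lower() == wanted for k in key_paths)


def dropped_files_present(file_paths):
    """Return the page's dropped file names found (by basename) in a
    listing of the user's temp directory, sorted."""
    names = {p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in file_paths}
    return sorted(names & DROPPED_FILES)


def packet_has_marker(packet):
    """True if the packet ends with the 0xFADEADBA marker. Byte order is
    not given in the reporting (assumption), so both encodings are accepted."""
    if len(packet) < 4:
        return False
    return packet[-4:] in (struct.pack("<I", PACKET_MARKER),
                           struct.pack(">I", PACKET_MARKER))


# Constructed sample telemetry; tokens are placeholders, not real values.
SAMPLE_PROXY_LOGS = [
    '10.0.0.5 POST api.dropboxapi.com /files/list_folder '
    'ua="Mozilla/5.0 (compatible; Googlebot/2.1)" auth="Bearer TOKEN-PLACEHOLDER"',
    '10.0.0.5 GET api.pcloud.com /listfolder?path=/ '
    'ua="Mozilla/5.0 (compatible; Googlebot/2.1)" auth="Bearer TOKEN-PLACEHOLDER"',
    '10.0.0.7 GET www.example.com /index.html '
    'ua="Mozilla/5.0 (Windows NT 10.0)" auth=""',
    '10.0.0.9 POST api.dropboxapi.com /2/users/get_current_account '
    'ua="DesktopSyncClient/1.0" auth="Bearer TOKEN-PLACEHOLDER"',
]
SAMPLE_REGISTRY = [r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                   r"HKCU\SOFTWARE\DefaultEdit\Installed"]
SAMPLE_TEMP_LISTING = [r"C:\Users\u\AppData\Local\Temp\toy03.bat",
                       r"C:\Users\u\AppData\Local\Temp\toy01.dat",
                       r"C:\Users\u\AppData\Local\Temp\report.pdf"]


def triage(proxy_lines, registry_keys, temp_listing):
    """Combine the checks into one host-level verdict."""
    hits = [s for s in map(classify_proxy_line, proxy_lines) if s and s["suspicious"]]
    return {
        "suspicious_requests": len(hits),
        "sources": sorted({h["src"] for h in hits}),
        "registry_marker": registry_marker_present(registry_keys),
        "dropped_files": dropped_files_present(temp_listing),
    }
```

Run `triage(SAMPLE_PROXY_LOGS, SAMPLE_REGISTRY, SAMPLE_TEMP_LISTING)` to get the combined verdict for the constructed host. The fourth log line is deliberately a plain bearer-token call to api.dropboxapi.com without a second signal, and is not flagged; in a real deployment the host match would instead be enriched with process ancestry (the reporting describes injection into cmd.exe and PowerShell) before alerting.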
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Once the vulnerability was exploited, a multi-stage malware chain was deployed, culminating in the execution of a variant of RokRAT, a known malicious tool used by TA-RedAnt.
The group leveraged a previously unknown vulnerability (CVE-2024-38178) in IE’s legacy Chakra engine (jscript9.dll). Delivered via seemingly innocuous toast ads—pop-up windows displayed in free software—the attack exploited the vulnerability to execute remote commands.
Vulnerability Exploited: CVE-2022-41128 (Internet Explorer Vulnerability); Malware and Tools: RokRAT
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The campaign is known as Operation ToyBox Story, the malware is called RokRAT ... Their signature tool, RokRAT, is a highly sophisticated RAT (Remote Access Trojan).
Once the vulnerability was exploited, a multi-stage malware chain was deployed, culminating in the execution of a variant of RokRAT, a known malicious tool used by TA-RedAnt.
ASEC confirmed that the RedEyes threat group (also known as APT37, ScarCruft) has also recently distributed the RokRAT malware through LNK files. RokRAT is malware that is capable of collecting user credentials and downloading additional malware.
Techniques & procedures
39 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
RokRAT logs into a legitimate Dropbox account using an embedded access token (a hardcoded, pre-saved password string).
Execution (6 techniques)
Arbitrary Execution: Executes any command sent down by its handlers
Hidden Files Dropped — toy03.bat, toy02.dat, toy01.dat placed in %Temp%
The called function actually resolves an API called ‘RtlMoveMemory’... This API is a native API so it may bypass some API hooks... Also interesting to note that the malware resolves another native winAPI ‘RtlFillMemory’ to corrupt the PE header of the file located in the dump.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (12 techniques)
rule Scarcruft_Reverse_BS64_Loader ... $require_base64 ... $bs64_decode64 = {4261736536342e6465636f64653634} ... $reverse = {2e72657665727365}
We can see from the magic bytes that the resource is in fact a ‘jpeg’ file (Exif). The resource also makes up over 98% of the file size, which tells me that this is no ordinary jpeg and is probably using steganography to mask the next payload.
We see these hashed APIs passed as a parameter to a function that accesses the PEB which may indicate a dynamic API resolution technique known as ‘PEB Walking’. This technique is used to avoid static signatures for risky APIs and to make analysis more difficult for analysts.
We identified our next payload and what appears to be the main functionality of this sample, the dll is a dropper which holds an embedded second stage payload.
This sample was once again pulled from MalwareBazaar and is a Dynamic Link Library (DLL)... we have one export called ‘WNetGetConnectionW’. This particular function... does appear to be part of a legitimate dll known as ‘mpr.dll’.
Taking a look at this function we see straight away that the malware is moving the PEB (fs: [30]) into the EAX register. This is likely how the author identifies the address of the hashed APIs, by walking the PEB.
/files/delete — Deletes the files afterward to clean up its operational track.
The execution loader applies a simple XOR decryption to toy01.dat and spawns a thread to run the resulting shellcode. This shellcode in turn XOR-decrypts an embedded Portable Executable (PE) and launches RokRAT entirely in-memory.
The majority of these strings are referenced in the function ‘FUN_100011c0’... This is the anti-analysis/anti-vm technique the sample uses.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (8 techniques)
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Machine Fingerprinting: Collects the computer name, active username, Windows OS version, system architecture, and hardware model.
2) File list: doc mdb xls ppt txt amr 3gp csv vcf hwp pdf eml msg m4a rtf url key der
Collection (4 techniques)
Command and Control (3 techniques)
This creates a connection to the url... hxxps[:]//api[.]pcloud[.]com/listfolder?path=/ ... A GET request is then sent to the following using the API ‘WinHttpOpenRequest’: api[.]pcloud[.]com/listfolder?path=/
RokRAT logs into a legitimate Dropbox account using an embedded access token ... From there, it speaks Dropbox’s own standard API language to execute commands
the sample appears to locate the embedded resource in the file, format a string, use the formatted string as a parameter to create a file and then write data to that file so this is likely going to be the unpacking technique used here — we can see in the above image that the string ‘version1.0.tmp’ is also passed in above the call to CreateFileW so that is likely going to be our second stage file.
The JPEG was using steganography to mask the dll embedded within which was our next stage.
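The analyst's observation above, that a JPEG resource with an Exif header accounted for over 98% of the DLL's size, generalises into a cheap triage heuristic: scan a non-image file for embedded JPEG data and measure how much of the file it occupies. The Python below is an added example, not the analyst's tooling or any project's code. It scans raw bytes rather than parsing the PE resource directory (an assumption that keeps the example dependency-free), the sample blobs are constructed, not real RokRAT artifacts, and the 0.9 threshold is an assumption chosen to catch the reported 98% case with some margin.

```python
"""Embedded-JPEG size heuristic for stego-carrier triage (added example).

Scans a file as raw bytes for JPEG start-of-image markers, notes whether the
first segment is an Exif APP1 block, measures how much of the file each JPEG
occupies, and flags files dominated by one. Sample blobs are constructed.
"""

SOI = b"\xff\xd8\xff"   # JPEG start-of-image followed by the first marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image
SUSPECT_FRACTION = 0.9  # assumption: share of file size that is suspicious


def find_embedded_jpegs(data):
    """Yield (offset, length, has_exif) for each JPEG found in data.
    Length runs to the next EOI marker, or to end of file if there is none."""
    pos = 0
    while True:
        soi = data.find(SOI, pos)
        if soi < 0:
            return
        # APP1 marker (0xE1) right after SOI, with the Exif identifier.
        has_exif = (data[soi + 3:soi + 4] == b"\xe1"
                    and data[soi + 6:soi + 10] == b"Exif")
        eoi = data.find(EOI, soi + 4)
        end = eoi + 2 if eoi >= 0 else len(data)
        yield soi, end - soi, has_exif
        pos = end


def largest_jpeg_fraction(data):
    """Return (fraction_of_file, has_exif) for the largest embedded JPEG,
    or (0.0, False) when the file contains none."""
    best = max(find_embedded_jpegs(data), key=lambda t: t[1], default=None)
    if best is None or not data:
        return 0.0, False
    return best[1] / len(data), best[2]


def looks_like_stego_carrier(data, threshold=SUSPECT_FRACTION):
    """Triage verdict: an Exif JPEG that dominates a file that is not itself
    an image (the file starts with something else, e.g. an MZ header)."""
    if data[:3] == SOI:
        return False
    fraction, has_exif = largest_jpeg_fraction(data)
    return has_exif and fraction >= threshold


def build_sample(stub_size, payload_size):
    """Constructed DLL-like blob: an MZ stub followed by a JPEG whose APP1
    segment carries an Exif header and a filler payload of the given size."""
    stub = b"MZ" + bytes(stub_size - 2)
    jpeg = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00" + b"\x41" * payload_size + EOI
    return stub + jpeg


SUSPECT_BLOB = build_sample(200, 10000)   # image is about 98% of the file
BENIGN_BLOB = build_sample(20000, 100)    # small image inside a large file
```

`looks_like_stego_carrier(SUSPECT_BLOB)` returns True and `looks_like_stego_carrier(BENIGN_BLOB)` returns False. The check is a triage aid, not proof of steganography: a resource-only DLL that legitimately ships one large image will trip it, so the result belongs alongside the other indicators on this page (the version1.0.tmp drop, the registry marker, the cloud API traffic) rather than on its own.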
IOCs tracked for this family
122 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
129 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A North Korean espionage RAT used by APT37/ScarCruft that executes entirely in memory, uses Dropbox API as command-and-control, collects system information, captures screenshots, executes arbitrary commands, downloads secondary payloads, and exfiltrates encrypted stolen data.
Previously used remote access trojan associated with ScarCruft/APT37, mentioned here as the malware family being replaced by NarwhalRAT in this campaign.
A malware family exclusively attributed to APT37/ScarCruft, mentioned as the prior malware family from which NarwhalRAT represents a departure.
A first-stage Windows backdoor delivered via a trojanized sqgame update package. It is fetched from a compromised South Korean website and used to install the BirdCall backdoor on victim systems.