In the ever-evolving world of cybersecurity threats, state-sponsored hackers continue to innovate in their methods to evade detection. Recently, on August 4, 2025, reports emerged about APT37, a North Korea-linked hacking group also known as Reaper or ScarCruft, deploying a sophisticated variant of their RoKRAT remote access trojan (RAT). What’s particularly alarming is their use of ordinary JPEG image files to carry the payload, which is then injected into legitimate Windows processes like mspaint.exe. In this post, I’ll break down the details of this attack, explain how it works, why images like JPEGs are well suited to hiding malware, and touch on how you can safely test your defenses (for example, a Palo Alto firewall) without risking real harm.
The News: A Fileless Attack Hidden in Plain Sight
APT37 has been active for years, often targeting South Korean entities, activists, and organizations involved in North Korea-related issues for espionage purposes. This latest campaign, detailed by cybersecurity firms like Genians Security Center and outlets such as Cybersecurity News and GBHackers, showcases their shift toward fileless techniques. The malware arrives via phishing emails containing a ZIP archive (e.g., “National Intelligence and Counterintelligence Manuscript.zip”) with a malicious Windows shortcut (.LNK) file inside.
Once opened, the attack unfolds in memory, minimizing disk footprints to dodge traditional antivirus scans. The payload? A RAT called RoKRAT, which steals sensitive data like documents, screenshots, keystrokes, and system information, exfiltrating it via legitimate cloud services like Dropbox or Yandex.
This isn’t just another phishing scam—it’s a masterclass in evasion, blending steganography (hiding data in images) with process injection into trusted apps.
How the Attack Works: A Step-by-Step Breakdown
The attack chain is multi-stage and designed to look benign at every turn. Here’s how it typically plays out:
- Phishing Delivery: Victims receive a ZIP file with an oversized .LNK shortcut (over 50MB). This file embeds a decoy document (to fool the user into thinking it’s legitimate), encrypted shellcode, PowerShell scripts, and batch files.
- Initial Execution: Opening the .LNK triggers a batch script (e.g., ttf03.bat), which launches PowerShell. PowerShell decodes the embedded blobs with single-byte XOR (each byte is XORed against one fixed key; 0x33 and 0xAE are the keys reported), revealing 32-bit shellcode.
- JPEG as the Malware Carrier: The core payload is hidden in a JPEG file (e.g., “Father.jpg”), often fetched from cloud storage during the attack. The file starts with a valid JPEG/Exif header, so it opens and displays normally, while the shellcode sits at a fixed offset (0x4201 is reported). The loader reads it from there, applies two further XOR passes (keys 0xAA and 0x29), and maps the result straight into memory; nothing is written to disk.
- Process Injection: The shellcode is injected into a legitimate 32-bit process such as mspaint.exe (Microsoft Paint) or notepad.exe, launched from the SysWOW64 folder to match the 32-bit shellcode. Ordinary Windows APIs do the work: VirtualAlloc reserves memory, the decoded blocks (e.g., 892,928 bytes) are written into it, and one more XOR pass (key 0xD6) unpacks the full RoKRAT module. Running inside a trusted application, the malware looks like normal system activity.
- Espionage Payload: RoKRAT then collects data and talks to its command-and-control (C2) infrastructure through cloud APIs at api.dropboxapi.com and cloud-api.yandex.net, authenticating with access tokens embedded in the sample (the tokens recovered by researchers have since been revoked). Because the traffic goes to popular, legitimate services, it blends in with normal cloud usage and is hard to single out.
The result? Stealthy persistence for data theft, all without leaving obvious traces.
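The decoding chain in the steps above, worked through in code. This is an added example, not code from the page, from the Genians report or from the malware itself: the carrier is a constructed byte string with a JPEG-like prefix rather than a real image, the “module” is a harmless byte string that merely starts with a PE-style MZ prefix (an assumption I use to demonstrate known-plaintext key recovery), and only the offset 0x4201 and the keys 0xAA, 0x29 and 0xD6 come from the reporting. Two things fall out that the prose alone does not show: successive single-byte XOR passes collapse to a single key (0xAA ^ 0x29 = 0x83), and a single-byte XOR layer is broken with two bytes of known plaintext.

```python
"""Layered single-byte XOR unpacking of a payload stored at a fixed offset
inside an image carrier, plus recovery of an unknown key from known plaintext.
Everything here is constructed: the carrier is not a real JPEG and the
'module' is a harmless byte string, not RoKRAT."""
from functools import reduce

# Offset and keys as reported for the campaign; everything else is made up.
OFFSET = 0x4201
IMAGE_KEYS = (0xAA, 0x29)   # two XOR passes over the bytes read from the JPEG
MODULE_KEY = 0xD6           # final pass that exposes the injected module

# Constructed stand-in for the unpacked module. It only mimics a PE's 'MZ'
# prefix so that known-plaintext recovery has something to aim at.
FAKE_MODULE = b"MZ" + bytes(62) + b"PE\x00\x00" + b"constructed stand-in, not malware"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte against one single-byte key."""
    return bytes(b ^ key for b in data)


def collapse_keys(keys) -> int:
    """Successive single-byte XOR passes equal one pass with the XOR of the keys."""
    return reduce(lambda a, b: a ^ b, keys, 0)


def build_carrier() -> bytes:
    """Constructed carrier: a JPEG-like prefix, deterministic filler up to OFFSET,
    then the module wrapped first in MODULE_KEY and then in both IMAGE_KEYS."""
    prefix = b"\xff\xd8\xff\xe1"            # SOI + APP1 marker, as a real JPEG starts
    filler = bytes((i * 7 + 3) & 0xFF for i in range(OFFSET - len(prefix)))
    stage = xor_bytes(FAKE_MODULE, MODULE_KEY)   # what the shellcode stage carries
    for k in IMAGE_KEYS:
        stage = xor_bytes(stage, k)
    return prefix + filler + stage


def extract_layered(blob: bytes, offset: int, length: int, keys) -> bytes:
    """Read `length` bytes at `offset` and undo each XOR pass in turn."""
    chunk = blob[offset:offset + length]
    for k in keys:
        chunk = xor_bytes(chunk, k)
    return chunk


def recover_single_byte_key(encrypted: bytes, known_prefix: bytes):
    """Known-plaintext attack on single-byte XOR: the first byte fixes the key,
    the remaining prefix bytes confirm it. Returns None if no key fits."""
    if not encrypted or not known_prefix:
        return None
    key = encrypted[0] ^ known_prefix[0]
    if xor_bytes(encrypted[:len(known_prefix)], key) == known_prefix:
        return key
    return None


def unpack_module(carrier: bytes, length: int) -> bytes:
    """Full chain: the two image-layer passes, then the module-layer pass."""
    stage = extract_layered(carrier, OFFSET, length, IMAGE_KEYS)
    return xor_bytes(stage, MODULE_KEY)


if __name__ == "__main__":
    carrier = build_carrier()
    module = unpack_module(carrier, len(FAKE_MODULE))
    print(module[:2], module == FAKE_MODULE)
    stage = extract_layered(carrier, OFFSET, len(FAKE_MODULE), IMAGE_KEYS)
    print(hex(recover_single_byte_key(stage, b"MZ")), hex(collapse_keys(IMAGE_KEYS)))
```

The practical lesson for analysts: when a loader applies several single-byte XOR passes, you do not need to replay them one by one; XOR the keys together and decode once, and if the keys are unknown, two bytes of expected plaintext (an MZ header, a known string) are enough to recover each layer.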
Why JPEG Files Can Embed Malware: The Power of Steganography
You might wonder: How can a simple image file carry executable code? It boils down to the flexibility of the JPEG format and a technique called steganography.
- JPEG Structure: A JPEG is a sequence of marker segments, not a bare pixel array: headers, metadata (Exif tags in an APP1 segment, free-form COM comments) and then the compressed image data, terminated by the end-of-image marker (FFD9 in hex). Viewers stop at FFD9, so anything appended after it is simply ignored, and APPn/COM segments are length-prefixed blobs a viewer skips over, so they can carry arbitrary bytes as well. The image still opens fine, but a script that knows the offset or segment can pull the hidden payload back out.
- Steganography Basics: Classic steganography alters the least significant bits of pixel values or tucks data into metadata and comments; the change is invisible to the eye. Attackers usually encrypt or XOR the payload first so that the embedded bytes carry no recognizable signature. Image files are everywhere in email and downloads, so they attract little suspicion, and most endpoint scanners do not parse image segments looking for embedded code.
- Why It Works for Evasion: Signature-based antivirus is tuned for executables; XOR-encoded bytes inside a JPEG match nothing, and because the decoded code runs only in memory, no executable ever lands on disk for a scanner to examine. APT groups have used image carriers for years; APT37’s twist is pairing it with an oversized .LNK loader and injection into mspaint.exe.
In short, any file format that allows “extra” data can be weaponized, but images are especially sneaky because they’re trusted and visual.
Testing Your Defenses: Can Your Firewall Catch This?
If you’re in IT security or just curious, you might want to test tools like Palo Alto Networks firewalls against similar threats. Remember: never handle real malware. Instead, create a benign proof-of-concept (PoC) using the EICAR test string, a harmless text string that antivirus vendors agree to detect: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Steps for a Safe Test JPEG:
- Tools Needed: Free options like ExifTool (for metadata), Steghide (for steganography), or a hex editor like HxD.
- Simple Embedding with ExifTool:
  - Run: exiftool -Comment='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' test.jpg
  - Use single quotes (in bash and in PowerShell alike): the string contains $EICAR and $H, which a double-quoted argument would expand as variables and silently corrupt the test string.
  - This writes the EICAR string into the JPEG’s comment (COM) segment; the image data is untouched.
- Steganography with Steghide:
  - Create payload.txt containing the EICAR string.
  - Run: steghide embed -cf test.jpg -ef payload.txt -p 'testpass'
  - The image looks normal, but the payload now lives in the compressed image data (Steghide modifies DCT coefficients), not in the metadata, so a metadata-only check will not find it.
- Test with Palo Alto:
  - In an isolated VM, upload and download the file through your firewall.
  - Check the Threat and WildFire Submissions logs, or submit the file to WildFire (Palo Alto’s cloud sandbox) directly. What you learn is whether the file was forwarded for analysis and whether the embedded string was extracted and recognized; an inert JPEG is not an exploit, so a benign verdict says little about how a real payload would fare.
  - Sandboxing matters because a bare image does nothing on its own: in the real attack it is the .LNK, the batch file and the PowerShell stage that fetch the image, decode it and inject the result. Test that whole delivery path in the sandbox, not only the image.
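The structure described in the JPEG Structure section and the ExifTool comment step above, combined in one added example (not code from the page, from ExifTool, Steghide or Palo Alto). It builds a constructed JPEG skeleton: a structurally valid marker sequence with an Exif stub, a comment (COM) segment carrying whatever test string you pass in, a dummy scan, and an optional trailer after FFD9, but no real image data, so viewers will not render it. The walker then does what a triage script on the defender’s side would: it parses the segments, honours byte stuffing inside the scan, and reports the comment payload and any bytes hiding after the end-of-image marker. The placeholder string, the file name and the 256-byte comment threshold are my choices; substitute the EICAR string from the page to produce a file your scanner should recognize.

```python
"""Constructed JPEG skeleton plus a marker-level walker that reports the comment
segment and any bytes trailing the EOI marker. The skeleton is structurally
valid but carries no real image data. Added example, not code from the page
or from any vendor."""
import struct

SOI, EOI, SOS, COM, APP1 = 0xD8, 0xD9, 0xDA, 0xFE, 0xE1


def _segment(marker: int, payload: bytes) -> bytes:
    """Marker, big-endian length (which counts its own two bytes), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_test_jpeg(comment: bytes, trailer: bytes = b"") -> bytes:
    """SOI, a minimal APP1 Exif block (TIFF header, empty IFD), a COM segment
    carrying `comment`, a tiny SOS with dummy entropy-coded data, EOI, and any
    `trailer` appended after EOI (the 'append after FFD9' trick)."""
    exif = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00"
    scan_header = b"\x01\x01\x00\x00\x3f\x00"       # one component, Ss/Se/AhAl
    entropy = b"\x12\x34\xff\x00\x56\x78"           # 0xFF inside a scan is stuffed with 0x00
    return (bytes([0xFF, SOI]) + _segment(APP1, exif) + _segment(COM, comment)
            + _segment(SOS, scan_header) + entropy + bytes([0xFF, EOI]) + trailer)


def walk_jpeg(data: bytes):
    """Return ([(name, offset, size)], trailing_bytes). Walks marker segments,
    skips entropy-coded data after SOS (honouring FF00 stuffing and RSTn markers)
    and stops at EOI; whatever follows EOI is returned separately."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    segments = [("SOI", 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            segments.append(("EOI", pos, 2))
            pos += 2
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((f"0x{marker:02X}", pos, 2 + length))
        pos += 2 + length
        if marker == SOS:                  # scan data has no length field
            start = pos
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
            segments.append(("scan", start, pos - start))
    return segments, data[pos:]


def comment_text(data: bytes) -> bytes:
    """Payload of the first COM segment, or b'' if there is none."""
    for name, off, size in walk_jpeg(data)[0]:
        if name == "0xFE":
            return data[off + 4:off + size]
    return b""


def find_anomalies(data: bytes, max_comment: int = 256) -> list:
    """What a triage script should flag: bytes after EOI, and a COM segment
    longer than `max_comment` (threshold is my choice, not a standard)."""
    segments, trailing = walk_jpeg(data)
    flags = []
    if trailing:
        flags.append(f"{len(trailing)} bytes after EOI")
    for name, off, size in segments:
        if name == "0xFE" and size - 4 > max_comment:
            flags.append(f"COM segment of {size - 4} bytes at {off:#x}")
    return flags


if __name__ == "__main__":
    # Constructed placeholder; put the EICAR string here for a real scanner test.
    img = build_test_jpeg(b"TEST-PAYLOAD-NOT-MALWARE" * 20, trailer=b"hidden-after-eoi")
    with open("stego-test.jpg", "wb") as fh:
        fh.write(img)
    print(find_anomalies(img))
```

Note what this catches and what it does not: data appended after FFD9 and oversized comments are visible at the marker level, but a Steghide payload in the DCT coefficients, or shellcode placed at a fixed offset inside the scan data as in the campaign above, looks like ordinary compressed image bytes to this walker. For those, the decoding stage (the .LNK and PowerShell chain) is the detection point, not the image.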
For real-world indicators of compromise (IOCs), see the published reports for sample hashes (e.g., a2ee8d2aa9f79551eb5dd8f9610ad557) and the C2 endpoints api.dropboxapi.com and cloud-api.yandex.net. Treat the domains with care: they are legitimate cloud API endpoints that the malware abuses, so blocking them outright will break real users. The useful hunt is for unexpected processes, such as mspaint.exe or notepad.exe, making connections to them. Always test ethically and in a lab setup.