North Korean APT37 Delivers New VeilShell RAT in Southeast Asia Attack

North Korea-linked threat actors have been observed deploying a newly discovered backdoor and remote access trojan (RAT) called VeilShell, targeting Cambodia and likely other Southeast Asian nations.

This activity, labeled SHROUDED#SLEEP by Securonix, is attributed to APT37, a group also tracked as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft. Active since at least 2012, APT37 is believed to operate under North Korea's Ministry of State Security (MSS). Like other North Korean state-sponsored groups such as Lazarus Group and Kimsuky, APT37 adapts its tactics to serve evolving state interests.

One of the key malware tools in APT37's arsenal is RokRAT (aka Goldbackdoor), but the group is also known for developing custom tools to conduct covert intelligence-gathering operations.

It is not yet clear how the first-stage payload, a ZIP archive containing a Windows shortcut (LNK) file, reaches its targets, but spear-phishing is the suspected delivery method.

According to researchers Den Iuzvyk and Tim Peck, “The [VeilShell] backdoor trojan grants attackers full access to the compromised machine. Its capabilities include data exfiltration, registry manipulation, and the creation or modification of scheduled tasks.”

The LNK file runs PowerShell code that decodes and extracts several components, including an innocent-looking Microsoft Excel or PDF decoy document. At the same time, a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") are quietly written to the Windows startup folder.

Stealthy Cyber Attacks

In addition to the malicious files, a legitimate executable named "dfsvc.exe," part of the ClickOnce deployment technology in the Microsoft .NET Framework, is copied to the startup folder under the name "d.exe."

What sets this attack apart is its use of AppDomainManager injection, an uncommon technique that causes DomainManager.dll to execute when "d.exe" is launched at system startup. Because "d.exe" is a .NET host, the runtime reads the adjacent "d.exe.config" and loads whatever AppDomainManager assembly it names before the program's own code runs, so the signed, legitimate binary ends up executing the attacker's DLL. The same method was recently employed by the China-aligned Earth Baxia actor, a sign of its growing popularity among threat actors as an alternative to DLL side-loading.

Once it runs, the DLL acts as a loader, retrieving JavaScript from a remote server; that JavaScript in turn contacts a second server to download the VeilShell backdoor.
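The persistence pattern described above (a renamed .NET host executable, a sibling ".exe.config" that points the runtime at a custom AppDomainManager, and the DLL that config names, all sitting in a Startup folder) is something a defender can hunt for directly. The script below is an added example, not Securonix's tooling or code from the report: it parses each "*.exe.config" in a directory for the .NET Framework runtime elements appDomainManagerAssembly and appDomainManagerType, then checks whether the host executable and the named DLL are present beside it. The sample files it creates are constructed placeholders for illustration, not real indicators from the campaign; on a live host you would point scan_startup_dir at the user and all-users Startup folders instead.

```python
"""Hunt for AppDomainManager-injection persistence in a Startup-style folder.

Added example (not the report's or Securonix's code). Flags the artifact
combination described in the article: <name>.exe.config redirecting the .NET
runtime's AppDomainManager, with the host .exe and the named DLL alongside it.
All sample files created below are constructed, not real IoCs.
"""
import os
import tempfile
import xml.etree.ElementTree as ET


def parse_appdomainmanager(config_text: str):
    """Return {'assembly': ..., 'type': ...} when the .exe.config redirects the
    .NET runtime's AppDomainManager, otherwise None. appDomainManagerAssembly and
    appDomainManagerType are the documented runtime settings this technique abuses."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None  # not XML at all; nothing for the runtime to honour
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value", "") if asm is not None else "",
        "type": typ.get("value", "") if typ is not None else "",
    }


def scan_startup_dir(path: str):
    """Return one finding per <x>.exe.config in `path` that sets an AppDomainManager.
    Each finding records whether the host .exe and the named DLL sit beside it,
    which is the full pattern described for SHROUDED#SLEEP."""
    findings = []
    names = {n.lower(): n for n in os.listdir(path)}  # case-insensitive like NTFS
    for lower, real in names.items():
        if not lower.endswith(".exe.config"):
            continue
        with open(os.path.join(path, real), encoding="utf-8", errors="replace") as fh:
            redirect = parse_appdomainmanager(fh.read())
        if redirect is None:
            continue
        exe_name = lower[: -len(".config")]
        # appDomainManagerAssembly holds a display name ("Name, Version=..., ...");
        # the simple name before the first comma is the DLL the runtime will load.
        simple_name = redirect["assembly"].split(",")[0].strip().lower()
        dll_present = bool(simple_name) and f"{simple_name}.dll" in names
        findings.append({
            "config": real,
            "host_exe_present": exe_name in names,
            "assembly": redirect["assembly"],
            "type": redirect["type"],
            "dll_present": dll_present,
        })
    return findings


def build_sample_dir() -> str:
    """Create a temporary 'Startup' folder with constructed files: one benign
    config (only a supportedRuntime element) and one shaped like the technique.
    File and type names here are placeholders chosen for the example."""
    d = tempfile.mkdtemp(prefix="startup_sample_")
    benign = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>"""
    suspicious = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="DomainManager.Loader"/>
  </runtime>
</configuration>"""
    for name, body in {"updater.exe.config": benign, "d.exe.config": suspicious}.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    for binary in ("updater.exe", "d.exe", "DomainManager.dll"):
        open(os.path.join(d, binary), "wb").close()  # empty stand-ins for the binaries
    return d


if __name__ == "__main__":
    for hit in scan_startup_dir(build_sample_dir()):
        print(hit)
```

A benign ".exe.config" rarely has a reason to set an AppDomainManager, so any hit from a Startup folder deserves a look; the host_exe_present and dll_present flags separate a stray config from the complete, runnable persistence chain.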

VeilShell, written in PowerShell, connects to a command-and-control (C2) server to receive instructions. Its features include the ability to collect information about files, compress folders into ZIP archives, upload them to the C2 server, download files, rename or delete files, and extract ZIP archives.

“The attackers were patient and methodical throughout,” the researchers noted. “Each phase of the attack included long sleep intervals to evade traditional detection methods. Once VeilShell is deployed, it remains dormant until the next system reboot.”

The SHROUDED#SLEEP campaign showcases a highly sophisticated operation targeting Southeast Asia, utilizing multiple layers of execution, persistence mechanisms, and the versatile VeilShell backdoor for long-term control over compromised systems.

This report from Securonix closely follows Symantec’s revelation of another North Korean group, Andariel, which targeted three U.S. organizations in August 2024 in a financially motivated campaign.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067