#apt37 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #apt37, aggregated by home.social.

  1. Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

    A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

    Pulse ID: 6a04a9a090a64de310cb0568
    Pulse Link: otx.alienvault.com/pulse/6a04a
    Pulse Author: AlienVault
    Created: 2026-05-13 16:41:04

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

  2. Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

    APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.

    Pulse ID: 69de00eccc0fa8439b871c56
    Pulse Link: otx.alienvault.com/pulse/69de0
    Pulse Author: AlienVault
    Created: 2026-04-14 08:55:08

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #APT37 #CyberSecurity #Encryption #Facebook #ICS #InfoSec #Japan #Korea #Malware #Military #NorthKorea #OTX #OpenThreatExchange #PDF #RAT #Rust #ShellCode #SocialEngineering #Telegram #bot #AlienVault