The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Reaper Uses New TTPs to Drop RokRAT

May 15, 2023 2:27:27 PM / by The Hivemind

REAPERRelated Families: CloudMensis, RambleOn

Executive Summary

Reaper was recently observed using new TTPs to drop RokRAT. The infection chain leveraged LNK files delivered via the energy sector and politically themed phishing emails.

Key Takeaways

  • Reaper was recently observed using new TTPs to drop RokRAT. 
  • The infection chain used LNK files to deliver RokRAT.
  • In the campaign, Reaper used cloud storage services for C2. 

What is RokRAT

Check Point reported on RokRAT, a malware family used by Reaper to target entities in South Korea. RokRAT, also known as DogCall, has been in the wild since at least 2017. There is also a Mac variant of RokRAT, known as CloudMensis, and an Android variant, known as RambleOn.

RokRAT is used for credential theft, data exfiltration, capturing screenshots, gathering system information, executing commands and shellcode, and managing files and directories. Reaper often uses cloud storage services for C2.

While RokRAT has not changed much over the years, the TTPs used to deliver it have evolved. Since at least January 2022, Reaper has been using oversized LNK files to deliver RokRAT. These LNK archives are used to initiate a multistage infection chain to bypass macro blocking.

In recently analyzed samples, the LNK file was enveloped in a ZIP archive, along with three benign files, and delivered via a phishing email with an energy sector or politically themed lure. The LNK masquerades as a PDF document. When the LNK is opened, a decoy document is presented to the victim, and a PowerShell is executed. The PowerShell extracts a BAT script from the LNK, then drops it to disk and executes it. The BAT script, in turn, executes another PowerShell, which downloads a payload from the C2. The payload is reflectively injected into the PowerShell and runs as a new thread. The shellcode then decodes the RokRAT part of the payload and executes it.

Who is Reaper?

Reaper, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Ricochet Chollima, is a North Korea nexus threat actor group. Reaper has been active since at least 2012 and typically targets entities in South Korea. However, the group has also been known to target entities in Japan, Vietnam, the Middle East, and elsewhere. Targeted verticals include chemical, electronics, manufacturing, aerospace, automotive, and healthcare. Reaper TTPs include Windows UAC bypass, C2 over HTTPS, SoundWave, Zumkong, a MBR wiper, RiceCurry, Flash exploits, steganography, Freenki, RokRAT, Bluelight, CoralDeck, Final1stspy, HappyWork, Karae, NavRAT, PoorAim, ShutterSpeed, SlowDrift, and WineRack.


PolySwarm has multiple samples associated with this activity.










You can use the following CLI command to search for all RokRAT samples in our portal:

$ polyswarm link list -f RokRAT


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports


Topics: Threat Bulletin, RokRAT, Reaper, Ricochet Chollima, LNK

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts