✅ Report Title: ScarCruft’s ROKRAT Malware: Recent Changes
✅ Executive Summary:
- Recently, ScarCruft has been employing a new attack method to distribute ROKRAT using an HWP OLE-based Dropper/Loader structure, deviating from their traditional LNK-based attack chain.
- All three cases mentioned in the report share the same signature characteristics identified in previous ScarCruft campaigns, such as ROR13-based API resolving, XOR-based payload decryption, and the abuse of legitimate cloud services (pCloud, Yandex) for C2 communication.
- While the Droppers and Downloaders exhibit functional differences—such as file dropping, environment checks, and memory loading—they all ultimately share the common goal of executing ROKRAT directly in memory.
📌 What is ROKRAT malware?
- ROKRAT, a malware utilized by the North Korean-backed APT group ScarCruft, was first discovered in 2017 and has been continuously distributed up to the present day.
- ScarCruft has historically utilized an attack chain that drops BAT scripts and shellcode via LNK files to execute ROKRAT, and S2W has been tracking these primary malware types by naming them DROKLINK and DROKBAT, respectively.
- However, unlike these existing attack vectors, recent cases have confirmed that ROKRAT is being distributed by embedding Droppers and Loaders within OLE objects of Hangul (HWP) documents, and evidence suggests that ScarCruft has developed and utilized new malware for this purpose.
📌 What are the New Distribution Methods of ROKRAT Malware?
- Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed Dropper and Downloader malware to deliver shellcode and the ROKRAT payload.
1. Case 1
- The malware utilizes the filename mpr.dll. While its distribution path was not initially identified, subsequent disclosures confirmed that it was embedded as an OLE object within an HWP document and executed via DLL side-loading into a legitimate application.
- In the first case, the Dropper drops a payload included in its resource area as a file, while the Loader checks the analysis environment and infection status before executing the shellcode in memory.
2. Case 2
- This malware was also confirmed to have been distributed via an OLE object in an HWP document; as a Downloader-type malware, it downloads and executes an additional payload through a URL hardcoded within the file.
- Notably, given the malicious DLL filename (credui.dll), it is highly likely that it was executed via DLL side-loading using a legitimate program such as ShellRunas.exe.
- In the second case, the Downloader distributes ROKRAT by downloading shellcode hidden via steganography from an attacker-controlled Dropbox link.
3. Case 3
- The execution and distribution method for the version.dll file has not been definitively identified; however, based on the malware's PDB path and publicly available information, it is highly probable that it was included as an OLE object within a malicious Hangul (HWP) document and executed via side-loading into a legitimate program.
- In the third case, the Dropper and Loader restore the internal payload using a 1-byte XOR key and execute ROKRAT directly in memory.
📌 Common Technical Characteristics
- All three cases exhibit common patterns, such as ROR13-based API Resolving and the use of a 0x29 XOR key for ROKRAT decryption.
- Furthermore, ROKRAT—a signature info-stealer of the ScarCruft group—demonstrates its typical characteristic of abusing legitimate cloud services as C2 servers in these instances as well.
📌 Relationship to the ScarCruft Group
- The API hashing algorithm (based on ROR13) and the XOR key used during the shellcode stage, along with the pCloud and Yandex API token strings utilized within ROKRAT, are identical to those found in previous ScarCruft attack campaigns.
- Consequently, this attack can be identified as a recent attack vector from the ScarCruft group, confirming it as an evolved form based on their existing Tactics, Techniques, and Procedures (TTPs).
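The report names two shared, low-level traits across the three cases: ROR13-based API hashing in the shellcode stage and a single-byte XOR key (0x29) for the ROKRAT payload. The Python below is an added illustration, not code from S2W or from the report, of how an analyst turns those two traits into triage helpers: a ROR13 hash table used to label hashes recovered from a sample, and a brute force that scores every possible single-byte XOR key by whether the decoded output looks like a PE file. The exact ROR13 variant (rotate-then-add over the ASCII export name only, with no module name mixed in), the scoring heuristics, and the constructed sample blob are assumptions; the page does not describe the samples' precise hashing routine or payload layout.

```python
"""Analyst helpers for two traits attributed to the samples in the report:
ROR13 API-name hashing and single-byte XOR payload decoding (added example)."""

from typing import Dict, Iterable, List, Optional, Tuple


def ror13_hash(name: str) -> int:
    """Assumed classic ROR13 variant: for each byte, rotate the running
    32-bit hash right by 13 and add the byte (module name not included)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hashes for a list of export names so recovered
    constants can be mapped back to readable API names."""
    return {ror13_hash(n): n for n in api_names}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Label each hash; None means the constant is not in the table."""
    return [table.get(h) for h in hashes]


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_pe(blob: bytes) -> int:
    """Heuristic 0..3: MZ magic, DOS stub text, and a PE signature at e_lfanew."""
    score = 0
    if blob[:2] == b"MZ":
        score += 1
    if b"This program" in blob:
        score += 1
    if len(blob) >= 0x40:
        e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            score += 1
    return score


def brute_force_xor_key(blob: bytes) -> Tuple[int, int]:
    """Try all 256 single-byte keys; return (best_key, best_score)."""
    best = (0, -1)
    for key in range(256):
        s = score_pe(xor_decode(blob, key))
        if s > best[1]:
            best = (key, s)
    return best


def constructed_sample() -> bytes:
    """Constructed test blob (not a real sample): a minimal fake PE header
    encoded with the 0x29 key the report attributes to the samples."""
    stub = bytearray(b"MZ") + bytearray(0x3A)          # pad to offset 0x3C
    stub += (0x80).to_bytes(4, "little")               # e_lfanew = 0x80
    stub += b"This program cannot be run in DOS mode.\r\n$"
    stub += bytes(0x80 - len(stub))                    # pad to e_lfanew
    stub += b"PE\x00\x00"
    return xor_decode(bytes(stub), 0x29)


if __name__ == "__main__":
    table = build_hash_table(["LoadLibraryA", "GetProcAddress", "VirtualAlloc"])
    print(resolve_hashes([0xEC0E4E8E], table))         # ['LoadLibraryA']
    print(brute_force_xor_key(constructed_sample()))   # (41, 3) i.e. key 0x29
```

In practice the hash table is built from the export lists of the DLLs the shellcode is expected to touch, and the brute force is run over candidate blobs (for example the resource section the first-case Dropper writes out, or the XOR-protected payload in the third case) before any decoded output is handed to a sandbox.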
✅ Recommended Threat Detection and Mitigation Actions:
- The Droppers and Loaders identified in recent attacks are being distributed as OLE objects embedded within Hangul (HWP) documents; therefore, extreme caution is required when opening HWP files received via phishing emails.
- In particular, since opening documents that contain OLE objects can lead to arbitrary code execution, it is recommended to refrain from opening documents from unclear sources and to strengthen detection of abnormal OLE objects embedded in HWP files.
🧑💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.