APT Group 123 Delivering Malicious Payloads while Attacking Windows Systems
“Windows has once again come into the spotlight due to a malicious payload attack done by an APT group, which is sponsored by North Korea.”
APT Group 123, a state-sponsored threat actor from North Korea, has stepped up its cyber espionage efforts, focusing on Windows systems across industries around the world.
The group has been active since at least 2012 and is also tracked as APT37, Reaper, and ScarCruft. Historically it has targeted South Korea, but in recent years it has expanded to Japan, Vietnam, the Middle East, and other regions.
Its most sophisticated attacks go after sensitive data held by critical sectors such as government, aerospace, manufacturing, and high technology.
The threat actor’s primary infection vector is highly targeted spear-phishing email carrying malicious attachments that exploit vulnerabilities in widely used word processors, Microsoft Office in particular.
The group also relies on drive-by downloads and watering-hole attacks, strategically compromising websites so that visitors are infected through vulnerabilities in their web browsers and plugins.
These varied methods show how adaptable APT Group 123 is at gaining initial access to target networks.
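The spear-phishing vector described above leaves one reliable trace on the endpoint: an Office process spawning a command interpreter or a living-off-the-land binary, which a legitimately opened document almost never does. The following detection logic is an added example, not code from the article or from Cyfirma. It runs over constructed records shaped like Sysmon Event ID 1 (process creation); the field names follow Sysmon, the paths and command lines are made up, and the severity weights in `HIGH_RISK_ARGS` are an illustrative choice.

```python
"""Flag Office applications spawning script hosts or LOLBins.

Added example, not from the article. Events are constructed to resemble
Sysmon Event ID 1 records; only the field names are real.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Office applications that have no legitimate reason to launch an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and living-off-the-land binaries a malicious document typically
# launches right after exploiting or abusing the Office process.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}

# Command-line fragments that raise a hit to high severity (illustrative choice).
HIGH_RISK_ARGS = ("-enc", "-encodedcommand", "http://", "https://", "downloadstring")


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str   # Sysmon ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


def classify(ev: ProcessCreate) -> str | None:
    """Return 'high' or 'medium' for an Office-to-interpreter spawn, else None."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    cmd = ev.command_line.lower()
    return "high" if any(tok in cmd for tok in HIGH_RISK_ARGS) else "medium"


def find_office_child_alerts(events: list[ProcessCreate]) -> list[tuple[str, ProcessCreate]]:
    """Run the classifier over a batch of events and keep only the hits, in order."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev))
    return hits


# Constructed sample: a benign Office child, a benign shell, and two attacks.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessCreate(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -nop -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoA"),
    ProcessCreate(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                  r"C:\Windows\System32\mshta.exe",
                  r"mshta.exe C:\Users\bob\AppData\Local\Temp\invoice.hta"),
]

if __name__ == "__main__":
    for sev, ev in find_office_child_alerts(SAMPLE_EVENTS):
        print(f"[{sev}] {ev.parent_image} -> {ev.image}: {ev.command_line}")
```

In production the same parent/child check is usually expressed as a Sigma or EDR rule; the point here is the shape of the logic, namely matching on the basename of both images rather than on full paths, so that a relocated Office install or a 32-bit PowerShell path does not slip past.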
Researchers at Cyfirma found that the group now also carries out ransomware attacks for financial gain alongside its espionage, so the impact of its operations extends beyond information theft.
This dual motivation marks a shift in its strategy, since the financial proceeds appear to directly support its wider intelligence-gathering mission.
Organizations in at least thirteen countries have been affected by the group’s ongoing activity, with an emphasis on those holding strategic information or valuable intellectual property.
Recent reporting indicates that APT Group 123 continually refines its methods and quickly adds newly disclosed vulnerabilities to its toolkit.
The group maintains access to compromised systems with proprietary malware such as Freenki Loader, PoohMilk, and ROKRAT.
Once inside a network, the attackers move laterally, escalate privileges, and exfiltrate sensitive data to their command-and-control infrastructure, with major operational and security consequences for the targeted organizations.
Advanced Strategies for Defense Evasion
The defense-evasion techniques used by APT Group 123 show how sophisticated its operations are.
For command-and-control communications, the group uses encryption, HTTPS in particular, to blend malicious traffic with legitimate network activity.
This makes detection far harder for traditional security controls. To further complicate analysis and detection, its malware usually follows a multi-stage design, with the payload split across several components.
The attackers show a high degree of operational-security awareness by building checks for security and analysis tools into their malware.
When such tools are detected, the malicious code can alter its behavior to avoid triggering alerts.
APT Group 123 also commonly uses advanced techniques such as DLL sideloading, in which a legitimate Windows process is tricked into loading malicious code, DLL hollowing, and call-stack spoofing to further evade detection.
Perhaps most worrying is the group’s evolving infrastructure approach. According to Cyfirma analysts, APT Group 123 is increasingly using cloud-based platforms and compromised legitimate web servers for its command-and-control activity.
It has previously used services such as Mediafire, Yandex, and X, and new data points to a possible expansion to even more widely used services such as Google Drive.
This tactical shift poses a serious challenge to defenders, because it hides hostile network communications behind what look like ordinary traffic patterns.
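When C2 rides HTTPS to a well-known cloud service, as the two preceding passages on encrypted C2 and cloud-hosted infrastructure describe, neither the destination nor the payload gives the traffic away. What still does is timing: an implant polls on a schedule with small jitter, while a person using Google Drive or Mediafire connects in irregular bursts. The periodicity check below is an added example, not code from the article or from Cyfirma. The log lines are constructed; their format (timestamp, client IP, destination host, bytes sent) is a simplified stand-in for a proxy or firewall export, and the `min_conns` and `max_cv` thresholds are starting points to tune, not published values.

```python
"""Find periodic ("beaconing") connections in proxy logs, including to
legitimate cloud services.

Added example, not from the article. Log lines are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the article names as C2 hosting; membership is context, not a verdict.
CLOUD_C2_SUFFIXES = ("mediafire.com", "yandex.ru", "yandex.com", "x.com", "drive.google.com")


def is_cloud_service(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_C2_SUFFIXES)


def parse_line(line: str) -> tuple[datetime, str, str, int]:
    """'<ISO-8601 UTC> <src ip> <dst host> <bytes>' -> typed tuple."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst.lower(), int(nbytes)


def find_beacons(lines, min_conns: int = 5, max_cv: float = 0.2) -> list[dict]:
    """Flag (src, dst) pairs whose gaps between connections are nearly constant.

    cv = stdev / mean of the inter-connection gaps. A beacon with a few seconds
    of jitter on a minutes-long sleep scores well below 0.2; human browsing
    scores far above it.
    """
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:          # too few samples to judge rhythm
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval": round(avg, 1), "cv": round(cv, 3),
                             "cloud_service": is_cloud_service(dst)})
    return findings


# Constructed sample log.
SAMPLE_PROXY_LOG = [
    # 10.0.0.5 -> Mediafire every ~5 min with a few seconds of jitter (beacon)
    "2024-05-01T09:00:00Z 10.0.0.5 www.mediafire.com 612",
    "2024-05-01T09:05:00Z 10.0.0.5 www.mediafire.com 598",
    "2024-05-01T09:10:05Z 10.0.0.5 www.mediafire.com 601",
    "2024-05-01T09:15:00Z 10.0.0.5 www.mediafire.com 607",
    "2024-05-01T09:20:00Z 10.0.0.5 www.mediafire.com 599",
    "2024-05-01T09:25:02Z 10.0.0.5 www.mediafire.com 610",
    "2024-05-01T09:30:00Z 10.0.0.5 www.mediafire.com 603",
    "2024-05-01T09:35:01Z 10.0.0.5 www.mediafire.com 600",
    # 10.0.0.7 -> Google Drive at irregular, human times (not a beacon)
    "2024-05-01T09:00:00Z 10.0.0.7 drive.google.com 14022",
    "2024-05-01T09:00:40Z 10.0.0.7 drive.google.com 2310",
    "2024-05-01T09:15:40Z 10.0.0.7 drive.google.com 88120",
    "2024-05-01T09:15:52Z 10.0.0.7 drive.google.com 512",
    "2024-05-01T10:10:52Z 10.0.0.7 drive.google.com 7731",
    "2024-05-01T10:12:07Z 10.0.0.7 drive.google.com 1209",
    "2024-05-01T10:22:07Z 10.0.0.7 drive.google.com 30044",
    # 10.0.0.9 -> perfectly regular, but only two samples: too few to judge
    "2024-05-01T09:00:00Z 10.0.0.9 updates.example.net 300",
    "2024-05-01T09:01:00Z 10.0.0.9 updates.example.net 300",
]

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG):
        tag = " (known cloud service)" if f["cloud_service"] else ""
        print(f"{f['src']} -> {f['dst']}{tag}: {f['count']} conns, "
              f"every {f['mean_interval']}s, cv={f['cv']}")
```

Legitimate software also beacons (update checkers, telemetry agents), so a hit is a lead, not a verdict: pair it with the process that owns the socket, the destination's reputation, and whether the uploaded byte counts look like a heartbeat or like a user saving files.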
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.