Threat actors linked to North Korea have been identified using a new backdoor and remote access trojan (RAT) named VeilShell in a sophisticated cyber attack campaign targeting Southeast Asia, specifically Cambodia. Dubbed SHROUDED#SLEEP by Securonix, this operation is attributed to APT37, a group that has been active since at least 2012 and is believed to be connected to North Korea’s Ministry of State Security (MSS). APT37 is known for its adaptability and varied tactics, which are aligned with the shifting objectives of the North Korean regime. Their malware arsenal includes well-known tools like RokRAT (also referred to as Goldbackdoor), but the emergence of VeilShell signifies a new phase in their cyber operations.
The initial stage of this campaign remains somewhat unclear, but researchers suspect that the first payload is delivered through spear-phishing emails containing a ZIP archive with a Windows shortcut (LNK) file. When the LNK file is launched, it acts as a dropper, executing PowerShell code that decodes and extracts additional malicious components. This process involves the opening of a seemingly innocuous document—either a Microsoft Excel file or a PDF—that serves to distract users while malicious files, including a configuration file and a DLL, are written to the Windows startup folder. Among these files is a legitimate executable called dfsvc.exe, which is disguised as d.exe to avoid detection.
What distinguishes this attack is the use of a lesser-known technique known as AppDomainManager injection. This method allows the DomainManager.dll file to execute when d.exe is launched at startup, enhancing the malware’s ability to remain hidden from traditional security measures. The DLL file functions as a simple loader, retrieving JavaScript code from a remote server that ultimately leads to the deployment of the VeilShell backdoor. Once installed, VeilShell connects to a command-and-control (C2) server, enabling attackers to gather information about files, compress specific folders into ZIP archives for exfiltration, and perform various file management tasks.
Researchers have noted that the threat actors involved in this campaign demonstrate patience and meticulous planning. Each stage of the attack incorporates long sleep intervals, which are intended to evade traditional heuristic detection methods. This calculated approach suggests that the SHROUDED#SLEEP campaign is part of a broader strategy aimed at maintaining long-term control over compromised systems in Southeast Asia. As cybersecurity professionals continue to monitor these developments, the emergence of VeilShell underscores the ongoing sophistication of state-aligned cyber threats and the need for heightened vigilance against such persistent attacks.
