Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

North Korean Hackers Use VeilShell Backdoor

October 4, 2024
Reading Time: 2 mins read
in Alerts
North Korean Hackers Use VeilShell Backdoor

Threat actors linked to North Korea have been identified using a new backdoor and remote access trojan (RAT) named VeilShell in a sophisticated cyber attack campaign targeting Southeast Asia, specifically Cambodia. Dubbed SHROUDED#SLEEP by Securonix, this operation is attributed to APT37, a group that has been active since at least 2012 and is believed to be connected to North Korea’s Ministry of State Security (MSS). APT37 is known for its adaptability and varied tactics, which are aligned with the shifting objectives of the North Korean regime. Their malware arsenal includes well-known tools like RokRAT (also referred to as Goldbackdoor), but the emergence of VeilShell signifies a new phase in their cyber operations.

The initial stage of this campaign remains somewhat unclear, but researchers suspect that the first payload is delivered through spear-phishing emails containing a ZIP archive with a Windows shortcut (LNK) file. When the LNK file is launched, it acts as a dropper, executing PowerShell code that decodes and extracts additional malicious components. This process involves the opening of a seemingly innocuous document—either a Microsoft Excel file or a PDF—that serves to distract users while malicious files, including a configuration file and a DLL, are written to the Windows startup folder. Among these files is a legitimate executable called dfsvc.exe, which is disguised as d.exe to avoid detection.

What distinguishes this attack is the use of a lesser-known technique known as AppDomainManager injection. This method allows the DomainManager.dll file to execute when d.exe is launched at startup, enhancing the malware’s ability to remain hidden from traditional security measures. The DLL file functions as a simple loader, retrieving JavaScript code from a remote server that ultimately leads to the deployment of the VeilShell backdoor. Once installed, VeilShell connects to a command-and-control (C2) server, enabling attackers to gather information about files, compress specific folders into ZIP archives for exfiltration, and perform various file management tasks.

Researchers have noted that the threat actors involved in this campaign demonstrate patience and meticulous planning. Each stage of the attack incorporates long sleep intervals, which are intended to evade traditional heuristic detection methods. This calculated approach suggests that the SHROUDED#SLEEP campaign is part of a broader strategy aimed at maintaining long-term control over compromised systems in Southeast Asia. As cybersecurity professionals continue to monitor these developments, the emergence of VeilShell underscores the ongoing sophistication of state-aligned cyber threats and the need for heightened vigilance against such persistent attacks.

Reference:
  • North Korean Hackers Target Southeast Asia with New VeilShell Backdoor
Tags: APT37AsiaBackdoorCyber AlertsCyber Alerts 2024Cyber threatsMalwareNorth KoreaOctober 2024RATRemote Access TrojanRokRatSecuronixSHROUDED#SLEEPThreatThreat ActorsVeilShell
ADVERTISEMENT

Related Posts

PyPI Malware Steals AWS, CI/CD, macOS Data

PyPI Malware Steals AWS, CI/CD, macOS Data

June 16, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

Image Hiding in DNS TXT Records

June 16, 2025
PyPI Malware Steals AWS, CI/CD, macOS Data

IBM Backup Service Flaw Allows Elevated Access

June 16, 2025
VexTrio TDS Uses Adtech To Spread Malware

Simple Typo Breaks AI Safety Via TokenBreak

June 13, 2025
VexTrio TDS Uses Adtech To Spread Malware

VexTrio TDS Uses Adtech To Spread Malware

June 13, 2025
VexTrio TDS Uses Adtech To Spread Malware

Old Discord Links Now Lead To Malware

June 13, 2025

Latest Alerts

PyPI Malware Steals AWS, CI/CD, macOS Data

IBM Backup Service Flaw Allows Elevated Access

Image Hiding in DNS TXT Records

Old Discord Links Now Lead To Malware

VexTrio TDS Uses Adtech To Spread Malware

Simple Typo Breaks AI Safety Via TokenBreak

Subscribe to our newsletter

    Latest Incidents

    Canada WestJet Airline Contains Cyberattack

    Hackers Leak 10K VirtualMacOSX Customer Data

    Washington Post Investigates Cyberattack on Emails

    Cyberattack On Brussels Parliament Continues

    Swedish Broadcaster SVT Hit By DDoS

    Major Google Cloud Outage Disrupts Web

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial