Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

North Korean Hackers Use VeilShell Backdoor

October 4, 2024
Reading Time: 2 mins read
in Alerts
North Korean Hackers Use VeilShell Backdoor

Threat actors linked to North Korea have been identified using a new backdoor and remote access trojan (RAT) named VeilShell in a sophisticated cyber attack campaign targeting Southeast Asia, specifically Cambodia. Dubbed SHROUDED#SLEEP by Securonix, this operation is attributed to APT37, a group that has been active since at least 2012 and is believed to be connected to North Korea’s Ministry of State Security (MSS). APT37 is known for its adaptability and varied tactics, which are aligned with the shifting objectives of the North Korean regime. Their malware arsenal includes well-known tools like RokRAT (also referred to as Goldbackdoor), but the emergence of VeilShell signifies a new phase in their cyber operations.

The initial stage of this campaign remains somewhat unclear, but researchers suspect that the first payload is delivered through spear-phishing emails containing a ZIP archive with a Windows shortcut (LNK) file. When the LNK file is launched, it acts as a dropper, executing PowerShell code that decodes and extracts additional malicious components. This process involves the opening of a seemingly innocuous document—either a Microsoft Excel file or a PDF—that serves to distract users while malicious files, including a configuration file and a DLL, are written to the Windows startup folder. Among these files is a legitimate executable called dfsvc.exe, which is disguised as d.exe to avoid detection.

What distinguishes this attack is the use of a lesser-known technique known as AppDomainManager injection. This method allows the DomainManager.dll file to execute when d.exe is launched at startup, enhancing the malware’s ability to remain hidden from traditional security measures. The DLL file functions as a simple loader, retrieving JavaScript code from a remote server that ultimately leads to the deployment of the VeilShell backdoor. Once installed, VeilShell connects to a command-and-control (C2) server, enabling attackers to gather information about files, compress specific folders into ZIP archives for exfiltration, and perform various file management tasks.

Researchers have noted that the threat actors involved in this campaign demonstrate patience and meticulous planning. Each stage of the attack incorporates long sleep intervals, which are intended to evade traditional heuristic detection methods. This calculated approach suggests that the SHROUDED#SLEEP campaign is part of a broader strategy aimed at maintaining long-term control over compromised systems in Southeast Asia. As cybersecurity professionals continue to monitor these developments, the emergence of VeilShell underscores the ongoing sophistication of state-aligned cyber threats and the need for heightened vigilance against such persistent attacks.

Reference:
  • North Korean Hackers Target Southeast Asia with New VeilShell Backdoor
Tags: APT37AsiaBackdoorCyber AlertsCyber Alerts 2024Cyber threatsMalwareNorth KoreaOctober 2024RATRemote Access TrojanRokRatSecuronixSHROUDED#SLEEPThreatThreat ActorsVeilShell
ADVERTISEMENT

Related Posts

New Malware Uses Prompts To Trick AI Tools

Fake Job Offers Hide North Korean Malware

June 26, 2025
New Malware Uses Prompts To Trick AI Tools

New Malware Uses Prompts To Trick AI Tools

June 26, 2025
New Malware Uses Prompts To Trick AI Tools

New Zero Day Flaw Hits Citrix NetScaler

June 26, 2025
OneClik Malware Attacks Energy Sector Firms

Hackers Abuse Trezor Support For Phishing

June 25, 2025
OneClik Malware Attacks Energy Sector Firms

FileFix Attack Turns Explorer Into Weapon

June 25, 2025
OneClik Malware Attacks Energy Sector Firms

OneClik Malware Attacks Energy Sector Firms

June 25, 2025

Latest Alerts

Fake Job Offers Hide North Korean Malware

New Malware Uses Prompts To Trick AI Tools

New Zero Day Flaw Hits Citrix NetScaler

Hackers Abuse Trezor Support For Phishing

FileFix Attack Turns Explorer Into Weapon

OneClik Malware Attacks Energy Sector Firms

Subscribe to our newsletter

    Latest Incidents

    Resupply DeFi Protocol Hacked For $9.6M

    Cyberattack Hits South Tyrol Emergency Ops

    UK’s Glasgow City Council Hit By Cyberattack

    Columbia University Probes Major IT Outage

    Mainline Health Breach Hits 101,000 Patients

    Porto Nacional City Hall Hit by Ransomware

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial