DPRK's APT37 Targets Cambodia With Khmer, VeilShell Backdoor

Published: 23/11/2024   Category: security

It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.



The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed VeilShell. Of note is its target: most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation with which Kim Jong-Un has more complex relations: Cambodia.
While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression toward its neighbors contradict Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.
That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign, called Shrouded#Sleep, circulating against Cambodian organizations.
Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, written in Cambodia's primary language, Khmer. One lure, for instance, offers recipients access to a spreadsheet of annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.
Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.
In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.
"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."
Windows hides the .LNK file extension: the shortcut file type is registered with the NeverShowExt flag, so it stays hidden even when Explorer is configured to show extensions for known file types. In its place Windows overlays a little arrow on the bottom left corner of the file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon for another of their choosing, and use double extensions to hide the true nature of the file.
APT37 gives its shortcut files PDF and Excel icons and assigns them double extensions such as .pdf.lnk or .xls.lnk, so that only the .PDF and .XLS parts of the extension show up for users.
In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that, unlike typical shortcut files, which tend to be just a few kilobytes in size, these were anywhere from 60 to 600 kilobytes.
Contained within those kilobytes was APT37's malicious payload, which Securonix has named VeilShell.
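The three tells described above (a document extension in front of the hidden .lnk, a shortcut far larger than the few kilobytes a genuine one needs, and a borrowed icon) can be checked without ever double-clicking the file. The following is an added example, not code from the article or from Securonix: it parses the Shell Link header and StringData fields defined in MS-SHLLINK, then applies those heuristics plus a look at the shortcut's target and arguments. The 20 KB size threshold, the list of script hosts and argument tokens, and the sample lure (built inline, modelled on the income-spreadsheet lure, padded to 64 KB to stand in for an embedded payload) are all assumptions of this example, not artifacts from the campaign.

```python
import struct
from dataclasses import dataclass, field

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

DOC_EXTS = (".pdf", ".xls", ".xlsx", ".doc", ".docx", ".txt")
SIZE_THRESHOLD = 20 * 1024  # assumption: genuine shortcuts are a few KB at most
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                   "-enc", "start-sleep", "iex", "invoke-expression", "downloadstring")


@dataclass
class LnkVerdict:
    filename: str
    size: int
    target: str = ""
    arguments: str = ""
    icon_location: str = ""
    findings: list = field(default_factory=list)


def _read_string(data, off, unicode):
    """StringData field: uint16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Return (LinkFlags, StringData dict); raise ValueError if not a Shell Link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # skip LinkTargetIDList: uint16 size + items
        (id_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_size
    if flags & HAS_LINK_INFO:  # skip LinkInfo: uint32 total size, size included
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size
    strings = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            strings[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return flags, strings


def triage_lnk(filename, data):
    """Apply the lure heuristics from the article to one shortcut file."""
    flags, s = parse_lnk(data)
    v = LnkVerdict(filename, len(data), s.get("relative_path", ""),
                   s.get("arguments", ""), s.get("icon_location", ""))
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOC_EXTS):
        v.findings.append("double extension: document type before the hidden .lnk")
    if v.size > SIZE_THRESHOLD:
        v.findings.append(f"oversized shortcut: {v.size} bytes")
    if flags & HAS_ICON:
        v.findings.append(f"custom icon borrowed from {v.icon_location}")
    if v.target.lower().endswith(SCRIPT_HOSTS):
        v.findings.append(f"target is a script host: {v.target}")
    hits = [t for t in SUSPICIOUS_ARGS if t in v.arguments.lower()]
    if hits:
        v.findings.append("suspicious arguments: " + ", ".join(hits))
    return v


def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(target, args="", icon="", pad_to=0):
    """Construct a minimal Unicode .lnk as a test fixture (not a real sample)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_WORKING_DIR | IS_UNICODE
    flags |= HAS_ARGS if args else 0
    flags |= HAS_ICON if icon else 0
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\x00")
    blob = header + struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID
    blob += _string_data(target) + _string_data(r"%TEMP%")
    blob += _string_data(args) if args else b""
    blob += _string_data(icon) if icon else b""
    return blob.ljust(pad_to, b"\x00")  # trailing bytes stand in for an embedded payload


SAMPLE_LURE_NAME = "Annual_Income_USD.xls.lnk"  # constructed name, modelled on the spreadsheet lure


def build_sample_lure():
    """Constructed lure: Excel icon, hidden PowerShell with a long sleep, padded to 64 KB."""
    return build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-WindowStyle Hidden -NoProfile -Command "Start-Sleep -Seconds 6000"',
        r"%ProgramFiles%\Microsoft Office\root\Office16\EXCEL.EXE",
        pad_to=64 * 1024,
    )
```

Calling `triage_lnk(SAMPLE_LURE_NAME, build_sample_lure())` returns a verdict whose findings list the double extension, the 65,536-byte size, the borrowed Excel icon, the PowerShell target and the hidden-window, long-sleep arguments; a plain shortcut to a document produces no findings. The parser only walks as far as StringData, so the trailing bytes where a real lure carries its dropped files are measured but not interpreted; treat any oversized shortcut as something to detonate in a sandbox rather than open.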
The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanisms.
"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."
VeilShell, for instance, is a multifunctional PowerShell-based backdoor and remote-access trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, and so on.
Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique in which a legitimate .NET application is made to load an attacker-controlled assembly at startup, because the runtime lets a configuration setting name a custom AppDomainManager to instantiate before the application's own code runs.
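Because the override lives in configuration rather than in the executable, the place to look for it is the application's .exe.config and the process environment. The following is an added example, not code from the article or from Securonix: it reads the documented .NET Framework settings that select a custom AppDomainManager (the `appDomainManagerAssembly` and `appDomainManagerType` elements under `<runtime>`, and the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables). The config files and the assembly name "Updater" are constructed for the example and are not artifacts from the campaign.

```python
import xml.etree.ElementTree as ET

# Constructed .exe.config carrying an AppDomainManager override (not a real sample).
CONSTRUCTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>"""

# Constructed control: an ordinary config with no <runtime> override.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""


def appdomain_manager_from_config(config_xml):
    """Return (assembly, type) declared under <runtime>, or (None, None)."""
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return None, None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)


def appdomain_manager_from_env(env):
    """The same override can be supplied through the process environment."""
    return env.get("APPDOMAIN_MANAGER_ASM"), env.get("APPDOMAIN_MANAGER_TYPE")


def appdomain_manager_findings(config_xml, env):
    """One finding per source (config file, environment) that names a custom manager."""
    out = []
    for source, (asm, typ) in (("config", appdomain_manager_from_config(config_xml)),
                               ("environment", appdomain_manager_from_env(env))):
        if asm or typ:
            out.append(f"AppDomainManager override via {source}: assembly={asm!r} type={typ!r}")
    return out
```

Run it over the .exe.config beside any signed .NET binary that shows up in a persistence location (`appdomain_manager_findings(open(path).read(), dict(os.environ))`); a custom manager assembly that is not shipped by the application's vendor is the thing to pull for analysis. The assembly named in the config must be resolvable from the application's base directory or the GAC, so the dropped DLL is usually sitting next to the executable.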
All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to counterbalance that. For example, it implements long sleep timers to break up the stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.
As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal [of the shortcut file] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."
It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.
