Threat actors linked to North Korea have been spotted delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and possibly other Southeast Asian countries.
Activity, duplicate COVERED#SLEEP by Securonix, is considered handiwork APT37who is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet and ScarCruft.
Active since at least 2012, the controversial outfit is believed to be part of North Korea’s Ministry of State Security (MSS). Like other North Korea-linked state groups, including the Lazarus Group and Kimsuky, they vary in their modus operandi and likely have evolving goals based on state interests.
The key malware in the toolkit is HandRAT (aka Goldbackdoor), although the group also developed special tools to facilitate covert intelligence gathering.
It is currently unknown how the first stage payload, a ZIP archive with a Windows shortcut (LNK) file, is delivered to targets. However, there are suspicions that this is probably related to the sending of phishing emails.
“The backdoor Trojan (VeilShell) allows an attacker to gain full access to a compromised machine,” researchers Dan Yuzwick and Tim Peck said in a technical the report shared with The Hacker News. “Some features include data theft, registry and creating scheduled tasks or manipulation.”
Once launched, the LNK file acts as a dropper in the sense that it triggers the execution of PowerShell code to decode and extract the next-stage components embedded within it.
This includes a harmless attractive document, a Microsoft Excel document or a PDF that opens automatically, distracting the user, while a configuration file (“d.exe.config”) and a DLL file (“DomainManager.dll”) are written in the background for the Windows startup folder.
Also copied into the same folder is a legitimate executable named “dfsvc.exe” that is related to ClickOnce technology in the Microsoft .NET Framework. The file is copied as “d.exe”.
What makes the attack chain stand out is the use of a lesser-known technique called AppDomainManager injection to execute DomainManager.dll when “d.exe” is run at startup and the binary reads the accompanying “d.exe.config” file. is in the same autoload folder.
It should be noted that this approach has also recently been used by pro-China countries The land of Baxia actor, indicating that it is slowly gaining traction among threat actors as an alternative to sideloading DLLs.
The DLL, for its part, acts as a simple loader to retrieve JavaScript code from a remote server, which in turn contacts another server to retrieve the VeilShell backdoor.
VeilShell is a PowerShell-based malware designed to communicate with the Command and Control (C2) server to await further instructions to collect file information, compress a specific folder into a ZIP archive, and upload it back to the C2 server. , download files from a specified URL, rename and delete files, and extract ZIP archives.
“In general, the threat actors were quite patient and methodical,” the researchers noted. “Each stage of the attack has a very long sleep time to avoid traditional heuristic detections. Once VeilShell is deployed, it doesn’t actually run until the next system reboot.”
“Campaign SHROUDED#SLEEP is a sophisticated and covert operation targeting Southeast Asia, using multiple levels of execution, persistence mechanisms, and a versatile PowerShell-based RAT backdoor to achieve long-term control over compromised systems.”
Securonix’s report comes a day after Broadcom-owned Symantec revealed that a North Korean threat actor tracked Andariel targeting three different organizations in the US in August 2024 as part of a financially motivated campaign.
