Malicious actors combine PDF and LNK file types in an attack aimed at exploiting Windows systems.
In late August 2025, South Korean academic and government institutions came under attack in a highly sophisticated cyber-espionage campaign. Analysts attributed the campaign to the North Korean state-backed hacker group known as Lazarus.
Posing as the "National Information Research Institute Newsletter," the attackers delivered a deceptive PDF newsletter together with a malicious Windows shortcut (LNK) file to infiltrate enterprise environments. The layered infection chain, with decoy documents, embedded payloads, and fileless techniques, shows the evolving sophistication of state-sponsored cyber-espionage campaigns.
The infection begins when a user double-clicks the deceptive LNK file, which launches PowerShell. A PowerShell one-liner embedded in the LNK file writes binary files to temporary locations and runs a batch script that decodes and executes the loader.
The LNK file carries three binary payloads at fixed offsets: a decoy PDF, a loader binary, and a final executable. The embedded loader uses a multi-stage PowerShell loader to deploy additional payloads entirely in memory, evading disk-based detection.
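The launch step described above (a shortcut opened from the desktop spawns PowerShell, which stages files in a temporary directory and hands off to a batch script) is the point where endpoint telemetry is most likely to catch the chain. The following triage script is an added example for this article, not code from the campaign or from Seqrite: it scores process-creation events for that combination of traits. The event records, field names, regexes and the alert threshold of 3 are all constructed assumptions for the example.

```python
"""Score process-creation events for the LNK-to-PowerShell launch pattern:
PowerShell spawned by the desktop shell, running hidden with the execution
policy relaxed, and referencing the temp directory and a batch script.
All events below are constructed samples, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # process that spawned the new process
    image: str          # executable path of the new process
    command_line: str   # full command line as logged


# Constructed sample events (assumed shape of a process-creation record).
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
        r'-Command "... $env:TEMP\stage.bat ..."',
    ),
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\notepad.exe",
        r"notepad.exe C:\Users\user\Desktop\report.txt",
    ),
    ProcEvent(
        r"C:\Program Files\Build\agent.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -File C:\build\deploy.ps1",
    ),
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -Command Get-Date",
    ),
]

# (label, regex over the command line). PowerShell accepts abbreviated
# switches, so the patterns allow the short forms too.
COMMAND_LINE_RULES = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:p|x\w*)\s+bypass\b", re.I)),
    ("temp directory reference",
     re.compile(r"%temp%|\$env:temp\b|\\temp\\|appdata\\local\\temp", re.I)),
    ("batch script reference", re.compile(r"\.(?:bat|cmd)\b", re.I)),
]


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; non-PowerShell images score 0."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    reasons = []
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (user opened a file)")
    for label, rx in COMMAND_LINE_RULES:
        if rx.search(ev.command_line):
            reasons.append(label)
    return len(reasons), reasons


def find_alerts(events: list[ProcEvent], threshold: int = 3) -> list[int]:
    """Indices of events at or above the threshold (3 is an assumed tuning value)."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        score, reasons = score_event(SAMPLE_EVENTS[i])
        print(f"event {i}: score {score}: {'; '.join(reasons)}")
```

Only the first constructed event trips the threshold; an administrator's unattended `-File` run and an interactive `Get-Date` score low because they lack the hidden-window, policy-bypass and temp-plus-batch combination. In production the threshold and the regexes would be tuned against the environment's own baseline of PowerShell use.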
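A shortcut that carries a PDF and two PE images is much larger than any normal .lnk and contains file signatures after the ShellLink header. The carving script below is an added example for this article, not Seqrite's tooling or a sample from the campaign: it confirms the ShellLink header, locates embedded `%PDF-` and validated `MZ`/`PE` images, and reports their offsets and lengths so each can be carved for separate analysis. The sample shortcut, the 64 KB size threshold and the payload-boundary heuristic (each payload runs to the next signature) are constructed assumptions.

```python
"""Carve payloads embedded in a Windows shortcut (.lnk). The sample shortcut
is constructed for this example and is not the file from the campaign."""
from __future__ import annotations

import struct

LNK_HEADER_SIZE = 0x4C
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SIZE_THRESHOLD = 64 * 1024  # assumed tuning value; benign shortcuts are far smaller


def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with a ShellLink header."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def looks_like_pe(data: bytes, off: int) -> bool:
    """MZ stub whose e_lfanew points at a PE signature inside the buffer."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0"


def find_embedded(data: bytes) -> list[dict]:
    """Offsets and lengths of PDF and PE images found after the header."""
    hits = []
    pos = LNK_HEADER_SIZE
    while (i := data.find(b"%PDF-", pos)) != -1:
        hits.append({"kind": "pdf", "offset": i})
        pos = i + 5
    pos = LNK_HEADER_SIZE
    while (i := data.find(b"MZ", pos)) != -1:
        if looks_like_pe(data, i):      # skip stray "MZ" bytes that are not a PE
            hits.append({"kind": "pe", "offset": i})
        pos = i + 2
    hits.sort(key=lambda h: h["offset"])
    # Heuristic: each payload runs to the next signature or the end of file.
    for n, h in enumerate(hits):
        end = hits[n + 1]["offset"] if n + 1 < len(hits) else len(data)
        h["length"] = end - h["offset"]
    return hits


def carve(data: bytes) -> list[bytes]:
    """Return the embedded payloads as separate byte strings."""
    return [data[h["offset"]:h["offset"] + h["length"]] for h in find_embedded(data)]


def triage(data: bytes) -> dict:
    """Summary a triage job would log for one file."""
    lnk = is_lnk(data)
    hits = find_embedded(data) if lnk else []
    oversized = len(data) > SIZE_THRESHOLD
    return {"is_lnk": lnk, "oversized": oversized, "embedded": hits,
            "suspicious": bool(hits) or oversized}


def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ/PE-shaped blob used only to build the constructed sample."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(stub) + b"PE\0\0" + tag + b"\0" * 64


# Constructed sample mirroring the three-payload layout: header, filler,
# decoy PDF, loader image, final executable.
SAMPLE_LNK = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + b"\0" * (LNK_HEADER_SIZE - 20) + b"\x01" * 200
              + b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"
              + _fake_pe(b"loader") + _fake_pe(b"final"))

if __name__ == "__main__":
    for h in find_embedded(SAMPLE_LNK):
        print(h)
```

The PE check validates `e_lfanew` before accepting an `MZ` match, which keeps random byte pairs inside the PDF or the shortcut's own data from producing false hits. On a real sample the reported lengths are an upper bound; the carved PE should then be trimmed using its section table.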
The batch loader executes a UTF-8-decoded script stored in , which orchestrates the XOR decryption and reflective injection of the final payload. Executing in memory lets the attackers bypass conventional endpoint protection platforms that rely on disk-based scanning.
The script checks its execution environment for VMware Tools and runs sandbox-evasion routines so that it does not execute in analysis environments. The final payload is injected directly into memory through Windows API calls, keeping execution stealthy and forensic artifacts minimal.
Seqrite analysts identified the final payload after decrypting it with a single-byte XOR key. The reflective DLL injection used in the attack leaves few forensic artifacts, which makes the attack's origin difficult to trace.
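When a payload is protected with a single-byte XOR key, an analyst can recover the key from the ciphertext alone rather than from the loader. The script below is an added example for this article, not Seqrite's code and not the campaign's actual key or payload: it derives the key two independent ways, from known plaintext (a PE image starts with `MZ` and carries the DOS-stub message) and from byte frequency (the most common byte in a padded PE image is 0x00), and accepts the result only when both agree. The sample plaintext and the key 0x5A are constructed.

```python
"""Recover a single-byte XOR key from an encrypted PE payload. The sample
payload and key are constructed for this example."""
from __future__ import annotations

from collections import Counter

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR (encryption and decryption are the same step)."""
    return bytes(b ^ key for b in data)


def key_from_known_plaintext(enc: bytes) -> int | None:
    """Key implied by 'MZ' at offset 0, confirmed by the DOS-stub string."""
    if len(enc) < 2:
        return None
    key = enc[0] ^ ord("M")
    if enc[1] ^ key != ord("Z"):
        return None
    return key if DOS_STUB_TEXT in xor_bytes(enc, key) else None


def key_from_frequency(enc: bytes) -> int:
    """Assume the most frequent plaintext byte is 0x00 (typical of PE padding)."""
    most_common, _count = Counter(enc).most_common(1)[0]
    return most_common ^ 0x00


def recover_key(enc: bytes) -> int | None:
    """Return the key only when both methods agree; None means review by hand."""
    kp = key_from_known_plaintext(enc)
    kf = key_from_frequency(enc)
    return kp if kp is not None and kp == kf else None


def _build_sample_plaintext() -> bytes:
    """Constructed MZ-shaped blob: 'MZ', DOS-stub text, then zero padding."""
    return b"MZ" + b"\x90" * 0x4C + DOS_STUB_TEXT + b".\r\n$" + b"\0" * 512


SAMPLE_KEY = 0x5A  # constructed; the campaign's real key is not given in this article
SAMPLE_PLAINTEXT = _build_sample_plaintext()
SAMPLE_ENCRYPTED = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    k = recover_key(SAMPLE_ENCRYPTED)
    print(f"recovered key: {k:#04x}" if k is not None else "methods disagree")
```

Requiring agreement between the two methods guards against the failure modes of each: the frequency method is wrong when the image has little zero padding, and the known-plaintext method fails when the blob is not a PE at all, in which case the script reports that manual review is needed instead of a wrong key.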
The decoy PDF, titled "국가정보연구회 소식지 (52호)" in Korean, is displayed to the user while the real payloads are staged. Because the ultimate payload is never written to disk, this fileless approach lets the attackers bypass signature-based defenses.
The sophistication of this threat actor, known as APT37, is evident in the complexity of the attack. The infection mechanism, the fileless techniques, and the sandbox-evasion routines demonstrate the ongoing efforts of state-sponsored hacker groups to stay one step ahead of cybersecurity defenses.