Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

    Date: 11/13/2025

    Severity: High

    Summary

    APT37, a North Korea–linked threat group, conducted a social engineering campaign masquerading as an academic forum invitation from a South Korean national security think tank. The lure referenced a real event titled “Trump 2.0 Era: Prospects and South Korea’s Response” to gain credibility. Attackers delivered malicious LNK files via Dropbox, which also served as the command-and-control (C2) channel, continuing APT37’s past pattern of leveraging pCloud and Yandex for C2 operations. The campaign highlights the need for EDR-based anomaly detection to identify and mitigate fileless attack techniques.

    Indicators of Compromise (IOC) List

    IP Address

    89.147.101.65

    89.147.101.71

    37.120.210.2

    Hash

    Emails

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("89.147.101.71","89.147.101.65","37.120.210.2") or srcipaddress IN ("89.147.101.71","89.147.101.65","37.120.210.2")

    Detection Query 2:

    md5hash IN ("2f431c4e65af9908d2182c6a093bf262","46ca088d5c052738d42bbd6231cc0ed5","7822e53536c1cf86c3e44e31e77bd088","723f80d1843315717bc56e9e58e89be5","81c08366ea7fc0f933f368b120104384","324688238c42d7190a2b50303cbc6a3c","a635bd019674b25038cd8f02e15eebd2","beeaca6a34fb05e73a6d8b7d2b8c2ee3","d5d48f044ff16ef6a4d5bde060ed5cee","d77c8449f1efc4bfb9ebff496442bbbc","7cc8ce5374ff9eacd38491b75cbedf89","8f339a09f0d0202cfaffbd38469490ec")

    Detection Query 3:

    sha256hash IN ("92ab3a9040f5e620bc4b76295239c5240130d968c6cbeaa7dc555d2cf19bfae1","f538ca6ef15a18d02358d93d0d4493e594550c681f771b86d75dba19d1ef5e92","49749efacb2542c33ce824b3f75444dac17a30f3e5746e0b7e8541ae93e3e1bb","d182834a984c9f5b44ea0aca5786223a78138ff23d33362ab699c76bf6987261","9b8218774c3abc0a449cfc490f12e81155af00ec90c2e1d630a61c29f70a98cb")

    Detection Query 4:

    sender IN ("rolf.gehrung@yandex.com","ekta.sahasi@yandex.com","gursimran.bindra@yandex.com","sneha.geethakrishnan@yandex.com","tanessha.samuel@gmail.com","tianling0315@gmail.com","w.sarah0808@gmail.com","softpower21cs@gmail.com","sandozmessi@gmail.com","tiger.man.1999@mail.ru","navermail_noreply@mail.ru") OR recipients IN ("rolf.gehrung@yandex.com","ekta.sahasi@yandex.com","gursimran.bindra@yandex.com","sneha.geethakrishnan@yandex.com","tanessha.samuel@gmail.com","tianling0315@gmail.com","w.sarah0808@gmail.com","softpower21cs@gmail.com","sandozmessi@gmail.com","tiger.man.1999@mail.ru","navermail_noreply@mail.ru") OR from IN ("rolf.gehrung@yandex.com","ekta.sahasi@yandex.com","gursimran.bindra@yandex.com","sneha.geethakrishnan@yandex.com","tanessha.samuel@gmail.com","tianling0315@gmail.com","w.sarah0808@gmail.com","softpower21cs@gmail.com","sandozmessi@gmail.com","tiger.man.1999@mail.ru","navermail_noreply@mail.ru")
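The four TDIR queries above, re-expressed as an added example (not code from the advisory or from Gurucul) that runs the same indicator checks over constructed key=value log lines. It carries a subset of the advisory's hashes and addresses, lower-cases hashes before comparison because EDR and AV tools disagree on case, and treats the recipients field as a delimited list so a listed address hidden among several recipients still matches.

```python
import re

# Indicators copied from the advisory's detection queries (hash/email subsets).
C2_IPS = {"89.147.101.71", "89.147.101.65", "37.120.210.2"}
MD5_IOCS = {"2f431c4e65af9908d2182c6a093bf262", "81c08366ea7fc0f933f368b120104384"}
SHA256_IOCS = {"92ab3a9040f5e620bc4b76295239c5240130d968c6cbeaa7dc555d2cf19bfae1"}
EMAIL_IOCS = {"rolf.gehrung@yandex.com", "navermail_noreply@mail.ru"}

# Constructed sample events in a simple key=value format (not real telemetry).
SAMPLE_LOG = """\
type=net srcipaddress=10.0.0.5 dstipaddress=89.147.101.71 dstport=443
type=file md5hash=81C08366EA7FC0F933F368B120104384 path=C:\\Users\\u\\invite.lnk
type=mail sender=news@example.org recipients=alice@example.org;navermail_noreply@mail.ru
type=net srcipaddress=10.0.0.7 dstipaddress=93.184.216.34 dstport=443
"""

def parse_line(line: str) -> dict:
    """Split a key=value line into a dict (values contain no spaces in this format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match_event(ev: dict) -> list:
    """Return the names of the advisory queries (1-4) this event would satisfy."""
    hits = []
    # Query 1: either endpoint of the connection is a listed C2 address.
    if {ev.get("srcipaddress"), ev.get("dstipaddress")} & C2_IPS:
        hits.append("Query 1")
    # Queries 2/3: compare hashes lower-cased so upper-case tool output still matches.
    if ev.get("md5hash", "").lower() in MD5_IOCS:
        hits.append("Query 2")
    if ev.get("sha256hash", "").lower() in SHA256_IOCS:
        hits.append("Query 3")
    # Query 4: sender, recipients or from; recipients may be a ';' or ',' separated list.
    addrs = set()
    for field in ("sender", "recipients", "from"):
        addrs.update(a.lower() for a in re.split(r"[;,]", ev.get(field, "")) if a)
    if addrs & EMAIL_IOCS:
        hits.append("Query 4")
    return hits

def scan(log: str) -> list:
    """Run the matcher over each line; return (line number, matched queries) for hits only."""
    results = []
    for n, line in enumerate(log.splitlines(), 1):
        hits = match_event(parse_line(line))
        if hits:
            results.append((n, hits))
    return results

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```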

    Reference: 

    https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story


    Tags: Threat Actor, APT37, North Korea, South Korea, Social Engineering, ToyBox Story, Trump 2.0 Era, pCloud and Yandex
