securityonline.info 7/17/2026, 2:11:20 PM · external

North Korean APT37 uses Dropbox phishing to deliver RokRAT malware

North Korean APT37 uses Dropbox phishing to deliver RokRAT malware
CyberSIXT Evidence Panel
Primary Source genians.co.kr
Threat Actor

A recent report from Genians Security Center highlights a new malware campaign named Operation Capsule Vault, attributed to the North Korean APT37 group. The campaign involves using spear-phishing emails with links to Dropbox disguised as PDF materials for an academic conference. The delivered files contain a PIF executable masquerading as a PDF, which leads to the execution of the RokRAT malware without detection.

This malware is capable of screen capture, file theft, and command execution via cloud services like pCloud, Dropbox, and Yandex Cloud. The analysis suggests defensive measures including vigilance for ISO and PIF execution and updated EDR rules.

View Primary Source Via securityonline.info

Article by CyberSIXT