CVE-2025-7783: Critical Vulnerability in JavaScript Library Exposes Millions of Apps to Code Execution Attacks.

⤷ $150K funneled from North Korea’s Lazarus hacking group 💻
⤷ Facilitating romance scams, human trafficking, and money laundering
⤷ Monthly inflows up 51% since July 2024 📈

ℹ️ Researchers have identified a new variant of RoKRAT, the malware associated with North Korea’s APT37 group. This version employs two-stage encrypted shellcode execution and steganography to conceal malicious code inside image files, enabling evasion from traditional detection methods.

📍 INFECTION VECTOR
■ The intrusion begins with a ZIP archive containing a large .lnk shortcut file, often masquerading as legitimate documents.
■ Once opened, PowerShell commands embedded within the shortcut unpack multiple hidden components, such as shellcode, batch files, noscripts, and decoy documents, and launch the infection chain.

📍TWO-STAGE SHELLCODE DECODING
■ The initial embedded shellcode is decoded using a single-byte XOR, then injected into a trusted Windows process like mspaint.exe or notepad[.]exe.
■ A second stage of XOR-based decoding (e.g. key 0xD6) reveals the full RoKRAT payload, which is executed entirely in memory without writing to disk.

📍 STEGANOGRAPHIC PAYLOAD DELIVERY
■ The standout feature of this variant is the use of steganography: a JPEG image (e.g. "Father.jpg") is downloaded from cloud services (Dropbox, Yandex, pCloud) and contains encrypted shellcode starting at a non-standard offset.
■ A dual XOR decoding process transforms this hidden data into an executable loader, which initiates RoKRAT in-memory execution without leaving disk artifacts

📍 C2 COMMUNICATION & TARGETS
■ RoKRAT communicates with C2 infrastructure via legitimate cloud APIs using expired or stolen tokens tied to Dropbox, pCloud, and Yandex.
■ The malware collects system info, documents, screenshots, and exfiltrates data in encrypted form, disguised within normal traffic to bypass inspection.