cKure Red – Telegram
cKure Red
2.33K subscribers
69 photos
31 videos
21 files
444 links
The director's cut on critical feeds from InfoSec world 🌎

Main Channel: @cKure

For ☕️ or queries, email us
📨 i@ckure.org
From Orange 🍊 Tsai to Richard Johnson, researchers and authors have received the hard copy of Phrack and coins.
🎃HOW APT37 EMPLOYED ROKRAT SHELLCODE AND STEGANOGRAPHIC TECHNIQUE

ℹ️ Researchers have identified a new variant of RoKRAT, the malware associated with North Korea’s APT37 group. This version employs two-stage encrypted shellcode execution and steganography to conceal malicious code inside image files, enabling evasion from traditional detection methods.

📍 INFECTION VECTOR
■ The intrusion begins with a ZIP archive containing a large .lnk shortcut file, often masquerading as legitimate documents.
■ Once opened, PowerShell commands embedded within the shortcut unpack multiple hidden components, such as shellcode, batch files, noscripts, and decoy documents, and launch the infection chain.

📍TWO-STAGE SHELLCODE DECODING
■ The initial embedded shellcode is decoded using a single-byte XOR, then injected into a trusted Windows process like mspaint.exe or notepad[.]exe.
■ A second stage of XOR-based decoding (e.g. key 0xD6) reveals the full RoKRAT payload, which is executed entirely in memory without writing to disk.

📍 STEGANOGRAPHIC PAYLOAD DELIVERY
■ The standout feature of this variant is the use of steganography: a JPEG image (e.g. "Father.jpg") is downloaded from cloud services (Dropbox, Yandex, pCloud) and contains encrypted shellcode starting at a non-standard offset.
■ A dual XOR decoding process transforms this hidden data into an executable loader, which initiates RoKRAT in-memory execution without leaving disk artifacts.

📍 C2 COMMUNICATION & TARGETS
■ RoKRAT communicates with C2 infrastructure via legitimate cloud APIs using expired or stolen tokens tied to Dropbox, pCloud, and Yandex.
■ The malware collects system info, documents, screenshots, and exfiltrates data in encrypted form, disguised within normal traffic to bypass inspection.


https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
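As an added, defender-side example (not code from the Genians report or this post): a Python triage helper that walks the JPEG segment structure to find where the image really ends and reports any appended bytes with their entropy, one practical check for payload-bearing images like the one described above. It assumes the hidden data sits after the EOI marker (one common placement; the post only says "a non-standard offset"), and the sample bytes and the use of key 0xD6 are constructed.

```python
# Added triage helper, not code from the Genians report: walks a JPEG's segment
# structure and reports any bytes appended after the EOI marker, plus their entropy.
import math
from collections import Counter
NOT_A_MARKER = {0x00, *range(0xD0, 0xD8)}   # stuffed FF00 and RSTn inside scan data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); XOR-encoded shellcode sits near 8, short benign trailers do not."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def jpeg_end_offset(data: bytes):
    """Return the offset just past the EOI marker, or None if the data is not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                                  # EOI: the image ends here
            return i + 2
        if marker == 0xFF:                                  # fill byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:        # TEM / RSTn carry no length field
            i += 2
            continue
        if i + 4 > len(data):
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")  # skip the length-prefixed segment
        if marker == 0xDA:                                  # SOS: skip scan data to the next marker
            while i + 1 < len(data) and (data[i] != 0xFF or data[i + 1] in NOT_A_MARKER):
                i += 1
    return None

def jpeg_trailing_payload(data: bytes):
    """(offset, length, entropy) of bytes appended after the image, or None if there are none."""
    end = jpeg_end_offset(data)
    if end is None or end >= len(data):
        return None
    tail = data[end:]
    return end, len(tail), round(shannon_entropy(tail), 2)

# Constructed samples: a minimal JPEG skeleton, and the same image with a 256-byte tail XORed with 0xD6 (the key the post cites).
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x03\x01"
               + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SAMPLE_STEGO = SAMPLE_JPEG + bytes(b ^ 0xD6 for b in range(256))
```

A high-entropy tail of several kilobytes behind a valid image is worth pulling for analysis; a tail of a few low-entropy bytes is usually just padding from an image editor.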
⚙️ Cybersecurity AI (CAI) is a lightweight, open-source framework that empowers security professionals to build and deploy AI-powered offensive and defensive automation. CAI is the de facto framework for AI Security, already used by thousands of individual users and hundreds of organizations. Whether you're a security researcher, ethical hacker, IT professional, or organization looking to enhance your security posture, CAI provides the building blocks to create specialized AI agents that can assist with mitigation, vulnerability discovery, exploitation, and security assessment.

Key Features:

🤖 300+ AI Models: Support for OpenAI, Anthropic, DeepSeek, Ollama, and more
🔧 Built-in Security Tools: Ready-to-use tools for reconnaissance, exploitation, and privilege escalation
🏆 Battle-tested: Proven in HackTheBox CTFs, bug bounties, and real-world security case studies
🎯 Agent-based Architecture: Modular design with specialized agents for different security tasks


https://github.com/aliasrobotics/cai
Israeli equipment for hacking, signal intelligence found near Al-Kiswah (10km from Damascus).

Syrian troops (former Al-Qaeda) had found Israeli listening and spying devices there. The troops were in the process of dismantling the devices when they were killed (6 of them) by Israeli air strikes, and then Israeli forces came in 4 helicopters and stayed for 2 hours to take the equipment.

Israeli warplanes and drones prevented Syrian forces from entering the area until late on Wednesday night, after Israeli forces had left the site. A Syrian military source told Al Jazeera that dozens of Israeli troops travelled to the site in four helicopters and spent more than two hours there, though it is unclear what exactly they did.

The Israeli defence minister, Israel Katz, posted on 𝕏 that forces were “operating in all combat zones day and night for the security of Israel”, but otherwise offered no explanation.


https://www.theguardian.com/world/2025/aug/28/israeli-forces-former-air-defence-base-southern-syria-damascus
🟥 Facebook app and other Meta apps are malware that bypass security audits to leak user data to Meta servers. The covert method Meta uses to track mobile browsing without consent — even in incognito mode or with a VPN on all Android devices. Patch immediately:…
Disclosure: Covert Web-to-App Tracking via Localhost on Android.

Organizations like Meta / Yandex have stopped this intrusive privacy breaching activity.


localmess.github.io
🖼The One-Man APT, Part I: A Picture That Can Execute Code on the Target.

https://hackers-arise.com/the-one-man-apt-part-i-a-picture-that-can-execute-code-on-the-target/
Google 🔍 Engineer dropped a book. A comprehensive guide to building agentic AI systems.

Key points:

Concepts: Prompt chaining, routing, memory, planning, safety, and evaluation.

Patterns: Design methods for multi-agent setups, tool-using agents, and autonomous workflows.

Hands-on: Code samples for implementing these patterns in real-world apps.

Goal: Help developers build reliable, scalable, and safe intelligent agents.

Think of it as a playbook for advanced AI agent design.


📱https://docs.google.com/document/d/1rsaK53T3Lg5KoGwvf8ukOUvbELRtH-V0LnOIFDxBryE/mobilebasic