North Korean-linked threat actors have been spotted deploying a previously unknown backdoor and remote access trojan (RAT) called VeilShell in a cyber campaign primarily targeting Cambodia and likely other countries in Southeast Asia.
The campaign, identified as SHROUDED#SLEEP by Securonix, is attributed to APT37, also referred to as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.
Operating since at least 2012, APT37 is thought to be associated with North Korea’s Ministry of State Security (MSS). Like other North Korean groups such as Lazarus Group and Kimsuky, APT37’s tactics and objectives seem to shift in alignment with state interests.
One of its signature tools is RokRAT (also known as Goldbackdoor), but the group has also developed other custom malware for covert intelligence-gathering operations.
It is not yet clear how the initial payload, a ZIP archive containing a Windows shortcut (LNK) file, reaches its targets, although spear-phishing emails are suspected.
According to researchers Den Iuzvyk and Tim Peck, the VeilShell backdoor provides attackers with full control over compromised systems, enabling data theft, registry and task manipulation, and more.
When launched, the LNK file runs embedded PowerShell commands that extract the components packed inside it: a lure document (Excel or PDF) for the victim to open, plus a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") that are dropped into the Windows Startup folder so they are processed at the next logon.
The chain is notable for using AppDomainManager injection, a comparatively uncommon technique, to get DomainManager.dll executed at startup. A .NET executable reads a configuration file named after itself ("d.exe.config" for an executable called "d.exe") when it starts; if that file's runtime section names a custom AppDomainManager assembly and type, the CLR loads that assembly and instantiates the type inside the host process before the program's own entry point runs. The same method was recently observed in attacks by the China-linked Earth Baxia group, suggesting it is gaining traction among threat actors as an alternative to DLL side-loading.
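A practical way to check a host for this persistence pattern is to look for .exe.config files in the Startup folders that register an AppDomainManager, then confirm that the loader assembly and the host executable sit beside them. The script below is an added example written for this article, not Securonix's code or anything from the original page. The sample d.exe.config it builds is constructed to show the relevant .NET Framework settings (appDomainManagerAssembly and appDomainManagerType under the runtime element) with placeholder assembly and type names; the real file's contents are not reproduced on this page.

```python
"""Flag .NET app-config files that register a custom AppDomainManager.

Added example (not from the article or from Securonix). The config text
below is CONSTRUCTED to show the shape of the technique; assembly and type
names are placeholders, not the real d.exe.config from the campaign.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Settings under <runtime> that make the CLR load a custom AppDomainManager
# before any of the executable's own code runs.
ADM_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}

# Constructed sample of a config that registers an AppDomainManager.
SAMPLE_MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.Injected" />
  </runtime>
</configuration>
"""

# Constructed benign config: no AppDomainManager settings at all.
SAMPLE_BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def _local(tag):
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def app_domain_manager_settings(config_text):
    """Return {'assembly': ..., 'type': ...} if the config registers an
    AppDomainManager under <runtime>; None otherwise or if the XML is bad."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError:
        return None
    found = {}
    for node in root.iter():
        if _local(node.tag) != "runtime":
            continue
        for child in node:
            name = _local(child.tag)
            if name in ADM_ELEMENTS:
                found[name] = child.get("value", "")
    if not found:
        return None
    return {"assembly": found.get("appDomainManagerAssembly", ""),
            "type": found.get("appDomainManagerType", "")}


def assembly_simple_name(identity):
    """'DomainManager, Version=1.0.0.0, ...' -> 'DomainManager'."""
    return identity.split(",", 1)[0].strip()


def is_startup_folder(path):
    """True for a path ending in 'Start Menu\\Programs\\Startup' (any case)."""
    tail = [p.lower() for p in Path(path).parts[-3:]]
    return tail == ["start menu", "programs", "startup"]


def scan_directory(directory):
    """Report every *.exe.config in `directory` that registers an
    AppDomainManager, plus whether the host exe and manager DLL are present."""
    directory = Path(directory)
    findings = []
    for cfg in sorted(directory.glob("*.exe.config")):
        settings = app_domain_manager_settings(
            cfg.read_text(encoding="utf-8", errors="replace"))
        if settings is None:
            continue
        host_exe = cfg.with_name(cfg.name[:-len(".config")])   # d.exe.config -> d.exe
        dll = cfg.with_name(assembly_simple_name(settings["assembly"]) + ".dll")
        findings.append({
            "config": cfg.name,
            "host_exe": host_exe.name,
            "host_exe_present": host_exe.exists(),
            "manager_dll": dll.name,
            "manager_dll_present": dll.exists(),
            "manager_type": settings["type"],
            "in_startup_folder": is_startup_folder(directory),
        })
    return findings


def build_sample_tree(base):
    """Write the constructed files into <base>/Start Menu/Programs/Startup."""
    startup = Path(base) / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "d.exe.config").write_text(SAMPLE_MALICIOUS_CONFIG, encoding="utf-8")
    (startup / "d.exe").write_bytes(b"MZ")              # stand-in for the host .NET exe
    (startup / "DomainManager.dll").write_bytes(b"MZ")  # stand-in for the loader DLL
    (startup / "benign.exe.config").write_text(SAMPLE_BENIGN_CONFIG, encoding="utf-8")
    return startup


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_directory(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it directly to see the findings for the constructed sample; on a live host, point scan_directory() at the per-user and all-users Startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup). One caveat: the same AppDomainManager can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables rather than a config file, which a file-based check like this will not see.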
The malicious DLL acts as a loader: it fetches JavaScript from a remote server, and that script in turn retrieves the VeilShell backdoor. VeilShell is PowerShell-based malware that communicates with a command-and-control (C2) server and can gather files, upload ZIP archives, download files, and modify or delete data on the host.
Researchers emphasized the attackers' patient and methodical approach, noting that each phase of the attack was padded with long sleep intervals to evade detection. Because the loader is triggered from the Startup folder, VeilShell does not run until the system is next rebooted.
This campaign demonstrates a sophisticated and stealthy intrusion strategy against targets in Southeast Asia, combining multiple execution stages, persistence mechanisms, and a versatile PowerShell RAT for long-term control over compromised machines.
Securonix’s findings follow a report from Symantec, which revealed that another North Korean threat actor, Andariel, launched financially motivated attacks against three U.S. organizations in August 2024.