Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)
Contents
◈ Executive Summary
- Disguised the content as an academic forum invitation from a South Korean national security think tank to attract attention
- Lured targets by referencing an actual event titled “Trump 2.0 Era: Prospects and South Korea’s Response”
- Delivered malicious LNK files via the Dropbox cloud platform
- APT37 used Dropbox as a C2 server, following earlier use of pCloud and Yandex
- EDR-based anomaly hunting required to improve detection of fileless threats
1. Overview
○ In March 2025, the APT37 threat actor launched a spear phishing campaign targeting several activists focused on North Korea. The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file. When extracted and executed, the LNK file activated additional malware containing the keyword “toy.”
○ Based on the characteristics of the threat, Genians Security Center (GSC) named the campaign “Operation: ToyBox Story” and began in-depth analysis.
[Figure 1] Flowchart of the APT37 Attack
2. …
- Disguised the content as an academic forum invitation from a South Korean national security think tank to attract attention
- Lured targets by referencing an actual event titled “Trump 2.0 Era: Prospects and South Korea’s Response”
- Delivered malicious LNK files via the Dropbox cloud platform
- APT37 used Dropbox as a C2 server, following earlier use of pCloud and Yandex
- EDR-based anomaly hunting required to improve detection of fileless threats
1. Overview
○ In March 2025, the APT37 threat actor launched a spear phishing campaign targeting several activists focused on North Korea. The email contained a Dropbox link leading to a compressed archive that included a malicious shortcut (LNK) file. When extracted and executed, the LNK file activated additional malware containing the keyword “toy.”
○ Based on the characteristics of the threat, Genians Security Center (GSC) named the campaign “Operation: ToyBox Story” and began in-depth analysis.
[Figure 1] Flowchart of the APT37 Attack
2. …
IoC
https://api.pcloud.com/uploadfile?path=%s&filename=%s&nopartial=1
https://content.dropboxapi.com/2/files/upload
https://cloud-api.yandex.net/v1/disk/resources?path=%s&limit=500
https://api.pcloud.com/listfolder?path=%s
http://cloud-api.yandex.net
https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s
http://89.147.101.71
http://api.dropboxapi.com
http://37.120.210.2
https://content.dropboxapi.com/2/files/download
http://api.pcloud.com
https://api.dropboxapi.com/2/files/delete
https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1
https://api.dropboxapi.com/2/files/list_folder
https://cloud-api.yandex.net/v1/disk/resources/download?path=%s
https://api.pcloud.com/deletefile?path=%s
http://89.147.101.65
https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s
89.147.101.65
37.120.210.2
89.147.101.71
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
723f80d1843315717bc56e9e58e89be5
d77c8449f1efc4bfb9ebff496442bbbc
7822e53536c1cf86c3e44e31e77bd088
8f339a09f0d0202cfaffbd38469490ec
81c08366ea7fc0f933f368b120104384
46ca088d5c052738d42bbd6231cc0ed5
7cc8ce5374ff9eacd38491b75cbedf89
2f431c4e65af9908d2182c6a093bf262
112ba70f4e2d696b6b0110218d8bcfc3
beeaca6a34fb05e73a6d8b7d2b8c2ee3
1e9ce53a18e24ebc01b539ba7ba6bedd
d5d48f044ff16ef6a4d5bde060ed5cee
324688238c42d7190a2b50303cbc6a3c
a635bd019674b25038cd8f02e15eebd2
https://content.dropboxapi.com/2/files/upload
https://cloud-api.yandex.net/v1/disk/resources?path=%s&limit=500
https://api.pcloud.com/listfolder?path=%s
http://cloud-api.yandex.net
https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s
http://89.147.101.71
http://api.dropboxapi.com
http://37.120.210.2
https://content.dropboxapi.com/2/files/download
http://api.pcloud.com
https://api.dropboxapi.com/2/files/delete
https://api.pcloud.com/getfilelink?path=%s&forcedownload=1&skipfilename=1
https://api.dropboxapi.com/2/files/list_folder
https://cloud-api.yandex.net/v1/disk/resources/download?path=%s
https://api.pcloud.com/deletefile?path=%s
http://89.147.101.65
https://cloud-api.yandex.net/v1/disk/resources?path=%s&permanently=%s
89.147.101.65
37.120.210.2
89.147.101.71
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
723f80d1843315717bc56e9e58e89be5
d77c8449f1efc4bfb9ebff496442bbbc
7822e53536c1cf86c3e44e31e77bd088
8f339a09f0d0202cfaffbd38469490ec
81c08366ea7fc0f933f368b120104384
46ca088d5c052738d42bbd6231cc0ed5
7cc8ce5374ff9eacd38491b75cbedf89
2f431c4e65af9908d2182c6a093bf262
112ba70f4e2d696b6b0110218d8bcfc3
beeaca6a34fb05e73a6d8b7d2b8c2ee3
1e9ce53a18e24ebc01b539ba7ba6bedd
d5d48f044ff16ef6a4d5bde060ed5cee
324688238c42d7190a2b50303cbc6a3c
a635bd019674b25038cd8f02e15eebd2