Scarcruft’s ROKRAT Malware: Recent Changes
2026.02.06
✅ Report Title: Scarcruft’s ROKRAT Malware: Recent Changes
✅ Executive Summary:
- Recently, ScarCruft has been employing a new attack method to distribute ROKRAT using an HWP OLE-based Dropper/Loader structure, deviating from their traditional LNK-based attack chain.
- All three cases mentioned in the report share the same signature characteristics identified in previous ScarCruft campaigns, such as ROR13-based API resolving, XOR-based payload decryption, and the abuse of legitimate cloud services (pCloud, Yandex) for C2 communication.
- While the Droppers and Downloaders exhibit functional differences—such as file dropping, environment checks, and memory loading—they all ultimately share the common goal of executing ROKRAT directly in memory.
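The summary lists ROR13-based API resolving as one of the campaign's signature traits. When a loader resolves imports by hash, the analyst's job is the reverse direction: recover which API each 32-bit constant found in the shellcode refers to. The following Python is an added, illustrative analyst aid, not code from the report or from the malware; it implements the common ROR13 hash (rotate the running value right by 13 bits, add the next byte) over a constructed list of candidate API names, and also handles the variant that hashes the terminating NUL byte, since that variant differs from the plain one by exactly one extra rotation. The `SAMPLE_BLOB` and `CANDIDATE_APIS` values are constructed for the example and are not indicators from the report.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror13(data: bytes) -> int:
    """ROR13 hash: for each byte, rotate the 32-bit accumulator right by 13
    and add the byte. Assumption: plain variant, no terminating NUL."""
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


def api_hash(name: str, include_nul: bool = False) -> int:
    """Hash an API name as ASCII; optionally include the NUL terminator,
    which some loaders fold in (one extra rotation, add 0)."""
    data = name.encode("ascii") + (b"\x00" if include_nul else b"")
    return ror13(data)


def build_table(names: Iterable[str], include_nul: bool = False) -> Dict[int, str]:
    """Map hash -> API name for a candidate list (reverse lookup table)."""
    return {api_hash(n, include_nul): n for n in names}


def resolve_hash(h: int, table: Dict[int, str]) -> Optional[str]:
    """Return the API name for a hash constant, or None if unknown."""
    return table.get(h & MASK32)


def scan_for_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Slide a 4-byte little-endian window over a byte buffer and report
    (offset, api_name) for every dword that matches a known hash."""
    hits = []
    for off in range(0, len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        name = table.get(val)
        if name is not None:
            hits.append((off, name))
    return hits


# Constructed candidate list; a real run would use full export lists of
# kernel32, wininet, winhttp, etc.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "InternetOpenA", "WinHttpOpen",
]

# Constructed stand-in for a shellcode buffer: NOP padding, a hash constant,
# INT3 padding, another hash constant. Not taken from any real sample.
SAMPLE_BLOB = (
    b"\x90" * 4
    + struct.pack("<I", api_hash("VirtualAlloc"))
    + b"\xcc" * 3
    + struct.pack("<I", api_hash("CreateThread"))
)


def analyse(blob: bytes) -> List[Tuple[int, str]]:
    """Try both hash variants and return the offsets/names found."""
    hits = scan_for_hashes(blob, build_table(CANDIDATE_APIS))
    hits += scan_for_hashes(blob, build_table(CANDIDATE_APIS, include_nul=True))
    return sorted(hits)


if __name__ == "__main__":
    for off, name in analyse(SAMPLE_BLOB):
        print(f"offset 0x{off:04x}: {name}")
```

Running the module prints the two constructed constants resolved back to their names. In practice the candidate list is generated from the export tables of the DLLs the loader is expected to touch, and the lookup is kept alongside the XOR key when annotating the decrypted payload in a disassembler.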
📌 What is ROKRAT malware?
- ROKRAT, a malware utilized by the North Korean-backed APT group ScarCruft, was first discovered in 2017 and has been continuously distributed up to the present day.
- ScarCruft has historically utilized an attack chain that drops BAT scripts and shellcode via LNK files …