Chollima hackers expand phishing with stealth LNK malware

A coordinated cyber-espionage campaign attributed to the Chollima advanced persistent threat group has drawn attention from security researchers after attackers used malicious Windows shortcut files to deliver a multi-stage malware payload aimed at activists and analysts tracking North Korea.

Investigations show the operation unfolded in March 2025 and targeted individuals engaged in policy research, human rights advocacy and security analysis related to the Korean peninsula. The attackers initiated contact through carefully crafted spear-phishing emails that impersonated a well-known South Korea-based security expert specialising in North Korean affairs. Messages were personalised, referenced credible policy discussions and appeared consistent with professional correspondence common in that research community, increasing the likelihood of engagement.

At the centre of the campaign was the use of weaponised LNK files, a Windows shortcut format that can execute commands when opened. While LNK abuse has appeared in past intrusions, analysts noted a higher level of sophistication in this operation. The malicious shortcuts were embedded in compressed attachments or linked through cloud-hosted storage, reducing suspicion and helping the emails bypass standard filtering controls.

Once a recipient opened the LNK file, the shortcut triggered a hidden command sequence that launched PowerShell scripts without displaying visible windows. These scripts established the next stage of the infection chain by downloading additional components from attacker-controlled infrastructure disguised as benign web resources. Obfuscation techniques, including string encryption and delayed execution, were employed to evade detection by endpoint security tools.

Researchers tracking the activity linked the operation to the Chollima cluster, also known in cybersecurity circles as APT37. The group has been widely associated with state-aligned intelligence collection linked to Pyongyang and has a documented history of targeting diplomats, academics and civil society groups involved in peninsula-related issues. The tactics observed in this campaign align with that pattern, particularly the emphasis on social engineering and long-term surveillance rather than immediate financial gain.

Technical analysis of the malware revealed capabilities focused on information theft and system reconnaissance. Once persistence was established, the payload harvested system metadata, browser credentials and selected documents before transmitting them to command-and-control servers. The malware also included modules that allowed operators to deploy additional tools on demand, suggesting an intent to maintain access over extended periods rather than execute a single data grab.

Security professionals noted that the impersonation element was central to the campaign’s effectiveness. By posing as a recognised expert and referencing legitimate conferences and reports, the attackers exploited trust networks within a relatively small community of specialists. Such targeting reduces the scale of an operation but increases its success rate, a trade-off often favoured in intelligence-driven cyber activity.

The campaign also highlighted a shift in delivery methods. Many organisations have strengthened defences against macro-laden documents and executable attachments, prompting threat actors to revive file types that attract less scrutiny. LNK files, which are commonly used in corporate environments, can appear harmless and are sometimes overlooked by automated scanning systems, particularly when compressed or renamed.
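The two technical points above, a shortcut that silently launches PowerShell to fetch its next stage, and shortcuts that slip past scanners because they arrive compressed or under a misleading name, can both be checked statically before a file ever reaches a user. The script below is an added example written for this page, not code from the article or from any vendor report. It follows the public MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData), identifies shortcuts inside a ZIP by header bytes rather than extension, and applies defender heuristics for the behaviour described. The sample shortcuts, the archive and the icon path are constructed here; the embedded command is a harmless `Write-Output`.

```python
"""Static triage of Windows shortcut (.lnk) files inside an attachment archive.

Added example (not the article's or any vendor's code). Implements the public
MS-SHLLINK header/StringData layout and defender heuristics; all samples are
constructed in this file and the encoded command is a harmless Write-Output.
"""
import base64
import io
import re
import struct
import zipfile

HEADER_FMT = "<I16sIIQQQIIIHHII"                       # ShellLinkHeader, 76 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = b"\x4c\x00\x00\x00" + LNK_CLSID            # HeaderSize + LinkCLSID

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits
STRING_FIELDS = (  # StringData sections, in the order the format stores them
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"))
SW_SHOWNORMAL, SW_SHOWMAXIMIZED, SW_SHOWMINNOACTIVE = 1, 3, 7

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
DOCUMENT_ICONS = ("winword", "excel", "powerpnt", "acrord", "wordpad")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand, LinkFlags and StringData of a shell link; ValueError if not one."""
    if len(data) < HEADER_LEN or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    flags, show_cmd = fields[2], fields[9]
    pos = HEADER_LEN
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_cmd, "flags": flags}
    for bit, name in STRING_FIELDS:              # CountCharacters + unterminated text
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        info[name] = data[pos:pos + count * width].decode(
            "utf-16le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return info


def triage_lnk(info: dict) -> list:
    """Heuristic findings for a parsed shortcut; an empty list means nothing notable."""
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower()
    findings = []
    runs_script_host = any(h in target or h in args for h in SCRIPT_HOSTS)
    if runs_script_host:
        findings.append("script_host_target")        # runs a shell, not a document
    if info["show_command"] not in (SW_SHOWNORMAL, SW_SHOWMAXIMIZED):
        findings.append("window_not_shown")          # e.g. SW_SHOWMINNOACTIVE
    if re.search(r"-w\w*\s+hidden", args):
        findings.append("hidden_window_argument")    # -WindowStyle Hidden, any prefix
    if re.search(r"-e\w*\s+[a-z0-9+/=]{20,}", args):
        findings.append("encoded_command")           # -EncodedCommand <base64>
    if re.search(r"https?://|downloadstring|invoke-webrequest|net\.webclient", args):
        findings.append("remote_fetch")              # pulls a next stage from the network
    if runs_script_host and any(d in icon for d in DOCUMENT_ICONS):
        findings.append("document_icon_masquerade")  # looks like a report, runs a script
    return findings


def find_lnk_in_zip(zip_bytes: bytes) -> list:
    """(name, bytes) for every member that is a shell link by header, whatever its extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            if entry.is_dir() or entry.file_size > 4 * 1024 * 1024:
                continue                             # shortcuts are tiny; skip huge members
            data = zf.read(entry)
            if data[:20] == LNK_MAGIC:
                hits.append((entry.filename, data))
    return hits


def scan_archive(zip_bytes: bytes) -> dict:
    """Map each shortcut inside the archive to its triage findings."""
    return {name: triage_lnk(parse_lnk(data)) for name, data in find_lnk_in_zip(zip_bytes)}


def build_lnk(strings: dict, show_command: int = SW_SHOWNORMAL) -> bytes:
    """Assemble a minimal Unicode shortcut (no IDList/LinkInfo) to exercise the parser."""
    flags = IS_UNICODE | sum(bit for bit, name in STRING_FIELDS if name in strings)
    header = struct.pack(HEADER_FMT, HEADER_LEN, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(strings[n])) + strings[n].encode("utf-16le")
                    for _, n in STRING_FIELDS if n in strings)
    return header + body


def build_sample_archive() -> bytes:
    """Constructed attachment: decoy text, a lure shortcut posing as a PDF brief (harmless
    Write-Output payload, hypothetical icon path), the same lure renamed, and a benign shortcut."""
    encoded = base64.b64encode("Write-Output test".encode("utf-16le")).decode()
    lure = build_lnk({
        "relative_path": r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "arguments": f"-WindowStyle Hidden -NoProfile -EncodedCommand {encoded}",
        "icon_location": r"%ProgramFiles%\Adobe\Acrobat\AcroRd32.exe"},
        show_command=SW_SHOWMINNOACTIVE)
    benign = build_lnk({"relative_path": r"..\..\..\Windows\notepad.exe"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Sanctions brief attached.")
        zf.writestr("Korea_sanctions_brief.pdf.lnk", lure)
        zf.writestr("notes.dat", lure)                # renamed: extension no longer says .lnk
        zf.writestr("Notepad.lnk", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_archive(build_sample_archive()).items():
        print(f"{name}: {', '.join(findings) or 'clean'}")
```

Run against the constructed archive, the two copies of the lure are flagged for a script-host target, a suppressed window, a hidden-window argument, an encoded command and a document-style icon, while the notepad shortcut comes back clean. In a mail gateway the same `find_lnk_in_zip` check, keyed on the header bytes, is what closes the gap the article describes for compressed or renamed shortcuts.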

Cybersecurity firms observing the activity reported overlaps in infrastructure and tooling with earlier Chollima operations, including shared command-and-control patterns and similar code fragments. At the same time, analysts stressed that the malware showed incremental evolution, reflecting ongoing investment in refining tradecraft rather than a wholesale change in strategy.

The broader context underscores a sustained focus by Pyongyang-linked actors on information gathering related to sanctions, diplomacy and human rights. Activists and researchers working on these themes often operate outside government networks and may lack the layered defences available to state institutions, making them attractive targets. The campaign serves as a reminder that non-profit organisations and independent analysts are increasingly exposed to nation-state cyber risks.

The article Chollima hackers expand phishing with stealth LNK malware appeared first on Arabian Post.

Economist Admin Admin managing news updates, RSS feed curation, and PR content publishing. Focused on timely, accurate, and impactful information delivery.