Operation Artemis: Analysis of HWP-Based DLL Side Loading Attacks

Released on 2025-12-22 at 03:59:38 AM

The 'Artemis' campaign, attributed to APT37, uses malicious HWP documents with embedded OLE objects to initiate attacks. The threat actor impersonates legitimate entities to gain the target's trust before delivering the payload. The attack chain combines HWP execution with DLL side-loading to evade detection: steganography is used to conceal malicious code, and legitimate processes are abused to load the malicious DLLs. The campaign targets South Korean organizations, exploiting the widespread use of the HWP format there. Multiple stages of encryption and decryption obfuscate the final RoKRAT payload. The threat actor relies on cloud services such as Yandex and pCloud for command-and-control infrastructure, which complicates detection and attribution.