The advanced persistent threat (APT) group known as Chollima APT, also referred to as Ricochet, has initiated a sophisticated cyber campaign targeting activists and organizations focused on North Korea. This campaign, dubbed “Operation: ToyBox Story,” commenced in March 2025 and leverages a combination of social engineering and advanced malware delivery techniques. Threat actors are employing spear-phishing emails designed to mimic communications from credible sources, specifically impersonating security experts with expertise in North Korean affairs. These emails contain links to Dropbox, which in turn lead to compressed archives housing malicious Windows shortcut files.
Upon opening these seemingly harmless files, victims unknowingly trigger hidden code execution. The attackers have demonstrated significant sophistication in disguising their malicious payload. The emails feature subject lines referencing culturally relevant topics, such as North Korean troops deployed to Russia, aiming to increase user engagement and trust. Furthermore, the attached files are designed to resemble Hangul document icons, a common association with legitimate Korean word processing software, thereby deceiving recipients into believing they are downloading standard documents rather than executable malware.
This tactic of social engineering proves effective due to the inherent trust users place in familiar file icons and the perceived credibility of the sending organizations. An Offensive Security Engineer, identified as S3N4T0R, brought attention to this malware after conducting an in-depth analysis of the campaign’s technical characteristics and infection chain. S3N4T0R’s investigation revealed a multi-stage attack progression, each phase meticulously designed to evade security tools and establish a persistent presence on compromised systems, a hallmark of sophisticated APT operations.
Fileless Execution Through Memory Injection in Chollima APT Campaign
A critical and concerning aspect of this malware is its capability for fileless execution, meaning it operates in a system’s memory without leaving tangible traces on the hard drive. When a victim extracts the ZIP archive and opens the shortcut file disguised as a document, an embedded PowerShell command executes silently. This command runs a batch file named “toy03.bat,” which then loads a file identified as “toy02.dat” from the system’s temporary folder. The loader component decodes the XOR-transformed data and injects the resulting shellcode directly into memory.
This fileless execution technique presents a significant challenge for cybersecurity professionals because it dramatically reduces the forensic evidence available for detection and analysis. Once the code is in memory, the malware creates a new thread to run it. Operating entirely in memory allows the malicious program to remain largely undetected by traditional file-based security solutions. The malware then establishes communication channels over the Dropbox API, enabling the attackers to issue commands and exfiltrate stolen data. This strategy masks their malicious activity within the legitimate traffic of a widely used cloud storage service, making detection substantially more challenging. This evolution in attack vectors highlights the growing sophistication of APT groups in leveraging trusted services to conceal their operations. The ongoing analysis of Operation: ToyBox Story will likely reveal further details about the specific data targeted and the full scope of Chollima APT’s objectives. Security researchers continue to monitor for new indicators of compromise and evolving tactics employed by this threat actor.
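The chain described above has three observable stages that endpoint telemetry can catch even though no payload is written as an executable: a hidden PowerShell process spawned from a shortcut, a batch stage that reads a .dat blob from the temp folder, and a non-browser process talking to the Dropbox API. The following hunting logic is an added example written for this article, not code from the report or from S3N4T0R’s analysis. The event records are constructed to resemble simplified Sysmon process-creation and network-connection events; the field names, the sample paths and the PID values are assumptions, and only the filenames toy03.bat and toy02.dat come from the report.

```python
"""Hunting rules for the ToyBox Story style infection chain (added example).

Events are simplified, constructed dicts in the shape of Sysmon-style
process-creation and network-connection records; field names are assumptions.
"""
import re

LOADER_NAMES = ("toy03.bat", "toy02.dat")  # filenames named in the report
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}  # real Dropbox API endpoints
# Processes for which Dropbox API traffic is expected; anything else is suspicious (assumed allow-list).
EXPECTED_DROPBOX_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Real PowerShell switches commonly seen in shortcut-launched, hidden execution.
HIDDEN_PS_FLAGS = ("-windowstyle hidden", "-w hidden", "-ep bypass", "-executionpolicy bypass")
# A .dat file referenced from a ...\temp\ directory anywhere in the command line.
TEMP_DAT = re.compile(r"\\temp\\[^\s\"']+\.dat\b")


def basename(path):
    """Lower-cased final path component (Windows separators)."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev):
    """Return exec:* findings for one process-creation event."""
    findings = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["command_line"].lower()
    # Stage 1: explorer.exe launching a hidden PowerShell is how an opened LNK looks in telemetry.
    if image == "powershell.exe" and parent == "explorer.exe" and any(f in cmd for f in HIDDEN_PS_FLAGS):
        findings.append("exec:hidden-powershell-from-explorer")
    # Stage 2: the batch and data filenames from the report.
    for name in LOADER_NAMES:
        if name in cmd:
            findings.append(f"exec:known-loader-name:{name}")
    # Generic form of stage 2: any .dat blob read out of a temp directory.
    if TEMP_DAT.search(cmd):
        findings.append("exec:dat-blob-from-temp")
    return findings


def check_network(ev):
    """Return net:* findings for one network-connection event."""
    if ev["dest_host"].lower() in DROPBOX_API_HOSTS and basename(ev["image"]) not in EXPECTED_DROPBOX_CLIENTS:
        return [f"net:dropbox-api-from-{basename(ev['image'])}"]
    return []


def hunt(events):
    """Map pid -> findings for every event stream, skipping clean processes."""
    alerts = {}
    for ev in events:
        found = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if found:
            alerts.setdefault(ev["pid"], []).extend(found)
    return alerts


def escalate(alerts):
    """PIDs with both an execution and a network finding: the in-memory stage
    reaching its cloud C2 is the strongest single signal in this chain."""
    return sorted(pid for pid, f in alerts.items()
                  if any(x.startswith("exec:") for x in f) and any(x.startswith("net:") for x in f))


# Constructed sample telemetry (not real captures); paths and PIDs are invented.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -WindowStyle Hidden -ep bypass -c "cmd /c %TEMP%\toy03.bat"'},
    {"type": "process", "pid": 4120, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\toy03.bat"},
    {"type": "process", "pid": 4130, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'''powershell.exe -nop -c "[IO.File]::ReadAllBytes('C:\Users\victim\AppData\Local\Temp\toy02.dat')"'''},
    {"type": "process", "pid": 5000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'WINWORD.EXE /n "C:\Users\victim\Documents\report.docx"'},
    {"type": "network", "pid": 4130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.dropboxapi.com"},
    {"type": "network", "pid": 6200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "content.dropboxapi.com"},
]

if __name__ == "__main__":
    alerts = hunt(SAMPLE_EVENTS)
    for pid, findings in alerts.items():
        print(pid, findings)
    print("escalate:", escalate(alerts))
```

The per-process findings are deliberately split into an execution family and a network family so that the correlation step can raise a single high-confidence alert for the process that both loaded the .dat blob and reached the Dropbox API, while the individual rules (hidden PowerShell from explorer, .dat read from temp, Dropbox API traffic from an unexpected binary) still fire on their own for triage. The allow-list of expected Dropbox clients is the tuning point: in an environment where Dropbox is not sanctioned at all, it can be emptied so that any process reaching those hosts is flagged.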