S0240: ROKRAT
Analyst context for executives and security teams
ROKRAT matters because it represents a Windows remote access tool with collection, discovery, command-and-control, exfiltration, and stealth behaviors tied in ATT&CK to APT37 activity against South Korean victims from 2016 through 2021. For leaders, the value is not just naming the malware; it is testing whether the organization can spot a compromised endpoint that is quietly surveying the user, files, applications, registry, clipboard, screen and audio, and then moving data out over web or web-service-based channels.
Executive priority
Prioritize ROKRAT as a readiness scenario for espionage-style intrusion response: endpoint visibility, user-executed malicious file controls, web egress governance, cloud/web-service monitoring, and evidence preservation. Security leaders should ask whether SOC and IR teams can reconstruct what data was accessed or captured, what credentials may have been exposed through keylogging, and whether web-based C2 or exfiltration would blend into approved business traffic. This is especially relevant to business continuity, legal/compliance evidence, and executive decision-making where sensitive communications, documents, or credentials are at risk.
Technical view
ATT&CK lists ROKRAT as Windows malware and relates it to behaviors spanning malicious file execution, Visual Basic and Native API execution, registry query/modification, process and window discovery, system/user/file discovery, process injection, obfuscation/deobfuscation, file deletion, collection from local system, keylogging, screen/audio/clipboard capture, ingress tool transfer, web protocol C2, bidirectional web-service communication, and exfiltration over the C2 channel. Because official detection text is not provided, teams should validate coverage behaviorally rather than relying on a malware name: correlate suspicious user-opened files with child process activity, registry access, process injection indicators, discovery bursts, unusual capture-related API/activity, tool downloads, and outbound web traffic patterns consistent with C2 and data movement.
Likely telemetry
- Windows endpoint process creation, command-line, parent/child process, and script execution telemetry
- Registry query and modification events
- File creation, deletion, directory enumeration, and local data access telemetry
- Endpoint detection signals for process injection, obfuscated payloads, and decode/deobfuscation activity
- Clipboard, screen capture, audio device, and keylogging-related endpoint signals where available and lawful to collect
Detection direction
- Build detections around the ATT&CK technique cluster, not just static indicators, because no official ATT&CK detection guidance is supplied for this object.
- Correlate malicious-file execution with Visual Basic or Native API activity, registry changes, and immediate discovery commands or API-driven enumeration.
- Tune for sequences: discovery of user/system/process/window/file context followed by collection behaviors and outbound web traffic.
- Review web traffic to legitimate external web services for abnormal bidirectional patterns, while accounting for high false-positive potential from normal SaaS and browser use.
- Validate endpoint visibility for capture behaviors such as keylogging, screen capture, audio capture, and clipboard access; these may be privacy-sensitive and unevenly logged.
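To make the sequence-tuning guidance above concrete, the following correlator is an added example written for this page; it is not Glexia's or MITRE's code and contains nothing from a ROKRAT sample. It consumes endpoint events in a constructed, Sysmon-like schema (the field names are an assumption, not any product's format) and reports a host when it sees the chain the technique table on this page describes: an Office process modifying the `HKEY_CURRENT_USER\Software\Microsoft\Office\` key, that process creating a remote thread in `Notepad.exe`, and the injected process then connecting to a cloud or social web service such as Dropbox or pCloud. The `AccessVBOM` value name, hostnames, PIDs and domains in the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlists, derived from the relationships in the table on this page.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe"}  # Word / Hangul Office lures
OFFICE_KEY_PREFIX = "hkey_current_user\\software\\microsoft\\office\\"    # T1112 key from the page
INJECTION_TARGETS = {"notepad.exe"}                                      # T1055 target from the page
WEB_SERVICE_DOMAINS = ("dropbox.com", "pcloud.com", "yandex.", "mediafire.com", "twitter.com")
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (Sysmon-like field names are an assumption, not a product schema).
# ws-17 shows the full chain; ws-22 shows benign look-alike activity that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2021-08-25T09:00:01", "host": "ws-17", "type": "process_create",
     "image": "WINWORD.EXE", "pid": 4100, "parent_image": "OUTLOOK.EXE"},
    {"ts": "2021-08-25T09:00:05", "host": "ws-17", "type": "registry_set", "pid": 4100,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"},
    {"ts": "2021-08-25T09:00:09", "host": "ws-17", "type": "process_create",
     "image": "notepad.exe", "pid": 4212, "parent_image": "WINWORD.EXE"},
    {"ts": "2021-08-25T09:00:10", "host": "ws-17", "type": "remote_thread", "pid": 4100,
     "target_image": "notepad.exe", "target_pid": 4212},
    {"ts": "2021-08-25T09:00:31", "host": "ws-17", "type": "network_connect", "pid": 4212,
     "image": "notepad.exe", "dest_host": "api.dropbox.com", "dest_port": 443},
    {"ts": "2021-08-25T10:15:00", "host": "ws-22", "type": "process_create",
     "image": "WINWORD.EXE", "pid": 2200, "parent_image": "explorer.exe"},
    {"ts": "2021-08-25T10:15:20", "host": "ws-22", "type": "registry_set", "pid": 2200,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options"},
    {"ts": "2021-08-25T10:16:00", "host": "ws-22", "type": "network_connect", "pid": 3300,
     "image": "Dropbox.exe", "dest_host": "api.dropbox.com", "dest_port": 443},
]


def correlate(events, window=WINDOW, min_stages=2):
    """Group events per host and look for the ordered chain
    T1112 (Office process edits the Office registry key) ->
    T1055 (that process creates a remote thread in notepad.exe) ->
    T1102.002 / T1567.002 (the injected process talks to a web service).
    A host is reported when at least `min_stages` stages occur within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        office_pids, injected_pids, stages, start = set(), set(), [], None
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if start is not None and t - start > window:
                break  # chain went stale; a production rule would open a new window here
            kind = ev["type"]
            if kind == "process_create" and ev["image"].lower() in OFFICE_IMAGES:
                office_pids.add(ev["pid"])  # lineage from process-creation telemetry
            elif (kind == "registry_set" and ev["pid"] in office_pids
                  and ev["key"].lower().startswith(OFFICE_KEY_PREFIX)):
                stages.append(("T1112", ev["ts"]))
            elif (kind == "remote_thread" and ev["pid"] in office_pids
                  and ev["target_image"].lower() in INJECTION_TARGETS):
                stages.append(("T1055", ev["ts"]))
                injected_pids.add(ev["target_pid"])
            elif (kind == "network_connect" and ev["pid"] in injected_pids
                  and any(d in ev["dest_host"].lower() for d in WEB_SERVICE_DOMAINS)):
                stages.append(("T1102.002", ev["ts"]))
            if stages and start is None:
                start = datetime.fromisoformat(stages[0][1])
        if len(stages) >= min_stages:
            findings.append({"host": host,
                             "techniques": [s[0] for s in stages],
                             "first_seen": stages[0][1], "last_seen": stages[-1][1]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports only `ws-17`, with all three stages and their timestamps. The benign host `ws-22` edits the same Office key and also talks to Dropbox, but from a legitimate client rather than an injected process, so it never reaches the two-stage threshold; that is the false-positive pressure the list above warns about, and raising `min_stages` to 3 or narrowing `WEB_SERVICE_DOMAINS` to services not sanctioned in your environment are the natural tuning knobs.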
Mitigation priorities
- Reduce user-executed malicious file risk through attachment handling, user awareness, application control, and least-privilege execution controls.
- Harden Windows endpoints for script, Visual Basic, registry, and native API abuse where operationally feasible.
- Limit and monitor outbound web access, especially unsanctioned cloud or web-service communication paths that could support C2 or exfiltration.
- Ensure endpoint controls can observe or block process injection, suspicious capture behaviors, and unauthorized tool transfer.
- Apply least privilege and credential hygiene to reduce the value of keylogging and user discovery if an endpoint is compromised.
Analyst notes and limits
This take is based on the official ATT&CK S0240 ROKRAT object, its external references, and supplied relationships. ATT&CK describes ROKRAT as a cloud-based RAT used by APT37 and lists multiple related techniques, but does not provide object-level tactics or detection guidance. Local validation should focus on whether the organization can observe the related behaviors on Windows systems and web egress paths.
No official detection text, aliases, labels, or object-level tactics were supplied. Technique relationships include platforms beyond Windows, but the malware object itself is supplied as Windows; this summary treats Windows as the supported platform for ROKRAT and uses broader technique platforms only as context. The supplied data does not support claims of current active exploitation, customer exposure, guaranteed detection, or attribution for any specific incident.
ROKRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1123 | Audio Capture | ROKRAT has an audio capture and eavesdropping module. (Citation: Securelist ScarCruft May 2019) |
| Enterprise | T1012 | Query Registry | ROKRAT can access the |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | ROKRAT can steal credentials stored in Web browsers by querying the sqlite database. (Citation: Talos Group123) |
| Enterprise | T1056.001 | Keylogging Sub-technique | ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes. (Citation: Talos ROKRAT) (Citation: Volexity InkySquid RokRAT August 2021) |
| Enterprise | T1106 | Native API | ROKRAT can use a variety of API calls to execute shellcode. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1622 | Debugger Evasion | ROKRAT can check for debugging tools. (Citation: Talos Group123) (Citation: NCCGroup RokRat Nov 2018) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1057 | Process Discovery | ROKRAT can list the current running processes on the system. (Citation: Talos ROKRAT) (Citation: NCCGroup RokRat Nov 2018) |
| Enterprise | T1070.004 | File Deletion Sub-technique | ROKRAT can request to delete files. (Citation: NCCGroup RokRat Nov 2018) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | ROKRAT has used Visual Basic for execution. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | ROKRAT can steal credentials by leveraging the Windows Vault mechanism. (Citation: Talos Group123) |
| Enterprise | T1480.001 | Environmental Keying Sub-technique | ROKRAT relies on a specific victim hostname to execute and decrypt important strings. (Citation: Volexity InkySquid RokRAT August 2021) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ROKRAT can send collected files back over the same C2 channel. (Citation: Talos ROKRAT) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1115 | Clipboard Data | ROKRAT can extract clipboard data from a compromised host. (Citation: Volexity InkySquid RokRAT August 2021) |
| Enterprise | T1027 | Obfuscated Files or Information | ROKRAT can encrypt data prior to exfiltration by using an RSA public key. (Citation: Volexity InkySquid RokRAT August 2021) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1497.001 | System Checks Sub-technique | ROKRAT can check for VMware-related files and DLLs related to sandboxes. (Citation: Talos Group123) (Citation: NCCGroup RokRat Nov 2018) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1083 | File and Directory Discovery | ROKRAT has the ability to gather a list of files and directories on the infected system. (Citation: Securelist ScarCruft May 2019) (Citation: NCCGroup RokRat Nov 2018) (Citation: Volexity InkySquid RokRAT August 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | ROKRAT can retrieve additional malicious payloads from its C2 server. (Citation: Talos ROKRAT) (Citation: NCCGroup RokRat Nov 2018) (Citation: Volexity InkySquid RokRAT August 2021) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ROKRAT can decrypt strings using the victim's hostname as the key. (Citation: Volexity InkySquid RokRAT August 2021) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications. (Citation: Talos ROKRAT) (Citation: Securelist ScarCruft May 2019) (Citation: Volexity InkySquid RokRAT August 2021) |
| Enterprise | T1113 | Screen Capture | ROKRAT can capture screenshots of the infected system using the `gdi32` library. (Citation: Talos ROKRAT) (Citation: Talos ROKRAT 2) (Citation: Securelist ScarCruft May 2019) (Citation: NCCGroup RokRat Nov 2018) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1033 | System Owner/User Discovery | ROKRAT can collect the username from a compromised host. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1055 | Process Injection | ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1082 | System Information Discovery | ROKRAT can gather the hostname and the OS version to ensure it doesn't run on Windows XP or Windows Server 2003 systems. (Citation: Talos ROKRAT) (Citation: Talos ROKRAT 2) (Citation: Securelist ScarCruft May 2019) (Citation: NCCGroup RokRat Nov 2018) (Citation: Volexity InkySquid RokRAT August 2021) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1010 | Application Window Discovery | ROKRAT can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing. (Citation: Talos ROKRAT) |
| Enterprise | T1005 | Data from Local System | ROKRAT can collect host data and specific file types. (Citation: NCCGroup RokRat Nov 2018) (Citation: Volexity InkySquid RokRAT August 2021) (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing. (Citation: Malwarebytes RokRAT VBA January 2021) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | ROKRAT can send collected data to cloud storage services such as PCloud. (Citation: Malwarebytes RokRAT VBA January 2021) (Citation: Volexity InkySquid RokRAT August 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | ROKRAT can use HTTP and HTTPS for command and control communication. (Citation: Talos ROKRAT) (Citation: NCCGroup RokRat Nov 2018) (Citation: Malwarebytes RokRAT VBA January 2021) |
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | 887050d01d7f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos ROKRAT: Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
- [2] Talos Group123: Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- [3] Volexity InkySquid RokRAT August 2021: Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- [4] ROKRAT: (Citation: Talos ROKRAT 2) (Citation: Talos Group123)
- [5] Talos ROKRAT 2: Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
- [6] mitre-attack S0240
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.