Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0240: ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[1][2][3]

EnterpriseS0240MalwareObject v2.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

ROKRAT matters because it represents a Windows remote access tool with collection, discovery, command-and-control, exfiltration, and stealth behaviors tied in ATT&CK to APT37 activity against South Korean victims from 2016 through 2021. For leaders, the value is not just naming the malware; it is testing whether the organization can spot a compromised endpoint that is quietly surveying the user, files, applications, registry, clipboard, screen, audio, and then moving data over web or web-service-based channels.

Executive priority

Prioritize ROKRAT as a readiness scenario for espionage-style intrusion response: endpoint visibility, user-executed malicious file controls, web egress governance, cloud/web-service monitoring, and evidence preservation. Security leaders should ask whether SOC and IR teams can reconstruct what data was accessed or captured, what credentials may have been exposed through keylogging, and whether web-based C2 or exfiltration would blend into approved business traffic. This is especially relevant to business continuity, legal/compliance evidence, and executive decision-making where sensitive communications, documents, or credentials are at risk.

Technical view

ATT&CK lists ROKRAT as Windows malware and relates it to behaviors spanning malicious file execution, Visual Basic and Native API execution, registry query/modification, process and window discovery, system/user/file discovery, process injection, obfuscation/deobfuscation, file deletion, collection from local system, keylogging, screen/audio/clipboard capture, ingress tool transfer, web protocol C2, bidirectional web-service communication, and exfiltration over the C2 channel. Because official detection text is not provided, teams should validate coverage behaviorally rather than relying on a malware name: correlate suspicious user-opened files with child process activity, registry access, process injection indicators, discovery bursts, unusual capture-related API/activity, tool downloads, and outbound web traffic patterns consistent with C2 and data movement.

Likely telemetry

  • Windows endpoint process creation, command-line, parent/child process, and script execution telemetry
  • Registry query and modification events
  • File creation, deletion, directory enumeration, and local data access telemetry
  • Endpoint detection signals for process injection, obfuscated payloads, and decode/deobfuscation activity
  • Clipboard, screen capture, audio device, and keylogging-related endpoint signals where available and lawful to collect

Detection direction

  • Build detections around the ATT&CK technique cluster, not just static indicators, because no official ATT&CK detection guidance is supplied for this object.
  • Correlate malicious-file execution with Visual Basic or Native API activity, registry changes, and immediate discovery commands or API-driven enumeration.
  • Tune for sequences: discovery of user/system/process/window/file context followed by collection behaviors and outbound web traffic.
  • Review web traffic to legitimate external web services for abnormal bidirectional patterns, while accounting for high false-positive potential from normal SaaS and browser use.
  • Validate endpoint visibility for capture behaviors such as keylogging, screen capture, audio capture, and clipboard access; these may be privacy-sensitive and unevenly logged.

Mitigation priorities

  • Reduce user-executed malicious file risk through attachment handling, user awareness, application control, and least-privilege execution controls.
  • Harden Windows endpoints for script, Visual Basic, registry, and native API abuse where operationally feasible.
  • Limit and monitor outbound web access, especially unsanctioned cloud or web-service communication paths that could support C2 or exfiltration.
  • Ensure endpoint controls can observe or block process injection, suspicious capture behaviors, and unauthorized tool transfer.
  • Apply least privilege and credential hygiene to reduce the value of keylogging and user discovery if an endpoint is compromised.
Analyst notes and limits

This take is based on the official ATT&CK S0240 ROKRAT object, its external references, and supplied relationships. ATT&CK describes ROKRAT as a cloud-based RAT used by APT37 and lists multiple related techniques, but does not provide object-level tactics or detection guidance. Local validation should focus on whether the organization can observe the related behaviors on Windows systems and web egress paths.

No official detection text, aliases, labels, or object-level tactics were supplied. Technique relationships include platforms beyond Windows, but the malware object itself is supplied as Windows; this summary treats Windows as the supported platform for ROKRAT and uses broader technique platforms only as context. The supplied data does not support claims of current active exploitation, customer exposure, guaranteed detection, or attribution for any specific incident.

Official MITRE ATT&CK definition

ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

30 rows
Domain ID Name Relationship / procedure
Enterprise T1112 Modify Registry

ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1123 Audio Capture

ROKRAT has an audio capture and eavesdropping module.CitationSecurelist ScarCruft May 2019
Enterprise T1012 Query Registry

ROKRAT can access the HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[2]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.[2]
Enterprise T1056.001 Keylogging Sub-technique

ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes.[1][3]
Enterprise T1106 Native API

ROKRAT can use a variety of API calls to execute shellcode.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1622 Debugger Evasion

ROKRAT can check for debugging tools.[2]CitationNCCGroup RokRat Nov 2018CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1057 Process Discovery

ROKRAT can list the current running processes on the system.[1]CitationNCCGroup RokRat Nov 2018
Enterprise T1070.004 File Deletion Sub-technique

ROKRAT can request to delete files.CitationNCCGroup RokRat Nov 2018
Enterprise T1059.005 Visual Basic Sub-technique

ROKRAT has used Visual Basic for execution.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1555.004 Windows Credential Manager Sub-technique

ROKRAT can steal credentials by leveraging the Windows Vault mechanism.[2]
Enterprise T1480.001 Environmental Keying Sub-technique

ROKRAT relies on a specific victim hostname to execute and decrypt important strings.[3]
Enterprise T1041 Exfiltration Over C2 Channel

ROKRAT can send collected files back over same C2 channel.[1]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1115 Clipboard Data

ROKRAT can extract clipboard data from a compromised host.[3]
Enterprise T1027 Obfuscated Files or Information

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[3]CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1497.001 System Checks Sub-technique

ROKRAT can check for VMware-related files and DLLs related to sandboxes.[2]CitationNCCGroup RokRat Nov 2018CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1083 File and Directory Discovery

ROKRAT has the ability to gather a list of files and directories on the infected system.CitationSecurelist ScarCruft May 2019CitationNCCGroup RokRat Nov 2018[3]
Enterprise T1105 Ingress Tool Transfer

ROKRAT can retrieve additional malicious payloads from its C2 server.[1]CitationNCCGroup RokRat Nov 2018[3]CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1140 Deobfuscate/Decode Files or Information

ROKRAT can decrypt strings using the victim's hostname as the key.[3]CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1102.002 Bidirectional Communication Sub-technique

ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.[1]CitationSecurelist ScarCruft May 2019[3]
Enterprise T1113 Screen Capture

ROKRAT can capture screenshots of the infected system using the `gdi32` library.[1][4]CitationSecurelist ScarCruft May 2019CitationNCCGroup RokRat Nov 2018CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1033 System Owner/User Discovery

ROKRAT can collect the username from a compromised host.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1055 Process Injection

ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1082 System Information Discovery

ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.[1][4]CitationSecurelist ScarCruft May 2019CitationNCCGroup RokRat Nov 2018[3]CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1010 Application Window Discovery

ROKRAT can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing.[1]
Enterprise T1005 Data from Local System

ROKRAT can collect host data and specific file types.CitationNCCGroup RokRat Nov 2018[3]CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1204.002 Malicious File Sub-technique

ROKRAT has relied upon users clicking on a malicious attachment delivered through spearphishing.CitationMalwarebytes RokRAT VBA January 2021
Enterprise T1567.002 Exfiltration to Cloud Storage Sub-technique

ROKRAT can send collected data to cloud storage services such as PCloud.CitationMalwarebytes RokRAT VBA January 2021[3]
Enterprise T1071.001 Web Protocols Sub-technique

ROKRAT can use HTTP and HTTPS for command and control communication.[1]CitationNCCGroup RokRat Nov 2018CitationMalwarebytes RokRAT VBA January 2021
Associated objects

Groups, software, and campaigns

Group Enterprise

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Relationship explorer

All related ATT&CK context

uses · Technique T1112: Modify Registry Enterprise uses · Technique T1123: Audio Capture Enterprise uses · Technique T1012: Query Registry Enterprise uses · Technique T1555.003: Credentials from Web Browsers Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1622: Debugger Evasion Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1555.004: Windows Credential Manager Enterprise uses · Technique T1480.001: Environmental Keying Enterprise uses · Group G0067: APT37 Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1115: Clipboard Data Enterprise uses · Technique T1027: Obfuscated Files or Information Enterprise uses · Technique T1497.001: System Checks Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1102.002: Bidirectional Communication Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.3
Created
Modified
Raw hash
887050d01d7f5f20...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.3 Current bundle 887050d01d7f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Talos ROKRAT

    Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.

    Open source URL
  2. [2]
    Talos Group123

    Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

    Open source URL
  3. [3]
    Volexity InkySquid RokRAT August 2021

    Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

    Open source URL
  4. [4]
    Talos ROKRAT 2

    Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.

    Open source URL
  5. [5]
    ROKRAT

    (Citation: Talos ROKRAT 2) (Citation: Talos Group123)

  6. [6]
    mitre-attack S0240
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use