Dark Hotel APT Group
Zscaler ThreatLabz identified activity attributed to the South Korea based Dark Hotel APT group. The attack was attributed to the group on the basis of a multi-layer malicious document, the artifacts dropped on the compromised system, reuse of the same C2 seen in previous attacks, and payload timestamps that align with previously documented Dark Hotel activity. The malicious document dropped an RTF file that released OLE objects into the %temp% directory. A five-stage attack was then observed: creation of a Zone.Identifier alternate data stream (ADS), creation of a registry key for persistence that executes VBScript code via MSHTA, and PowerShell execution of an encoded command leading to C2 communication.
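As an added detection example (not part of the Zscaler report), the Run-key persistence, MSHTA-launched VBScript and PowerShell encoded-command stages described above are matched against constructed sample events; the key=value event format, the registry value name, the parent/child process names and the encoded payload are all assumptions made here, not indicators from the report.

```python
import base64
import re

# Constructed PowerShell -EncodedCommand argument: PowerShell expects base64 of
# UTF-16LE text, so decoding must use that encoding, not UTF-8.
SAMPLE_ENCODED = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16le")).decode()

# Constructed sample events in a simplified key=value format (not real telemetry).
SAMPLE_EVENTS = [
    r'type=registry_set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" '
    r'value="mshta.exe vbscript:Execute(stage2_placeholder)"',
    r'type=process_create image="C:\Windows\System32\mshta.exe" parent="explorer.exe" '
    r'cmdline="mshta.exe vbscript:Execute(stage2_placeholder)"',
    r'type=process_create image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'parent="mshta.exe" cmdline="powershell.exe -NoP -W Hidden -EncodedCommand ' + SAMPLE_ENCODED + '"',
    r'type=process_create image="C:\Windows\System32\notepad.exe" parent="explorer.exe" cmdline="notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc ...);
# the minimum length keeps short flag values such as "Bypass" from matching.
ENC_RE = re.compile(r'-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', re.I)


def parse_event(line):
    """Split one key=value event line into a dict (quoted or bare values)."""
    return {name: quoted or bare for name, quoted, bare in FIELD_RE.findall(line)}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(lines):
    """Return (rule, detail) findings for the persistence and execution stages."""
    findings = []
    for ev in map(parse_event, lines):
        if ev.get("type") == "registry_set":
            if "\\currentversion\\run\\" in ev.get("key", "").lower() and "mshta" in ev.get("value", "").lower():
                findings.append(("run_key_mshta", ev["key"]))
        elif ev.get("type") == "process_create":
            image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "")
            if image.endswith("mshta.exe") and "vbscript:" in cmd.lower():
                findings.append(("mshta_vbscript", cmd))
            elif image.endswith("powershell.exe") and (decoded := decode_encoded_command(cmd)) is not None:
                # Record the parent so a mshta.exe -> powershell.exe chain stands out.
                findings.append(("powershell_encoded_from_" + ev.get("parent", "?").lower(), decoded))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```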