PhotoLoader
Category: Loader
⚠️ Overview
PhotoLoader is a downloader/loader: a first-stage component whose only job is to fetch and execute a second-stage payload, hiding that payload inside an otherwise valid image file. The sources compiled here tie it to North Korean espionage operations, naming both the RokRAT ecosystem (documented by Cisco Talos, whose RokRAT reporting dates from 2017, and attributed to APT37/ScarCruft) and Kimsuky (APT43 in Mandiant's naming). RokRAT and Kimsuky belong to two distinct DPRK clusters, so the attribution as compiled is internally inconsistent and should be checked against a primary report before it is used. Its delivery vector maps to MITRE ATT&CK T1566.001 (Phishing: Spearphishing Attachment).
🔧 Technical Capabilities
PhotoLoader arrives via spearphishing emails carrying malicious HWP or DOCX attachments that drop a compiled HTML help (CHM) file or a VBScript. Once running, it downloads a PNG that renders as a normal image but carries the encrypted second stage appended after the image data; the loader reads past the end of the image, decrypts the blob and executes it. C2 runs over HTTP, either to domains themed on Korean government or academic sites or directly to hardcoded IP addresses. Persistence is a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or a scheduled task. Evasion includes process hollowing into explorer.exe and a UAC bypass through the auto-elevated CMSTPLUA COM object (the ICMLuaUtil interface), which lets a medium-integrity process launch a command at high integrity without a consent prompt. It also enumerates running processes and services and terminates those whose names match a built-in list of security products.
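The image trick above is simple to reverse once you know where to look: a PNG viewer stops at the IEND chunk, so anything after it is invisible to the viewer but available to the loader. The following Python is an added analysis example, not PhotoLoader's own code. It walks the chunk list, verifies each CRC, reports any bytes that trail IEND, and decrypts them. The carrier image, the three-byte XOR key and the "second stage" bytes are all constructed for the demo; a real sample uses its own key and cipher, so treat the XOR step as a placeholder for whatever the sample implements.

```python
"""Added analysis example (not PhotoLoader's own code): walk a PNG chunk by
chunk, report bytes that follow the IEND chunk, and recover a payload that
was XOR-encrypted and appended there. The carrier image, the XOR key and
the 'second stage' bytes below are all constructed for the demo."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_sample_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal 8-bit RGB PNG that any viewer opens normally."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter byte + pixels per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for whatever cipher a real sample uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_png(data: bytes):
    """Return (chunks, trailer). chunks: list of (type, offset, length, crc_ok);
    trailer: every byte after the IEND chunk, which a viewer ignores."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk: stop and treat the rest as trailer
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), pos, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def extract_appended_payload(data: bytes, key: bytes):
    """Decrypt whatever trails IEND; None when the PNG is clean."""
    _, trailer = parse_png(data)
    if not trailer:
        return None
    return xor(trailer, key)


def is_pe(blob: bytes) -> bool:
    """Cheap check that the decrypted trailer starts with a DOS/PE header."""
    return blob[:2] == b"MZ"


KEY = b"\x5a\x3c\x9e"                                      # constructed; real samples use per-campaign keys
SECOND_STAGE = b"MZ\x90\x00" + b"constructed-second-stage"  # constructed stand-in for a PE, not real malware
CARRIER = build_sample_png()
SMUGGLED = CARRIER + xor(SECOND_STAGE, KEY)                # what the loader would download

if __name__ == "__main__":
    chunks, trailer = parse_png(SMUGGLED)
    print("chunks:", [c[0] for c in chunks], "| bytes after IEND:", len(trailer))
    payload = extract_appended_payload(SMUGGLED, KEY)
    print("decrypted trailer looks like a PE:", is_pe(payload))
```

Run it against a suspect image with `parse_png(open(path, "rb").read())`: a non-empty trailer, or a CRC failure on a chunk, is the thing to triage. Keep in mind that some legitimate tools also leave bytes after IEND (metadata, concatenated files), so the trailer length and its entropy should feed a score rather than an automatic block.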
📜 History & Notable Incidents
First observed in 2016 against South Korean think tanks and government agencies, PhotoLoader was reportedly used in the 2018 Operation Cloudburst campaign against nuclear-related organizations. In 2020 a variant gained initial access through CVE-2017-11882, the stack buffer overflow in Microsoft Office's Equation Editor (EQNEDT32.EXE), triggered from a crafted Office document. A 2022 Kimsuky campaign used PhotoLoader as the precursor to the BabyShark backdoor against academic institutions in the United States and Europe. No law enforcement actions have been publicly documented.
🔍 Detection Indicators
The SHA256 value carried over from the source for this entry is malformed (63 hex characters, where a SHA256 digest has 64), so it is not reproduced here and must not be loaded into a blocklist; take file hashes from a primary source such as VirusTotal. Reported host indicators are a scheduled task named ImageUpdateTask and a mutex named PhotoLoaderMutex. Network indicators: an HTTP User-Agent that begins with the Chrome prefix "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" but, instead of continuing with "(KHTML, like Gecko) ...", ends in a base64-encoded token carrying host data; and C2 domains under .com or .net containing the words "photo" or "image". The domain pattern alone is far too broad to alert on; use it only to raise the score of a User-Agent or task-name hit.
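The User-Agent anomaly is the one network indicator here that is specific enough to detect on its own, and the domain keywords only make sense as a secondary signal. The Python below is an added example (not from the page's sources) that runs both checks over a few constructed proxy log lines: it splits the User-Agent at the Chrome prefix, tests whether the remainder is a base64 token rather than the normal "(KHTML, like Gecko)" continuation, decodes it, and scores the domain keyword hit as low-confidence unless the User-Agent also fires. The log format (timestamp, client, host, path, quoted User-Agent), the hostnames and the encoded beacon are all made up for the demo. Host-side indicators such as the task and mutex names need an EDR or scheduled-task query and are not covered by this block.

```python
"""Added detection example (not from the page's sources): score proxy log
lines for a Chrome-prefixed User-Agent that ends in a base64 token instead
of the normal '(KHTML, like Gecko)' continuation, and for 'photo'/'image'
C2 domain keywords. All log lines below are constructed, not real traffic."""
import base64
import binascii
import re

UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')   # ts client host path "ua"
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
DOMAIN_KEYWORDS = ("photo", "image")

# Constructed sample log; the token on line 2 decodes to "HostName=WKS01;User=jdoe".
SAMPLE_LOG = (
    '2024-05-01T09:00:01Z 10.1.2.3 cdn.example.com /img/logo.png '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"\n'
    '2024-05-01T09:00:07Z 10.1.2.3 photo-hosting-update.com /gallery/1.png '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 SG9zdE5hbWU9V0tTMDE7VXNlcj1qZG9l"\n'
    '2024-05-01T09:00:09Z 10.1.2.4 www.myphotos.net /index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"\n'
)


def decode_ua_suffix(ua: str):
    """Return the decoded beacon if the UA is the bare Chrome prefix plus a
    base64 token; None for a genuine browser UA or anything else."""
    if not ua.startswith(UA_PREFIX):
        return None
    rest = ua[len(UA_PREFIX):].strip()
    if not rest or not B64_RE.match(rest):
        return None  # real Chrome continues with "(KHTML, like Gecko) Chrome/..."
    try:
        return base64.b64decode(rest, validate=True)
    except (ValueError, binascii.Error):
        return None


def domain_keyword_hit(host: str) -> bool:
    return any(k in host.lower() for k in DOMAIN_KEYWORDS)


def scan_log(text: str):
    """One finding per suspicious line: reasons, decoded beacon, severity."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, host, path, ua = m.groups()
        reasons, decoded = [], decode_ua_suffix(ua)
        if decoded is not None:
            reasons.append("ua_base64_suffix")
        if domain_keyword_hit(host):
            reasons.append("domain_keyword")
        if not reasons:
            continue
        # The keyword alone is noise; only the UA anomaly earns a high severity.
        severity = "high" if "ua_base64_suffix" in reasons else "low"
        findings.append({"ts": ts, "client": client, "host": host, "path": path,
                         "reasons": reasons, "decoded": decoded, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["client"], f["host"], f["reasons"], f["decoded"])
```

Feed it real proxy logs by adjusting LOG_RE to your format; the `decoded` field is worth surfacing in the alert, because a beacon that carries hostname and username in clear base64 is what an analyst needs to confirm the hit without pulling the binary.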
☠️ Risk & Impact
PhotoLoader exists to stage espionage tooling: the loader itself only fetches and runs the next payload, while the backdoors it delivers (RokRAT, BabyShark) do the collection of documents, keystrokes and screenshots. It has been linked to the theft of defense and geopolitical research from South Korean and US academic institutions; no public figure for the value of that data is given in the sources compiled here. The malware does not encrypt files. Its impact is the full system compromise that follows a successful second-stage deployment.
🛡️ Mitigation
Patch Office against CVE-2017-11882 and CVE-2018-0802 (the Equation Editor bug and its patch bypass), or remove the Equation Editor component outright where it is not needed. Block execution of CHM content (hh.exe and .chm attachments) with AppLocker or WDAC policy pushed through Group Policy, and strip .chm and macro-bearing attachments at the mail gateway. Scan inbound images with a YARA rule that flags PNG files carrying data after the IEND chunk. On the network, write a local Snort or Suricata rule (local SIDs start at 1000000) that matches an HTTP User-Agent beginning with the Chrome prefix above but lacking the "(KHTML, like Gecko)" continuation; the sources compiled here cite no vendor-published SID for this family.
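Most of the mitigations above collapse into one decision at the mail gateway: what to do with an attachment before a user opens it. The Python below is an added example, not the page's or any vendor's code, of that policy: it blocks compiled HTML help containers by their ITSF magic (not just by extension), quarantines legacy OLE compound files (which covers .doc and HWP 5.x), and for .docx unzips the package and looks for Equation Editor objects (ProgID "Equation.2"/"Equation.3" in word/document.xml, the class abused by CVE-2017-11882 and CVE-2018-0802), VBA projects and embedded OLE parts. The .docx and .chm samples are constructed in the block; the verdict names and the policy thresholds are this example's choices.

```python
"""Added mail-gateway screening example (not from the page's sources): block
compiled HTML help containers by magic, quarantine legacy OLE files, and
quarantine .docx packages that embed Equation Editor objects, macros or OLE
parts. Every sample document below is constructed for the demo."""
import io
import re
import zipfile

CHM_MAGIC = b"ITSF"                                   # compiled HTML help (ITSS) header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # OLE compound file (.doc, .xls, HWP 5.x)
EQN_PROGID = re.compile(rb'ProgID="Equation\.[23]"')  # Equation Editor objects in word/document.xml


def screen_attachment(name: str, data: bytes):
    """Return (verdict, reason) with verdict in {'block', 'quarantine', 'allow'}."""
    lname = name.lower()
    if data.startswith(CHM_MAGIC) or lname.endswith(".chm"):
        return "block", "compiled HTML help container"
    if data.startswith(OLE_MAGIC):
        return "quarantine", "legacy OLE compound document; detonate before delivery"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "word/document.xml" in names and EQN_PROGID.search(z.read("word/document.xml")):
                return "quarantine", "Equation Editor OLE object (CVE-2017-11882 / CVE-2018-0802 vector)"
            if any(n.endswith("vbaProject.bin") for n in names):
                return "quarantine", "VBA macro project"
            if any(n.startswith("word/embeddings/") for n in names):
                return "quarantine", "embedded OLE object"
    return "allow", ""


def build_docx(document_xml: bytes, extra=()) -> bytes:
    """Constructed minimal .docx carrying only the parts the policy inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        for path, blob in extra:
            z.writestr(path, blob)
    return buf.getvalue()


# Constructed samples: one document embedding an Equation.3 object, one clean, one CHM.
DOCX_EQN = build_docx(
    b'<w:document><w:body><w:p><w:r><w:object>'
    b'<o:OLEObject Type="Embed" ProgID="Equation.3" ShapeID="_x0000_i1025"/>'
    b"</w:object></w:r></w:p></w:body></w:document>",
    extra=[("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)],
)
DOCX_CLEAN = build_docx(b"<w:document><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>")
CHM_SAMPLE = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60

if __name__ == "__main__":
    for fname, blob in [("notes.docx", DOCX_EQN), ("report.docx", DOCX_CLEAN), ("help.chm", CHM_SAMPLE)]:
        print(fname, screen_attachment(fname, blob))
```

The Equation Editor check is deliberately a quarantine rather than a block: old technical documents legitimately embed Equation.3 objects, but after the Equation Editor CVEs any such object from an external sender deserves a sandbox run before release. The ITSF check, by contrast, is safe to block outright, since CHM is almost never a legitimate email attachment.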
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.