Pillowmint
Malware
⚠️ Overview
Pillowmint is a custom remote access trojan (RAT) and backdoor attributed to the North Korean threat group APT37 (also tracked as Reaper, ScarCruft, and Group 123). First identified publicly in early 2018 by Mandiant and Trend Micro, Pillowmint has been used exclusively in espionage campaigns targeting South Korean government agencies, defense contractors, and research institutions involved in unification policy.
🔧 Technical Capabilities
Pillowmint is delivered via spear-phishing emails containing malicious Hangul Word Processor (HWP) documents that exploit vulnerabilities such as CVE-2018-8174 (VBScript Engine) and CVE-2017-11882 (Microsoft Office Equation Editor) to execute shellcode. Once installed, the backdoor collects system metadata, logs keystrokes, captures screenshots, and exfiltrates documents to attacker-controlled C2 servers over HTTP with RC2 encryption. Persistence is achieved through registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. For evasion, Pillowmint uses DLL side-loading techniques (MITRE T1574.002) and packers to obfuscate its payload, and it can check for sandbox environments before executing malicious routines.
📜 History & Notable Incidents
Pillowmint was first observed in a campaign by APT37 in January 2018 targeting South Korean defense industry personnel, as documented in the Mandiant M-Trends 2019 report. A notable incident involved the compromise of a South Korean aerospace research institute in May 2018, where Pillowmint exfiltrated classified defense plans. In 2019, CISA released alert AA19-224A detailing APT37's use of Pillowmint alongside BLUELIGHT and SHARPKNOT, linking the malware to the North Korean Reconnaissance General Bureau.
🔍 Detection Indicators
Behavioral indicators include suspicious execution of rundll32.exe with a DLL named "pillowmint.dll" and outbound HTTP requests to domains mimicking legitimate South Korean news sites. Network indicators feature the user-agent string "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" and RC2-encrypted cookies. Registry artifacts include the value WindowsUpdateJ under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to the malicious DLL. YARA rules for Pillowmint are available in the Mandiant GitHub repository.
☠️ Risk & Impact
Pillowmint enables state-sponsored espionage, leading to the exfiltration of sensitive defense and diplomatic documents. Affected sectors include South Korean government, military, and think tanks focused on North Korea unification. The FBI assessed that APT37 operations using Pillowmint resulted in the loss of classified information on military strategy and defense technology, potentially impacting regional security.
🛡️ Mitigation
Defenders should apply patches for CVE-2018-8174 and CVE-2017-11882, block execution of untrusted HWP documents, and deploy endpoint detection rules that monitor for DLL side-loading via rundll32.exe from user-writable directories. Organizations should enable network traffic inspection for RC2-encrypted HTTP sessions and implement application whitelisting to prevent unauthorized executables.
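As an added example, not part of the original profile and not vendor tooling: a small Python triage script that applies the indicators listed above (rundll32.exe loading pillowmint.dll, especially from a user-writable directory, the Pillowmint user-agent string, and the WindowsUpdateJ Run-key value) to constructed sample process, proxy and registry events. The event dictionary layout and the set of user-writable roots are assumptions.

```python
import re
# Indicators as listed in the profile above; every event below is constructed sample telemetry.
SUSPECT_DLL = "pillowmint.dll"
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WindowsUpdateJ"
# Assumed user-writable roots from which rundll32 should not be loading DLLs.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
DLL_ARG = re.compile(r'([A-Za-z]:\\[^",]+?\.dll)', re.IGNORECASE)

def check_process(ev):
    """rundll32.exe invoking pillowmint.dll, or any DLL sitting in a user-writable directory."""
    m = DLL_ARG.search(ev.get("cmdline", ""))
    if not ev.get("image", "").lower().endswith("rundll32.exe") or not m:
        return []
    dll, hits = m.group(1), []
    if dll.lower().endswith(SUSPECT_DLL):
        hits.append("rundll32 loading " + SUSPECT_DLL)
    if USER_WRITABLE.match(dll):
        hits.append("rundll32 side-loading DLL from user-writable path")
    return hits

def check_http(ev):  # outbound request carrying the user-agent string attributed to Pillowmint
    return ["Pillowmint user-agent to " + ev.get("host", "?")] if ev.get("user_agent") == SUSPECT_UA else []

def check_registry(ev):  # Run-key value WindowsUpdateJ being written, the registry artifact above
    if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value") == RUN_VALUE:
        return ["Run key value %s -> %s" % (RUN_VALUE, ev.get("data"))]
    return []

CHECKS = {"process": check_process, "http": check_http, "registry": check_registry}
def scan(events):
    """Return (event id, finding) pairs for every indicator hit across the event stream."""
    return [(ev["id"], f) for ev in events for f in CHECKS.get(ev["type"], lambda e: [])(ev)]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\pillowmint.dll",Start'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 3, "type": "http", "host": "news-example.invalid", "user_agent": SUSPECT_UA},
    {"id": 4, "type": "http", "host": "update.example.invalid", "user_agent": "Mozilla/5.0 Chrome/120"},
    {"id": 5, "type": "registry", "key": RUN_KEY, "value": RUN_VALUE, "data": r"C:\Users\alice\AppData\Roaming\pillowmint.dll"},
    {"id": 6, "type": "registry", "key": RUN_KEY, "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\OneDrive.exe"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(event_id, finding)
```

Only events 1, 3 and 5 produce findings; the benign rundll32 invocation from System32 and the ordinary Run-key entry are left alone.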