
DarkSamural APT Group Deploys LNK/PDF Malware to Steal Critical Information

DarkSamural, a newly identified subspecies of the notorious OceanLotus APT, has launched a sophisticated campaign targeting high-value organizations in Pakistan.

Leveraging malicious LNK files masquerading as PDF documents and MSC containers built with the GrimResource technique, the group delivered a multi-stage payload designed to exfiltrate critical data.

After in-depth sample and correlation analysis, cybersecurity researchers have assessed DarkSamural’s operations to be a false-flag undertaking orchestrated by Patchwork.

Patchwork, also known as APT Group 72, surfaced around 2009 but only gained international prominence in 2015 when Cymmetria revealed its extensive espionage operations.

Its primary targets include military, diplomatic, educational, and scientific research institutions across China, Pakistan, and Bangladesh.

Patchwork’s hallmark is spear-phishing: crafting emails with attachments that appear innocuous but conceal malicious executables. In this campaign, the attackers exploited Windows MSC files, disguising them with PDF icons to mislead victims.

Upon opening, these containers invoke mmc.exe to load an ActiveX object, enabling embedded JavaScript to fetch and execute subsequent payloads from remote command-and-control servers.

Patchwork maintains an arsenal of proprietary and open-source tools. Their lineup includes the BADNEWS RAT for stealthy remote access, QuasarRAT and AsyncRAT for straightforward C2 communication, Mythic as a modular penetration-testing framework, commercial Remcos RAT, and NorthStarC2.

By cycling through these tools, the group ensures persistent control over compromised environments and evades signature-based defenses.

Tactics, Techniques, and Procedures

Initial compromise hinges on deceptive emails containing a compressed archive labeled as “Drone_Information.pdf.msc.” When executed, the .msc file leverages GrimResource to decrypt and run obfuscated JScript, which then downloads a second-stage HTML file named Unit-942-Drone-Info-MAK3.html.

This file contains two layers of obfuscated JavaScript. The first layer triggers an XSLT transformation via CLSID 2933BF90-7B36-11D2-B20E-00C04F983E60, fetching additional script from a remote URL. The second layer downloads the real payload, Drone_Information.pdf, to C:\Users\Public.

To evade detection, the JavaScript is heavily obfuscated across multiple layers, while legitimate Windows utilities such as dism.exe are repurposed to sideload a malicious DLL renamed DismCore.dll.

Persistence is achieved by registering scheduled tasks named MicrosoftEdgeUpdateTaskMachineCoreXUI and creating startup entries.

Once resident, the implant writes log data to C:\ProgramData\6092E833-F189-4160-951D.log before renaming it to DismCore.dll and invoking its exported DllRegisterServer, which dynamically resolves API addresses and spawns the Mythic agent.
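The chain described above leaves several host-level traces a defender can match on: mmc.exe opening a double-extension .msc lure, DismCore.dll loaded from outside the Windows directory, the named scheduled task, and a .log in ProgramData renamed to a .dll. The following detection rules, run over constructed sample telemetry, are an added example and not part of the original report; the event field names are a simplified, hypothetical schema.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events (not real telemetry), one per TTP plus a benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'mmc.exe "C:\Users\victim\Downloads\Drone_Information.pdf.msc"'},
    {"type": "image_load", "image": r"C:\Users\Public\dism.exe",
     "loaded": r"C:\Users\Public\DismCore.dll"},
    {"type": "task_create", "name": r"\MicrosoftEdgeUpdateTaskMachineCoreXUI"},
    {"type": "file_rename", "src": r"C:\ProgramData\6092E833-F189-4160-951D.log",
     "dst": r"C:\ProgramData\DismCore.dll"},
    # Benign control: the real dism.exe loading its own DismCore.dll from System32.
    {"type": "image_load", "image": r"C:\Windows\System32\Dism.exe",
     "loaded": r"C:\Windows\System32\Dism\DismCore.dll"},
]

def _msc_double_extension(e: Dict[str, str]) -> bool:
    # mmc.exe launched with a "<doc>.pdf.msc"-style argument (PDF-icon lure).
    return e["image"].lower().endswith(r"\mmc.exe") and \
        re.search(r"\.(pdf|docx?|xlsx?)\.msc\b", e["cmdline"], re.I) is not None

def _dismcore_sideload(e: Dict[str, str]) -> bool:
    # DismCore.dll resolved from anywhere other than the Windows directory.
    loaded = e["loaded"].lower()
    return loaded.endswith("\\dismcore.dll") and not loaded.startswith("c:\\windows\\")

def _suspicious_task(e: Dict[str, str]) -> bool:
    # Persistence task name used by the implant (no such Edge task ships with Windows).
    return e["name"].lower().endswith("microsoftedgeupdatetaskmachinecorexui")

def _log_to_dll(e: Dict[str, str]) -> bool:
    # A .log file in ProgramData renamed to a .dll before sideloading.
    src, dst = e["src"].lower(), e["dst"].lower()
    return src.endswith(".log") and dst.endswith(".dll") and dst.startswith("c:\\programdata\\")

RULES: List[Tuple[str, str, Callable[[Dict[str, str]], bool]]] = [
    ("msc_double_extension", "process", _msc_double_extension),
    ("dismcore_sideload", "image_load", _dismcore_sideload),
    ("suspicious_task_name", "task_create", _suspicious_task),
    ("log_renamed_to_dll", "file_rename", _log_to_dll),
]

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits: List[Tuple[str, int]] = []
    for i, e in enumerate(events):
        for name, etype, pred in RULES:
            if e["type"] == etype and pred(e):
                hits.append((name, i))
    return hits

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"[{rule}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Each rule fires on one of the four malicious events and stays silent on the benign System32 load, which is the distinction the sideloading step relies on.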

Correlation Findings

The Mythic agent, compiled on May 29, 2025, communicates with its C2 at https://d11d6t6zp1jvtm.cloudfront.net/data using AES-HMAC encryption.

It crafts POST requests via WinHTTP APIs, appending IV values to payloads encrypted with a shared 256-bit key. During each check-in, the implant reports host details—IP, OS, user, hostname, PID, and UUID—mirroring legitimate Mythic traffic patterns.

Figure: the checkin flag in the action field of this sample, the online packet data structure, and the encryption method (AES-128-GCM).

Notably, the HTML lure page contains Vietnamese-language branding claiming affiliation to Dark Samurai, suggesting a deliberate misdirection.

Correlation analysis of these domains and additional Protego samples led researchers to attribute the entire operation to Patchwork, marking DarkSamural as a purposeful false-flag designed to sow confusion among threat intelligence communities.

As the campaign unfolds, organizations in South Asia and beyond must reinforce email filtering, scrutinize seemingly benign document files, and employ behavioral detection capable of parsing multi-layered scripts.

With Patchwork’s evolving toolkit, defenders face a formidable adversary adept at deception and rapid toolchain rotation.
