A North Korea-linked hacker group has apparently launched a new malware campaign that infects computers through highly deceptive emails, tricking targets into opening infected Hangul Word Processor (HWP) documents in order to steal data.
The Genians Security Center (GSC), a South Korea-based cybersecurity company, released a report on Monday detailing the operation, code-named “Artemis,” which it attributes to APT37, a known North Korean cyber espionage group, and which ran from August to November.
According to the center’s findings, the threat actors used spear phishing, sending emails posing as a writer for Korean TV programs, reaching out to targets for casting or interview arrangements.
The emails carry an HWP file, disguised as a pre-interview questionnaire or event guide, with malicious object linking and embedding (OLE) code embedded inside it.
When the target opens the document and clicks a hyperlink in the file, the attack chain is triggered.
After infection, a combination of techniques, including steganography and DLL side-loading, was used to evade detection and conceal the delivery of the RoKRAT malware used for information theft.
The findings follow a report in October by 38 North, a U.S. media outlet specializing in North Korea, which stated that the HWP document format, which is widely used as a standard in South Korea, has effectively become a “durable attack vector.”
GSC said this case is a strong indicator that state-backed threat actors continue to evolve their tactics to evade detection, and that similar multi-layered concealment strategies are highly likely to be applied more extensively in future attacks.