In March 2025, the Ricochet Chollima advanced persistent threat group began a targeted campaign against North Korea-focused organizations and activists. The operation, which Genians Security Center has dubbed "Operation: ToyBox Story," uses a deft mix of malware delivery and social engineering techniques.

Attackers pose as North Korea-focused security experts in spear-phishing emails that seem to be from reliable sources.

Dropbox links in these emails open compressed archives containing malicious Windows shortcut files. Unknowingly, the victims download files that, when opened, cause hidden code to be executed.

The attack shows a high level of skill in masking harmful content. Threat actors used culturally relevant content to craft emails with subject lines that mentioned North Korean troops stationed in Russia in order to boost user engagement. In order to trick recipients into believing they are opening standard documents rather than executable files, the email attachments imitate Hangul document icons, which are frequently connected to authentic Korean word processors.

Operation: ToyBox Story (Source: Medium)

Because users trust well-known file icons and the companies they believe are sending the messages, this social engineering strategy works. After examining the technical features and infection chain of the campaign, S3N4T0R, an offensive security engineer, identified the malware.

S3N4T0R discovered that the attack goes through several phases, each of which is intended to avoid security measures and persist on compromised systems. The analysis showed that rather than writing files to disk, attackers purposefully designed the malware to remain hidden in system memory.

Memory Injection for Fileless Execution

The ability of this malware to run code without leaving any traces on the hard drive is its most dangerous feature.

When victims extract the ZIP archive and open the seemingly innocent document file, a hidden PowerShell command embedded within the shortcut executes silently.

This command launches a batch file called "toy03.bat," which in turn loads a file called "toy02.dat" from the temporary folder.

Toy.bat (Source: Medium)

Bypassing conventional file-based detection techniques, the loader decodes the XOR-transformed data and injects shellcode straight into memory. Once the shellcode is in memory, the malware starts a new thread to execute the injected code.
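The chain described above (shortcut opened from Explorer, hidden PowerShell, a .bat and a .dat under the temp folder) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the article or from S3N4T0R's analysis: a small heuristic run over constructed Sysmon-style process events; the field names, process IDs and command lines are assumptions, and the file names are taken from the article.

```python
import re
from dataclasses import dataclass

# Heuristics for the ToyBox-style chain; thresholds and patterns are assumptions.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
TEMP_SCRIPT = re.compile(r"(?:%temp%|\$env:temp|\\temp\\)[^\s\"']*\.(?:bat|dat)\b", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1-like fields, assumed)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


def score_event(ev: ProcEvent) -> list:
    """Return the reasons this event resembles the LNK -> PowerShell -> %TEMP% chain."""
    reasons = []
    if not ev.image.lower().endswith(POWERSHELL):
        return reasons
    if ev.parent_image.lower().endswith("explorer.exe"):
        reasons.append("powershell spawned directly from explorer (shortcut double-click pattern)")
    if HIDDEN_WINDOW.search(ev.command_line):
        reasons.append("hidden window requested")
    if TEMP_SCRIPT.search(ev.command_line):
        reasons.append("references .bat/.dat under the temp folder")
    return reasons


def detect(events, min_reasons=2):
    """Flag events that hit at least min_reasons heuristics; returns (pid, reasons)."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev.pid, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from the campaign
    ProcEvent(4120, r"C:\Windows\explorer.exe", PS,
              r'powershell.exe -WindowStyle Hidden -NoProfile -c "& $env:TEMP\toy03.bat"'),
    ProcEvent(4188, r"C:\Windows\System32\cmd.exe", PS,  # benign admin task
              r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"),
    ProcEvent(4201, r"C:\Windows\System32\svchost.exe", PS,  # hidden alone is common
              r"powershell.exe -WindowStyle Hidden -File C:\Program Files\Agent\health.ps1"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps a lone hidden-window flag (routine for scheduled tasks) from alerting while still catching the combination the article describes.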

Because the malicious program leaves very little evidence on disk, this technique—known as fileless malware execution—presents significant challenges for security teams.

After that, the malware establishes communication via Dropbox API channels, enabling attackers to conceal their actions within legitimate cloud service traffic while sending commands and receiving stolen data.

This strategy is a major advancement in APT tactics, using trusted services to hide malicious operations and making detection much more challenging for defenders.