Recent OTX pulses reveal a convergence of sophisticated threat activities targeting Government, Technology, and Media sectors globally. The intelligence highlights three distinct campaigns:
- ASO RAT: A tailored, Arabic-language Android surveillance platform specifically targeting entities in Syria with ties to the government and media. It utilizes DDNS infrastructure and masquerades as legitimate government applications.
- Warlock (LockBit): An evolution of the LockBit ransomware operations by the "Warlock" group. They have enhanced their attack chain with BYOVD (Bring Your Own Vulnerable Driver) techniques using the NSec driver, along with tools like TightVNC and Yuze for persistence and lateral movement.
- APT37 (ROKRAT): A North Korean state-sponsored actor employing pretexting via Facebook and Telegram to distribute ROKRAT. They use Zoho WorkDrive for C2 and employ shellcode injection and process hollowing to evade detection.
Collectively, these threats demonstrate a shift towards complex initial access vectors (social engineering, trojanized apps), robust C2 infrastructure (DDNS, Cloud services), and advanced evasion techniques (BYOVD, process hollowing).
Threat Actor / Malware Profile
ASO RAT
- Type: Android Remote Access Trojan (Surveillance)
- Distribution: Disguised as PDF readers and Syrian government applications.
- Capabilities: SMS interception, camera/mic access, GPS tracking, call logging, file exfiltration, and DDoS functionality.
- C2 Infrastructure: Utilizes DDNS (aso.ddns.net) resolving to Frankfurt-based IPs.
Warlock (LockBit)
- Type: Ransomware-as-a-Service / Affiliate Operations
- Tools: TightVNC (remote control), Yuze (tunneling), custom NSec driver exploit.
- Persistence: BYOVD technique exploiting the NSec driver to terminate security processes and maintain kernel-level access.
- Targets: Broad focus on Technology, Manufacturing, and Government in the US, Germany, and Russia.
APT37 (ROKRAT)
- Type: State-Sponsored Espionage (North Korea)
- Distribution: Social engineering (Pretexting) via Facebook Messenger, moving to Telegram to deliver malicious "encrypted PDF" installers.
- Techniques: Process hollowing, shellcode injection, installer tampering.
- C2: Abuse of legitimate cloud storage (Zoho WorkDrive) for command and control, making network detection difficult.
IOC Analysis
The provided IOCs include a mix of network and file-based indicators:
- Network: aso.ddns.net, IPv4 addresses (e.g., 45.74.4.179, 88.3.137.237, 38.32.68.195). SOC teams should immediately block these at the perimeter and firewalls.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes for ASO RAT samples, Warlock tools (LockBin, TightVNC), and ROKRAT payloads.
- Operationalization:
  - EDR: Query for file hashes (SHA256: 206f27ae..., 34b2a6c3...) and process names (tightvnc.exe).
  - SIEM: Correlate outbound connections to aso.ddns.net or zohoworkdrive domains with non-corporate user-agents or unusual process paths.
  - Mobile Security: Scan app repositories for the specific ASO RAT MD5 hashes (31514358...).
Detection Engineering
```yaml
---
title: Potential ASO RAT C2 Communication
id: 8a7b6c5d-4e3f-2a1b-9c8d-7e6f5a4b3c2d
status: experimental
description: Detects network connections to known ASO RAT DDNS infrastructure observed in active campaigns targeting Syria.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/15
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    # Standard Sigma field for the resolved destination in network_connection events
    DestinationHostname:
      - 'aso.ddns.net'
  condition: selection
falsepositives:
  - Unknown
level: high
---
title: Warlock Ransomware Tooling Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects execution of TightVNC or loading of the NSec driver associated with Warlock ransomware persistence.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/15
logsource:
  # Process creation (ID 1) and driver load (ID 6) are different Sysmon event
  # types, so the rule is keyed on the Sysmon channel plus EventID instead of
  # the process_creation category, which cannot carry driver-load events.
  product: windows
  service: sysmon
detection:
  selection_tightvnc:
    EventID: 1 # Process created
    Image|contains:
      - 'tightvnc.exe'
  selection_driver:
    EventID: 6 # Driver loaded
    ImageLoaded|endswith:
      - '\nsec.sys'
  condition: 1 of selection_*
falsepositives:
  - Legitimate administrative use of TightVNC
level: medium
---
title: APT37 ROKRAT Suspicious Zoho WorkDrive Activity
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
status: experimental
description: Detects potential C2 traffic to Zoho WorkDrive used by APT37, excluding common browser processes.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/04/15
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'zohoworkdrive'
  filter_legit:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate Zoho WorkDrive desktop client
level: low
```
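As an added example (not code from the report or from the OTX pulses), the logic of the three Sigma rules above, together with the process-aware correlation described under Operationalization, implemented in Python over constructed Sysmon-style events; the sample events, paths and hostnames are assumptions built for the demonstration.

```python
from typing import Iterable, List, Optional, Tuple

# Indicators as listed in the report above.
ASO_C2_DOMAIN = "aso.ddns.net"
ASO_C2_IPS = {"45.74.4.179", "88.3.137.237", "38.32.68.195", "222.122.49.15"}
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")  # filter_legit in the Zoho rule
WARLOCK = "Warlock Ransomware Tooling Execution"


def match_event(ev: dict) -> Optional[str]:
    """Apply the three rules to one Sysmon-style event; return the matching rule title or None."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == 3:  # Sysmon network connection
        host = ev.get("DestinationHostname", "").lower()
        if host == ASO_C2_DOMAIN or ev.get("DestinationIp") in ASO_C2_IPS:
            return "Potential ASO RAT C2 Communication"
        # 'selection and not filter_legit': any non-browser process reaching Zoho WorkDrive
        if "zohoworkdrive" in host and not image.endswith(BROWSERS):
            return "APT37 ROKRAT Suspicious Zoho WorkDrive Activity"
    elif eid == 1 and "tightvnc.exe" in image:  # Sysmon process creation
        return WARLOCK
    elif eid == 6 and ev.get("ImageLoaded", "").lower().endswith("\\nsec.sys"):  # driver load
        return WARLOCK
    return None


def hunt(events: Iterable[dict]) -> List[Tuple[int, str, str]]:
    """Return (EventID, process or driver path, rule title) for every matching event."""
    hits = []
    for ev in events:
        title = match_event(ev)
        if title:
            hits.append((ev["EventID"], ev.get("Image") or ev.get("ImageLoaded", ""), title))
    return hits


# Constructed sample telemetry for this example (not real events from the pulses).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe",
     "DestinationHostname": "aso.ddns.net", "DestinationIp": "45.74.4.179"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "files.zohoworkdrive.example", "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "Image": "C:\\Users\\u\\Downloads\\Encrypted_PDF_Viewer.exe",
     "DestinationHostname": "files.zohoworkdrive.example", "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "Image": "C:\\ProgramData\\tightvnc.exe"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\nsec.sys"},
    {"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationHostname": "outlook.office365.com", "DestinationIp": "203.0.113.20"},
]

if __name__ == "__main__":
    for eid, path, title in hunt(SAMPLE_EVENTS):
        print(f"[EventID {eid}] {title}: {path}")
```

The Zoho selector keys on the substring 'zohoworkdrive' exactly as the report's rule does; confirm it matches the hostnames your proxy or Sysmon telemetry actually records for the service before relying on it.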
```kql
// Hunt for Warlock and APT37 File Hashes
DeviceProcessEvents
| where SHA256 in ("206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", "34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4")
    or MD5 in ("085128b4e96633c82beb2101f5c525e4", "28d0143718153bf04c1919a26bb70c2d")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FolderPath, MD5, SHA256
| summarize count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceName, InitiatingProcessFileName, SHA256

// Hunt for ASO RAT and APT37 Network Connections
DeviceNetworkEvents
| where RemoteUrl has "aso.ddns.net"
    or RemoteIP in ("45.74.4.179", "88.3.137.237", "38.32.68.195", "222.122.49.15")
    or RemoteUrl has "zohoworkdrive"
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
```
```powershell
# IOC Hunt Script for ASO RAT, Warlock, and APT37
# Requires Admin Privileges
Write-Host "[*] Starting Hunt for ASO RAT, Warlock, and APT37 Indicators..." -ForegroundColor Cyan

# Define IOCs
$TargetHashes = @(
    "31514358bf684a1e466a9e8069c11031", # ASO RAT
    "b3e706ba673cfeb9d205fb97b0ac624c", # ASO RAT
    "085128b4e96633c82beb2101f5c525e4", # ROKRAT
    "80961850786d6531f075b8a6f9a756ad"  # Warlock Component
)
# "zohoworkdrive" is a substring used by the SIEM/KQL hunts above, not a resolvable FQDN
$TargetDomains = @("aso.ddns.net", "zohoworkdrive")

# 1. Check for file hashes on disk (-File: directories cannot be hashed)
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

# 2. Check for running processes matching TightVNC (Warlock)
Write-Host "[+] Checking for TightVNC execution (Warlock)..." -ForegroundColor Yellow
$tightvnc = Get-Process -Name *tightvnc* -ErrorAction SilentlyContinue
if ($tightvnc) {
    Write-Host "[!] TightVNC process detected: $($tightvnc.ProcessName -join ', ')" -ForegroundColor Red
} else {
    Write-Host "[-] No TightVNC processes found." -ForegroundColor Green
}

# 3. DNS Resolution Check for ASO RAT (a successful answer means no DNS block/sinkhole is in place)
Write-Host "[+] Resolving ASO RAT C2 Domain..." -ForegroundColor Yellow
try {
    $null = Resolve-DnsName -Name $TargetDomains[0] -ErrorAction Stop
    Write-Host "[!] Resolution successful for $($TargetDomains[0]) - Infrastructure reachable!" -ForegroundColor Red
} catch {
    Write-Host "[-] Resolution failed or blocked. Good." -ForegroundColor Green
}

Write-Host "[*] Hunt Complete." -ForegroundColor Cyan
```
Response Priorities
- Immediate: Block all listed IP addresses (45.74.4.179, 88.3.137.237, 38.32.68.195, 222.122.49.15) and the domain aso.ddns.net at the perimeter. Initiate IOC scans for the specific LockBit/Warlock and ROKRAT file hashes.
- 24h: Investigate systems with TightVNC or unusual driver loads (NSec). For users interacting with Zoho WorkDrive, verify the legitimacy of files given the APT37 pretexting campaigns. Review mobile device management (MDM) logs for the ASO RAT MD5 hashes.
- 1 Week: Implement stricter controls regarding BYOVD (Block the NSec driver via Microsoft Driver Block List). Enforce application allow-listing for remote administration tools. Conduct security awareness training focused on pretexting and social engineering via Facebook/Telegram.