North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
ID: 457bc8bc-b65c-5291-b349-c8b87ad68842
STIX ID: report--457bc8bc-b65c-5291-b349-c8b87ad68842
Feed Name: Volexity Blog
Volexity investigated a targeted intrusion, attributed to the InkySquid/APT37 actor, against an organization that is a frequent target of North Korean operations. The intrusion deployed a custom BLUELIGHT loader (launched from a Python-based scheduled task) and a bespoke RokRAT backdoor (delivered by a Ruby-based loader). Both families use multi-stage, host-specific decryption and cloud-based command-and-control services to evade detection and exfiltrate encrypted data; the report includes technical analysis, IOC hashes, YARA rules, and mitigation recommendations.
