Talos published research on a Korean MalDoc a few weeks ago. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. The payload was a Remote Administration Tool, which we have named ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases.
Source: https://blog.talosintelligence.com/2017/04/introducing-rokrat.html

