ChinopuNK / Scarcruft (APT37) South Korea summer phishing-led campaign
Campaign
Summary
A North Korea-linked operation has launched a new phishing-led campaign that deploys infostealers, backdoors, and ransomware against targets in South Korea. The activity matters because it combines espionage with targeted encryption, widening the group’s impact beyond surveillance alone. The operation has been traced back to July, with some malware samples dated to February. Initial access appears to rely on postal code update lures and decoy documents.
Related Happenings
South Korean financial-sector data leak in Qilin's Korean Leaks operation
Data Leak
First: 26.11.2025 16:31
Last: 26.11.2025 16:31
Sources 1
About this happening:
The **Qilin** leak site published stolen data from **28 victims** in **South Korea's financial sector**, exposing more than **1 million files** and **2 TB** of data. The disclosur...
Konni APT KakaoTalk spear-phishing campaign targeting Android users in South Korea
Campaign
First: 11.11.2025 13:40
Last: 11.11.2025 13:40
Sources 1
About this happening:
A **Konni APT** operation is using **spear-phishing** and **KakaoTalk** to compromise **Android users in South Korea**, enabling device compromise and malware spread. The multi-st...
KONNI KakaoTalk and Google Find Hub Android-wiping campaign
Campaign
First: 11.11.2025 02:46
Last: 11.11.2025 02:46
Sources 1
About this happening:
The **KONNI** operation is actively combining **KakaoTalk spear-phishing** with **Google Find Hub** abuse to track targets and remotely wipe **Android devices**, raising data-loss...
Kimsuky HttpTroy backdoor activity against South Korean users
Malware Activity
First: 05.11.2025 04:00
Last: 05.11.2025 04:00
Sources 1
About this happening:
**Kimsuky** has deployed the **HttpTroy** backdoor against **South Korean users**, expanding a multi-stage infection chain that is designed to evade detection. The malware gives o...
Contagious Interview ClickFix BeaverTail campaign targeting crypto and retail roles
Campaign
First: 21.09.2025 13:56
Last: 21.09.2025 13:56
Sources 1
About this happening:
**North Korean operatives** expanded **Contagious Interview** with **ClickFix** lures and a **fake hiring platform** to deliver **BeaverTail** and **InvisibleFerret**, shifting th...
Timeline
- 14.08.2025 03:00 · 1 article
Scarcruft / ChinopuNK campaign disclosed
Initial Disclosure: S2W reports that Scarcruft / ChinopuNK (APT37) has launched a new campaign against targets in South Korea since July, using phishing emails disguised as postal code update notices and decoy documents. The observed toolchain includes NubSpy with PubNub command-and-control, a Rust-based ChillyChino backdoor variant, and VCD ransomware that appends .vcd to locked files.
Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00