Scarcruft (APT37) Ransomware Campaign Targets South Korea
Summary
North Korean threat actors, including the Konni APT (linked to Kimsuky and APT37), have escalated their abuse of Google’s Find Hub service to remotely reset Android devices in South Korea, marking the first confirmed instance of a nation-state APT exploiting this feature for destructive operations. The campaign, uncovered in November 2025, combines spear-phishing with social engineering via KakaoTalk messenger to distribute remote access trojans (RATs) like LilithRAT, RemcosRAT, and QuasarRAT, while leveraging compromised devices to amplify secondary infections. Attackers targeted high-value individuals, including psychological counselors for North Korean defectors, using their accounts to distribute malware disguised as legitimate files (e.g., 'Stress Clear.msi'). The remote wipe functionality was timed to block notifications and delay victim response, erasing forensic evidence and isolating targets. This development follows APT37’s broader 2025 campaigns, including the ChinopuNK ransomware operation and Operation HanKook Phantom, which deployed RokRAT, NubSpy, and ChillyChino malware against South Korean academics and government-linked figures. Parallel efforts by BlueNoroff (Lazarus subgroup) expanded to include blockchain-based malware distribution (EtherHiding) and fake recruitment campaigns (Contagious Interview), targeting global cryptocurrency developers. The integration of device sabotage, credential theft, and social engineering underscores a strategic shift toward multi-stage attacks that exploit trusted platforms for maximum disruption and data exfiltration.
Timeline
- 10.11.2025 22:29 · 4 articles · 1d ago
Konni Exploits Google's Find Hub for Remote Data Wiping
North Korean threat actors, including Konni APT (APT37/Kimsuky), have weaponized Google’s Find Hub service to remotely reset Android devices in South Korea, marking the first confirmed instance of a nation-state APT abusing this feature for destructive operations. The campaign, discovered in November 2025, involves a two-stage attack: initial spear-phishing (since July 2024) targeting Android devices via spoofed entities (e.g., National Tax Service), followed by secondary malware distribution through compromised KakaoTalk PC sessions. Attackers compromised the account of a psychological counselor for North Korean defectors on September 5, 2025, using it to distribute a digitally signed MSI installer ('Stress Clear.msi') disguised as a stress-relief program. The installer deployed AutoIt loaders that established persistence via scheduled tasks and C2 communication, fetching RATs like RemcosRAT, QuasarRAT, and RftRAT. Using stolen Google credentials, attackers tracked victim locations via Find Hub and triggered remote wipes when targets were away, delaying discovery and severing communication channels. The attack chain also involved prolonged internal reconnaissance, exfiltration of PII and webcam captures, and exploitation of Find Hub’s location tracking to execute remote resets. This tactic combines device sabotage, credential theft, and social engineering to erase forensic evidence and amplify the campaign’s reach through trusted contacts. The MSI installer’s setup routine deleted traces to hinder analysis, while AutoIt scripts maintained continuous C2 communication.
Sources:
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- 25.09.2025 16:14 · 6 articles · 1mo ago
North Korean Threat Actors Launch Contagious Interview Campaign
The GhostCall and GhostHire campaigns are part of a broader operation called SnatchCrypto, attributed to the BlueNoroff subgroup of the Lazarus Group. These campaigns target the Web3 and blockchain sectors, with GhostCall focusing on executives at tech companies and venture capital firms using fake Zoom calls to deliver malicious payloads. GhostHire targets Web3 developers with fake job offers on Telegram, luring them into executing malicious code. Both campaigns employ a variety of malware families, including CosmicDoor, RooTroy, RealTimeTroy, SneakMain, and SilentSiphon, designed to exfiltrate data from numerous services. The campaigns have been active since mid-2023, with GhostCall primarily targeting macOS devices and GhostHire targeting both Windows and macOS systems.
Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- 10.09.2025 16:04 · 1 article · 2mo ago
ZynorRAT RAT Targets Windows, Linux, and macOS Systems
A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT is a Go-based remote access trojan that uses a Telegram bot for command and control. The malware supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.
Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- 10.09.2025 14:59 · 2 articles · 2mo ago
ChillyHell macOS Backdoor Resurfaces with New Version
ChillyHell is written in C++ and developed for Intel architectures. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022. UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell. The malware establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile. It uses timestomping to modify file timestamps to evade detection. ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks. The malware was notarized by Apple, highlighting that not all malicious code comes unsigned.
Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- 01.09.2025 11:26 · 1 article · 2mo ago
Scarcruft (APT37) Launches Operation HanKook Phantom Targeting South Korean Academics
In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.
Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- 14.08.2025 03:00 · 2 articles · 3mo ago
Scarcruft (APT37) Launches Ransomware Campaign Targeting South Korea
In July 2025, the North Korean threat group Scarcruft (APT37) initiated a new campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. The campaign is notable for its use of ransomware by a nation-state actor, combining espionage with financial and psychological pressure tactics.
Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
Information Snippets
- Scarcruft (APT37) is a North Korean threat group known for financially motivated cyberattacks.
  First reported: 14.08.2025 03:00 · 2 sources, 5 articles. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- The ChinopuNK campaign began in July 2025, with some malware samples dating back to February 2025.
  First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- The campaign uses phishing emails with decoy documents about postal code updates.
  First reported: 14.08.2025 03:00 · 2 sources, 2 articles. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- The NubSpy backdoor uses the PubNub cloud service for C2 communication.
  First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ChillyChino is a PowerShell backdoor rewritten in Rust to evade detection.
  First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- VCD ransomware encrypts specific file paths tailored to individual targets.
  First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- The campaign includes at least nine separate malware tools.
  First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- Scarcruft's use of ransomware is rare and marks a shift from its traditional espionage profile.
  First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- Scarcruft (APT37) has launched a new phishing campaign, Operation HanKook Phantom, targeting individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers.
  First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document.
  First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads.
  First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud.
  First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload.
  First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.
  First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- ChillyHell is a modular backdoor malware for the macOS platform that gives attackers remote access and allows them to drop payloads or brute-force passwords.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell was first discovered in an attack against officials in Ukraine three years ago and has resurfaced with a new version.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- The malware comes disguised as an executable applet packaged as applet.app but deploys as a full-fledged, persistent backdoor.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell has multiple persistence mechanisms, including using LaunchAgent, LaunchDaemon, and modifying the user's shell profile.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- Once established, ChillyHell can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell uses timestomping to evade detection by modifying file timestamps on infected systems.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf.
  First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell is written in C++ and developed for Intel architectures.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell uses timestomping to modify file timestamps to evade detection.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ChillyHell was notarized by Apple, highlighting that not all malicious code comes unsigned.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ZynorRAT is a Go-based RAT that targets Windows and Linux systems, using a Telegram bot for command and control.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ZynorRAT supports file exfiltration, system enumeration, screenshot capture, and arbitrary command execution.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ZynorRAT's Windows version is near-identical to its Linux counterpart, indicating ongoing development.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.
  First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
- The North Korea-linked threat actors behind the Contagious Interview campaign have been linked to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor.
  First reported: 25.09.2025 16:14 · 3 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaign targets software developers across Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects.
  First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List.
  First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost.
  First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets.
  First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024.
  First reported: 25.09.2025 16:14 · 4 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient.
  First reported: 25.09.2025 16:14 · 4 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- TsunamiClient incorporates .NET spyware and drops cryptocurrency miners like XMRig and NBMiner.
  First reported: 25.09.2025 16:14 · 4 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan.
  First reported: 25.09.2025 16:14 · 2 sources, 3 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt).
  First reported: 25.09.2025 16:14 · 3 sources, 4 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection.
  First reported: 26.09.2025 15:01 · 3 sources, 4 articles. Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The DeceptiveDevelopment campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies.
  First reported: 26.09.2025 15:01 · 3 sources, 4 articles. Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The DeceptiveDevelopment campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole.
  First reported: 26.09.2025 15:01 · 3 sources, 4 articles. Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania.
  First reported: 26.09.2025 15:01 · 3 sources, 3 articles. Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
-
The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.
First reported: 26.09.2025 15:01 · 3 sources, 4 articles
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The Contagious Interview campaign has expanded to include malicious packages in npm, PyPI, and RubyGems ecosystems.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The campaign uses Discord webhooks as a command-and-control (C2) channel to exfiltrate data.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The malicious packages include mysql-dumpdiscord (npm), nodejs.discord (npm), malinssx, malicus, and maliinn (PyPI), and sqlcommenter_rails (RubyGems.org).
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The campaign has published 338 malicious packages, downloaded over 50,000 times, using more than 180 fake personas and over a dozen C2 endpoints.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The campaign targets Web3, cryptocurrency, and blockchain developers, as well as job seekers in the technical sector.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The malware families delivered include HexEval, XORIndex, encrypted loaders, BeaverTail, and InvisibleFerret.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The campaign involves typosquatting and lookalike libraries to deceive developers.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
North Korean hackers have adopted the 'EtherHiding' technique that leverages smart contracts to host and deliver malware in social engineering campaigns that steal cryptocurrency.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
A DPRK nation-state threat actor, tracked internally as UNC5342, has been employing EtherHiding since February in Contagious Interview operations.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
EtherHiding is a malware distribution technique where payloads are embedded within smart contracts on a public blockchain (Binance Smart Chain or Ethereum).
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The smart contract hosts the JADESNOW downloader that interacts with Ethereum to fetch the third-stage payload, which is a JavaScript version of the InvisibleFerret malware.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The payload runs in memory and may ask Ethereum for an additional component that steals credentials.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The hackers can use JADESNOW to retrieve a payload from either Ethereum or the BNB Smart Chain, making analysis more difficult.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The transaction details show that the contract has been updated over 20 times within the first four months, with each update costing an average of $1.37 USD in gas fees.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The credential stealer component targets passwords, credit card data, and cryptocurrency wallet (MetaMask and Phantom) information stored in web browsers such as Chrome and Edge.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The malware runs in the background and listens for incoming commands from its command-and-control (C2) server, such as executing arbitrary commands and exfiltrating files as ZIP archives to an external server or to Telegram.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The technique of EtherHiding was first described by Guardio Labs in 2023.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The EtherHiding technique is resilient to conventional takedown and blocklisting efforts.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The identity of an attacker using EtherHiding is difficult to trace due to the pseudonymous nature of blockchain transactions.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
EtherHiding represents a shift towards next-generation bulletproof hosting where the inherent features of blockchain technology are used for malicious purposes.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The Contagious Interview campaign employs a multi-stage malware infection process involving JADESNOW, BEAVERTAIL, and INVISIBLEFERRET.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The Contagious Interview campaign targets developers in the cryptocurrency and technology sectors to steal sensitive data, cryptocurrency, and gain persistent access to corporate networks.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The Contagious Interview campaign uses elaborate social engineering tactics that mimic legitimate recruitment processes through fake recruiters and fabricated companies.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
Fake recruiters lure candidates onto platforms like Telegram or Discord, then deliver malware through deceptive coding tests or fake software downloads disguised as technical assessments or interview fixes.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The Contagious Interview campaign affects Windows, macOS, and Linux systems.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The GhostCall and GhostHire campaigns are part of a broader operation called SnatchCrypto, attributed to the BlueNoroff subgroup of the Lazarus Group.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The GhostCall campaign targets executives at tech companies and in the venture capital sector, using fake Zoom calls to lure victims into downloading malicious payloads.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The GhostHire campaign targets Web3 developers, using fake job offers on Telegram to lure victims into executing malicious code.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The GhostCall campaign uses fake Zoom and Microsoft Teams pages to trick victims into downloading malicious software.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The GhostHire campaign uses a Telegram bot to send victims a coding assessment project that contains a malicious dependency.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The campaigns use a variety of malware families, including CosmicDoor, RooTroy, RealTimeTroy, SneakMain, and SilentSiphon.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The malware families used in these campaigns are designed to exfiltrate data from a wide range of services, including GitHub, GitLab, and various cloud services.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
The GhostCall and GhostHire campaigns have been active since mid-2023, with the GhostCall campaign targeting macOS devices and the GhostHire campaign targeting both Windows and macOS systems.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
-
Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) is a North Korea-affiliated threat actor.
First reported: 10.11.2025 22:29 · 2 sources, 2 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
-
Konni has been attributed to attacks targeting both Android and Windows devices for data theft and remote control.
First reported: 10.11.2025 22:29 · 3 sources, 3 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Konni impersonates psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.
First reported: 10.11.2025 22:29 · 2 sources, 2 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
-
Konni exploits Google's Find Hub (formerly Find My Device) to remotely reset victim devices, leading to unauthorized deletion of personal data.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Konni uses spear-phishing emails mimicking legitimate entities like the National Tax Service to deliver remote access trojans like Lilith RAT.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Konni deploys malware that allows internal reconnaissance, monitoring, and exfiltration of Google and Naver account credentials.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Konni uses a malicious Microsoft Installer (MSI) package signed with a valid code-signing certificate belonging to a Chinese company, giving the application an illusion of legitimacy.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Konni uses an AutoIt script to launch Remcos RAT version 7.0.4, indicating active use of newer versions of the trojan.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Konni has been found to use Quasar RAT and RftRAT, previously used by Kimsuky in 2023.
First reported: 10.11.2025 22:29 · 3 sources, 3 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
-
Lazarus Group has used an updated version of the Comebacker malware in attacks aimed at aerospace and defense organizations.
First reported: 10.11.2025 22:29 · 1 source, 1 article
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
-
Kimsuky has employed a new JavaScript-based malware dropper in its recent operations.
First reported: 10.11.2025 22:29 · 1 source, 1 article
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
-
The KONNI campaign abuses Google Find Hub to track GPS locations of targets and remotely reset Android devices to factory settings, primarily targeting South Koreans via KakaoTalk messenger.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
-
The remote wipe of Android devices is timed for when victims are away from their devices, delaying response and recovery, and is executed multiple times to prevent the device from being brought back into use.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The attack chain begins with spear-phishing messages spoofing South Korea’s National Tax Service, police, or other agencies, delivering a digitally signed MSI attachment that invokes a decoy error.vbs script and an install.bat file.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
-
The BAT file triggers an AutoIt script (IoKITr.au3) that establishes persistence via a scheduled task, fetches additional modules from C2, and deploys RemcosRAT, QuasarRAT, or RftRAT for credential harvesting.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
-
Compromised Google accounts are used to log into Find Hub, retrieve registered Android devices, query GPS locations, and execute remote wipe commands.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
-
The attacker hijacks the victim’s KakaoTalk PC session post-wipe to distribute malicious files to the victim’s contacts, amplifying the attack’s spread.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The September 5 attack targeted a South Korean counselor specializing in psychological support for North Korean defector youth, using a malicious file disguised as a 'stress relief program'.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
A second attack on September 15 used the same method, confirming a pattern of targeting high-value individuals in South Korea.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The Konni campaign exploited Google's Find Hub service to remotely reset Android devices, marking the first known instance of a North Korean APT abusing this feature for malicious purposes.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The attack chain involved a two-stage process: initial spear-phishing targeting Android devices (beginning July 2024) followed by secondary malware distribution via compromised KakaoTalk PC sessions.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Attackers compromised the KakaoTalk account of a psychological counselor specializing in North Korean defector support on September 5, 2025, using the account to distribute malicious files disguised as a 'stress relief program' to defectors.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The remote reset of Android devices was timed to block notifications and delay victim awareness, amplifying the attack's impact by severing communication channels.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
On September 15, 2025, a separate victim's KakaoTalk account was used to distribute similar malicious files en masse, indicating a coordinated wave of secondary infections.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The malicious files distributed included AutoIt scripts and modules enabling remote access, keylogging, and deployment of RATs such as LilithRAT and RemcosRAT.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Attackers exfiltrated large volumes of PII, sensitive data, and private content (including webcam captures) from compromised PCs, leveraging internal reconnaissance for prolonged data collection.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The KONNI APT campaign exploited Google’s Find Hub service by using a digitally signed MSI installer named 'Stress Clear.msi' to distribute AutoIt loaders disguised as stress-relief apps.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The AutoIt loader established persistence by copying executables to the public Music folder and registering a scheduled task.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Attackers used stolen Google account credentials to track victims’ real-time locations via Find Hub and triggered remote wipe commands only when targets were confirmed to be away.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The MSI installer’s setup routine deleted traces to hinder forensic analysis, while AutoIt scripts disguised as error dialogs maintained continuous C2 communication.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
The campaign employed a two-stage process: spear-phishing via KakaoTalk to compromise PCs, followed by remote wipe of Android devices to sever communication channels and erase forensic evidence.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
Similar Happenings
Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp
The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the LandFall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.
AI-Powered Malware Families Deployed in the Wild
Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's Gemini LLM to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is assessed to be in a development or testing phase and to be financially motivated. PromptSteal is a data miner written in Python that queries the Qwen2.5-Coder-32B-Instruct LLM to generate one-line Windows commands that collect information and documents from specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle. The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.
RMM Software Exploited in Logistics and Freight Network Intrusions
Cybercriminals have been targeting trucking and logistics companies since at least January 2025, using remote monitoring and management (RMM) software to infiltrate networks and steal cargo freight. The primary targets are food and beverage products, which are often sold online or shipped overseas. The attackers collaborate with organized crime groups and use various methods to gain access, including compromised email accounts, spear-phishing emails, and fraudulent freight listings. They leverage legitimate RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve to maintain persistence and evade detection. Once inside, they conduct reconnaissance, harvest credentials, and manipulate dispatch systems to steal cargo. The use of RMM software allows them to operate undetected, as these tools are commonly used in enterprise environments and are often not flagged as malicious. The attackers conducted nearly two dozen campaigns targeting North American freight companies in September and October 2025, with volumes ranging from fewer than 10 to over 1000 messages per campaign. The attackers have been active since at least June 2025, with evidence suggesting campaigns began as early as January 2025. Similar activity has been observed in Brazil, Mexico, India, Germany, Chile, and South Africa. The National Insurance Crime Bureau (NICB) estimates cargo theft losses in the U.S. at $35 billion annually. The attackers use compromised accounts on load boards to post fraudulent freight listings and hijack email threads to lead victims to malicious URLs. They send direct phishing emails to asset-based carriers, freight brokerage firms, and integrated supply-chain providers, targeting a wide range of carriers from small businesses to large transport firms. The attackers aim to compromise any carrier that responds to fake load postings, then identify and bid on profitable loads to steal. They use various methods to steal cargo, including direct collaboration with truckers and double brokering, which disrupts the supply chain, leading to increased costs, delays, and insurance claims, and erodes trust within the supply chain.
HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack
The North Korea-linked threat actor Kimsuky distributed a new backdoor named HttpTroy in a targeted spear-phishing attack against a South Korean entity. The attack involved a ZIP file disguised as a VPN invoice, which contained a multi-stage malware chain. HttpTroy enables file transfers, screenshot capture, command execution, and other malicious activities. The malware uses advanced obfuscation techniques to evade detection. The attack was detected by Gen Digital, which did not specify the exact timeline of the incident. The initial vector is suspected to be a phishing email, as no known vulnerabilities were exploited. The malware communicates with a command-and-control server over HTTP POST requests. The attack chain consists of a dropper, a loader (MemLoad), and the final backdoor (HttpTroy). The ZIP file contained a Microsoft Windows screensaver (.scr) file, which displayed a decoy PDF invoice written in Korean while running the attack chain until the backdoor was active. HttpTroy supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in its attacks. These groups use legitimate services and Windows processes to dodge security tools, and a different encryption method for each step of the multi-stage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection.
Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll
Operation ForumTroll, discovered in March 2025, targeted Russian organizations using a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, delivered malware linked to the Italian spyware vendor Memento Labs. The attacks used phishing emails with malicious links to infect victims, targeting media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus. The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems. Memento Labs, formed after InTheCyber Group acquired Hacking Team, presented its Dante spyware at a conference in 2023. The malware was used in attacks dating back to at least 2022. The attacks involved sophisticated techniques to ensure that only the intended victims were compromised. The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025. The exploit bypassed Chrome's sandbox protections by abusing a logic flaw in Chrome that stemmed from an obscure quirk in the Windows OS: it used pseudo handles to disable sandbox functionality, gaining unauthorized access to privileged processes. The exploit represents a new class of vulnerabilities that could affect other applications and Windows services. The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll. The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum. The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process. Google patched the issue in version 134.0.6998.177/.178. Firefox developers found a related issue in their browser, addressed as CVE-2025-2857. Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild. The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities.