CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

First reported
Last updated
3 unique sources, 6 articles

Summary

Hide ▲

The North Korean threat group Scarcruft (APT37) has launched a campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, began in July 2025 and includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation. Additionally, a modular backdoor malware for the macOS platform, ChillyHell, has resurfaced with a new version. This malware gives attackers remote access and allows them to drop payloads or brute-force passwords. The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021. The malware has multiple persistence mechanisms and can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking. Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf. A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration, system enumeration, and arbitrary command execution. The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor. The campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets. TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024. TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient. TsunamiClient incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner. Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan. AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt). The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. The campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies. The campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole. The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.

Timeline

  1. 25.09.2025 16:14 2 articles · 4d ago

    North Korean Threat Actors Launch Contagious Interview Campaign

    The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. The campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies. The campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole. The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.

    Show sources
    Open in new tab
  2. 10.09.2025 16:04 1 articles · 19d ago

    ZynorRAT RAT Targets Windows, Linux, and macOS Systems

    A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT is a Go-based remote access trojan that uses a Telegram bot for command and control. The malware supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.

    Show sources
    Open in new tab
  3. 10.09.2025 14:59 2 articles · 19d ago

    ChillyHell macOS Backdoor Resurfaces with New Version

    ChillyHell is written in C++ and developed for Intel architectures. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022. UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell. The malware establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile. It uses timestomping to modify file timestamps to evade detection. ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks. The malware was notarized by Apple, highlighting that not all malicious code comes unsigned.

    Show sources
    Open in new tab
  4. 01.09.2025 11:26 1 articles · 28d ago

    Scarcruft (APT37) Launches Operation HanKook Phantom Targeting South Korean Academics

    In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.

    Show sources
    Open in new tab
  5. 14.08.2025 03:00 2 articles · 1mo ago

    Scarcruft (APT37) Launches Ransomware Campaign Targeting South Korea

    In July 2025, the North Korean threat group Scarcruft (APT37) initiated a new campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. The campaign is notable for its use of ransomware by a nation-state actor, combining espionage with financial and psychological pressure tactics.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Open in new tab

ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection

A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.

Open in new tab

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

GitHub notifications exploited to impersonate Y Combinator in crypto theft campaign

A phishing campaign impersonated Y Combinator to target GitHub users with cryptocurrency drainers. The attackers exploited GitHub's notification system to send fraudulent invitations to the YC W2026 program. The campaign aimed to steal cryptocurrency by prompting users to verify their wallets on a fake site. The attackers created issues across multiple repositories and tagged targeted users, leveraging GitHub's automatic notifications. The fake invitations promised $15 million in funding, directing users to a misspelled domain that mimicked the legitimate YC site. The fraudulent site ran obfuscated JavaScript to authorize malicious transactions, draining users' crypto assets. The campaign was reported to GitHub, IC3, and Google Safe Browsing, leading to the removal of the fraudulent repositories.

Open in new tab