Scarcruft (APT37) Ransomware Campaign Targets South Korea

5 unique sources, 18 articles

Summary

North Korean threat actors have **expanded the Contagious Interview campaign** with a **new JavaScript-based backdoor** delivered via **malicious VS Code repositories**, marking the latest evolution in their multi-stage infection chain. When victims clone and open these repositories—framed as technical assignments or code reviews—they are prompted to trust the repository author. Upon granting trust, VS Code automatically executes a hidden **Node.js command** in the background, deploying the backdoor with **remote code execution capabilities**. The payload persists even after VS Code is closed, produces no visible output, and remains undetected while exfiltrating credentials and sensitive data. This tactic builds on earlier methods, such as **abusing `tasks.json` files** and **malicious npm dependencies (e.g., 'grayavatar')**, but introduces a **fully JavaScript-based payload** tailored for developers familiar with Node.js. The campaign, active since late 2023, continues to target **software developers, particularly in blockchain, cryptocurrency, and Web3 sectors**, blending **social engineering with technical deception**. Previous milestones include the **December 2025 deployment of EtherRAT**, which exploited **React2Shell (CVE-2025-55182)** and **Ethereum smart contracts for C2**, and the **January 2026 wave** using **BeaverTail and InvisibleFerret malware** via GitHub/GitLab/Bitbucket lures. The group collaborates with **North Korea’s fraudulent IT workers (WageMole)** to amplify credential theft and financial fraud, while consolidating hosting on **Vercel domains** and refining **AI-generated artifacts** to evade detection. The latest backdoor underscores the campaign’s **rapid adaptation**, combining **espionage-driven data theft** with **financial motives** through persistent, multi-layered infections.

Timeline

  1. 10.11.2025 22:29 4 articles · 2mo ago

    Konni Exploits Google's Find Hub for Remote Data Wiping

    North Korean threat actors, including Konni APT (APT37/Kimsuky), have weaponized Google’s Find Hub service to remotely reset Android devices in South Korea, marking the first confirmed instance of a nation-state APT abusing this feature for destructive operations. The campaign, discovered in November 2025, involves a two-stage attack: initial spear-phishing (since July 2024) targeting Android devices via spoofed entities (e.g., National Tax Service), followed by secondary malware distribution through compromised KakaoTalk PC sessions. Attackers compromised the account of a psychological counselor for North Korean defectors on September 5, 2025, using it to distribute a digitally signed MSI installer ('Stress Clear.msi') disguised as a stress-relief program. The installer deployed AutoIt loaders that established persistence via scheduled tasks and C2 communication, fetching RATs like RemcosRAT, QuasarRAT, and RftRAT. Using stolen Google credentials, attackers tracked victim locations via Find Hub and triggered remote wipes when targets were away, delaying discovery and severing communication channels. The attack chain also involved prolonged internal reconnaissance, exfiltration of PII and webcam captures, and exploitation of Find Hub’s location tracking to execute remote resets. This tactic combines device sabotage, credential theft, and social engineering to erase forensic evidence and amplify the campaign’s reach through trusted contacts. The MSI installer’s setup routine deleted traces to hinder analysis, while AutoIt scripts maintained continuous C2 communication.

  2. 25.09.2025 16:14 10 articles · 3mo ago

    North Korean Threat Actors Launch Contagious Interview Campaign

    The **Contagious Interview campaign**, attributed to North Korean actors including **Lazarus/BlueNoroff**, has expanded with **new tactics observed in January 2026**, where malicious **VS Code projects** are used as lures to deliver **BeaverTail, InvisibleFerret, and a newly identified JavaScript-based backdoor**. Victims are instructed to clone repositories on GitHub, GitLab, or Bitbucket as part of fake job assessments, triggering automatic execution of obfuscated payloads via abused `tasks.json` files (configured with `runOn: folderOpen`) or **hidden Node.js commands** when repository trust is granted. The payloads, hosted on **Vercel domains**, deploy backdoors with **remote code execution (RCE) capabilities**, establish persistent C2 communication, and use **fallback mechanisms** such as malicious npm dependencies (e.g., 'grayavatar') or spell-check dictionary decoys. The **Node.js-based BeaverTail** component handles keystroke logging, screenshot capture, credential theft from browsers, and clipboard substitution of cryptocurrency wallet addresses. A parallel **Python environment (InvisibleFerret)** enables data exfiltration, XMRig cryptocurrency mining, and AnyDesk deployment for remote access. The **new JavaScript backdoor**, discovered in January 2026, runs invisibly in the background on macOS, persists after VS Code closure, and produces no visible output to evade detection. The campaign leverages **LinkedIn impersonation** (e.g., posing as the CTO of 'Meta2140') to distribute Notion.so links with technical assessments and malicious repositories. This evolution follows the **December 2025 deployment of EtherRAT**, which exploited **React2Shell (CVE-2025-55182)** to target Linux systems with **Ethereum smart contract-based C2** and **five persistence mechanisms**. The group continues to refine its **multi-stage infection chains**, consolidating hosting on **Vercel**, using **AI-generated script artifacts**, and collaborating with **North Korea’s fraudulent IT workers (WageMole)** to amplify credential theft and financial fraud. The campaign remains focused on **cryptocurrency/Web3 developers**, **global tech sectors**, and **espionage-driven financial theft**.

  3. 10.09.2025 16:04 1 article · 4mo ago

    ZynorRAT RAT Targets Windows, Linux, and macOS Systems

    A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT is a Go-based remote access trojan that uses a Telegram bot for command and control. The malware supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.

  4. 10.09.2025 14:59 2 articles · 4mo ago

    ChillyHell macOS Backdoor Resurfaces with New Version

    ChillyHell is written in C++ and developed for Intel architectures. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022. UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell. The malware establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile. It uses timestomping to modify file timestamps to evade detection. ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks. The malware was notarized by Apple, highlighting that not all malicious code comes unsigned.

  5. 01.09.2025 11:26 1 article · 4mo ago

    Scarcruft (APT37) Launches Operation HanKook Phantom Targeting South Korean Academics

    In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.

  6. 14.08.2025 03:00 2 articles · 5mo ago

    Scarcruft (APT37) Launches Ransomware Campaign Targeting South Korea

    In July 2025, the North Korean threat group Scarcruft (APT37) initiated a new campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. The campaign is notable for its use of ransomware by a nation-state actor, combining espionage with financial and psychological pressure tactics.

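A defender-side check for the `tasks.json` abuse described in the Contagious Interview entry above, added here as an example and not code from any of the cited reports. It parses a constructed `.vscode/tasks.json` (VS Code accepts JSONC, so comments and trailing commas are stripped before `json.loads`) and flags every task configured with `runOn: folderOpen`, the setting a cloned lure repository relies on to execute before the developer has read a line of it; `scan_repo` applies the same check across a whole clone.

```python
import json
import re
from pathlib import Path

# Constructed sample tasks.json (not from any real repository): one task is wired
# to run on folder open with its terminal hidden, the way the lures above abuse
# tasks.json. JSONC comments and trailing commas are included on purpose.
SAMPLE_TASKS_JSON = r'''{
  // looks like an ordinary build helper
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "node",
      "args": ["./scripts/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}'''


def strip_jsonc(text: str) -> str:
    """Drop /* */ and whole-line // comments plus trailing commas so json.loads accepts JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def find_autorun_tasks(tasks_json_text: str) -> list:
    """Return every task configured with runOptions.runOn == 'folderOpen'."""
    hits = []
    for task in json.loads(strip_jsonc(tasks_json_text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({
                "label": task.get("label", "<unlabelled>"),
                "command": " ".join([str(task.get("command", ""))] + list(task.get("args", []))),
                # reveal: never keeps the task terminal out of sight, a second red flag
                "hidden": (task.get("presentation") or {}).get("reveal") == "never",
            })
    return hits


def scan_repo(repo_root: str) -> list:
    """Walk a cloned repository and report auto-run tasks in any .vscode/tasks.json."""
    findings = []
    for path in Path(repo_root).rglob("tasks.json"):
        if path.parent.name == ".vscode":
            for hit in find_autorun_tasks(path.read_text(encoding="utf-8")):
                findings.append(dict(hit, file=str(path.relative_to(repo_root))))
    return findings
```

Run `scan_repo` on a freshly cloned assessment repository before opening it in VS Code, or before granting workspace trust; the `hidden` flag marks tasks that would also suppress their own terminal output.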

Similar Happenings

Black Basta Leader Identified and Added to Interpol's Red Notice List

Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.

VoidLink Malware Framework Targets Cloud and Container Environments

A new advanced Linux malware framework, codenamed VoidLink, has been discovered targeting cloud and container environments. Developed by a single person with the help of an artificial intelligence model, VoidLink is a highly modular and flexible framework designed for long-term, stealthy access to Linux-based systems. It includes custom loaders, implants, rootkits, and over 30 plugins, enabling operators to adapt its capabilities over time. The malware is engineered to detect major cloud environments and adapt its behavior when running within Docker containers or Kubernetes pods. It also gathers credentials associated with cloud environments and source code version control systems like Git. VoidLink's capabilities include anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence, making it a full-fledged post-exploitation framework. The framework is written primarily in the Zig programming language and includes plans to extend its detection capabilities to additional cloud environments such as Huawei, DigitalOcean, and Vultr. VoidLink's documentation suggests it is intended for commercial purposes, and its development environment includes debug symbols and other development artifacts, indicating in-progress builds. VoidLink uses a custom encrypted messaging layer called 'VoidStream' to camouflage traffic and includes 35 plugins in the default configuration. The framework employs rootkit modules to hide processes, files, network sockets, or the rootkit itself, and includes advanced anti-analysis mechanisms to detect debuggers, perform runtime code encryption, and integrity checks. VoidLink's anti-forensic modules erase logs, shell history, login records, and securely overwrite all files dropped on the host, minimizing exposure to forensic investigations. VoidLink was developed with the help of an artificial intelligence model, reaching a functional iteration in under a week. The developer used Spec-Driven Development (SDD) to define the project's goals and set constraints, with the AI generating a multi-team development plan. VoidLink reached 88,000 lines of code by early December 2025, and researchers successfully reproduced the workflow, confirming that an AI agent can generate code similar to VoidLink's. The developer utilized regular checkpoints to check in on the AI-generated code to ensure that the model was developing it as instructed and that the code worked.

CyberVolk's VolkLocker ransomware flaw allows free decryption

CyberVolk, a pro-Russia hacktivist group, launched VolkLocker ransomware-as-a-service (RaaS) with a critical cryptographic flaw. The ransomware uses a hardcoded master key stored in plaintext, enabling victims to decrypt files without paying the ransom. VolkLocker targets both Linux/VMware ESXi and Windows systems and includes a timer function that wipes user folders if the ransom is not paid. The group also offers a remote access trojan and a keylogger for sale. The flaw in VolkLocker's cryptography was discovered by SentinelOne researchers, who noted that the master key is written to a plaintext file in the %TEMP% folder, allowing victims to recover their files. This weakness undermines the ransomware's effectiveness and highlights the group's inexperience in cybercrime operations. VolkLocker is written in Golang and attempts to escalate privileges and perform reconnaissance and system enumeration. It makes Windows Registry modifications to thwart recovery and analysis, deletes volume shadow copies, and terminates processes associated with Microsoft Defender Antivirus and other common analysis tools. The ransomware uses an enforcement timer that wipes the content of user folders if victims fail to pay within 48 hours or enter the wrong decryption key three times. VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.

Chinese Hackers Exploit React2Shell Vulnerability (CVE-2025-55182) in Targeted Campaigns

Two China-linked hacking groups, Earth Lamia and Jackpot Panda, have begun exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allows unauthenticated remote code execution. The vulnerability was addressed in React versions 19.0.1, 19.1.2, and 19.2.1. The groups have targeted various sectors, including financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. The attacks involve running discovery commands, writing files, and reading sensitive information, demonstrating a systematic approach to exploit multiple vulnerabilities simultaneously.

React2Shell vulnerability exploited by China-linked threat actors

Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have begun exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React and Next.js. This insecure deserialization flaw allows unauthenticated remote execution of JavaScript code in the server's context. The vulnerability affects multiple versions of the widely used libraries, potentially exposing thousands of dependent projects. AWS reports active exploitation attempts within hours of the public disclosure, with attackers using a mix of public exploits and manual testing to refine their techniques.