ScarCruft Operation HanKook Phantom phishing campaign targeting South Korean researchers

Campaign
First reported
Last updated
Happening score
H score 38
1 unique source, 1 article

Summary

A ScarCruft (APT37) phishing operation called Operation HanKook Phantom is targeting South Korean academics, former officials, and researchers with a RokRAT infection chain. The operation uses a ZIP/LNK loader and cloud-based exfiltration to support espionage and data theft. A second delivery chain adds PowerShell and an obfuscated batch script to steal data while blending in as a Chrome file upload.

Related Happenings

PowMix phishing campaign targeting Czech workforce

Campaign
First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...

UnsolicitedBooker Central Asian telecom phishing campaign

Campaign
First: 24.02.2026 11:54 Last: 24.02.2026 11:54 Sources 1

About this happening: The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...

STAC6565 spear-phishing campaign targeting Canadian organizations

Campaign
First: 09.12.2025 11:35 Last: 09.12.2025 11:35 Sources 1

About this happening: The **STAC6565** campaign has driven **almost 40 intrusions** against **Canadian organizations**, making it a sustained operation with a sharply focused target set. Attackers use...

QWCrypt and RedLoader multi-stage ransomware activity

Malware Activity
First: 09.12.2025 11:35 Last: 09.12.2025 11:35 Sources 1

About this happening: The **QWCrypt** ransomware chain now matters because it has reached **successful deployment** in at least **three attacks**, using **RedLoader** and a customized **Terminator** to...

Tomiris 2025 government-targeting campaign

Campaign
First: 01.12.2025 07:07 Last: 01.12.2025 07:07 Sources 1

About this happening: The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...

Timeline

  1. 01.09.2025 11:26 2 articles · 8mo ago

    ScarCruft targets National Intelligence Research Association-linked individuals with RokRAT phishing

    Initial Disclosure

    ScarCruft (APT37) is assessed to have run Operation HanKook Phantom against individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers in South Korea. The spear-phishing chain uses a ZIP archive that contains a Windows shortcut (LNK) masquerading as a PDF to open a decoy newsletter and drop RokRAT, which can collect system information, execute commands, enumerate files, capture screenshots, and download additional payloads. A second chain uses a PowerShell script, an obfuscated Windows batch script, and a dropper to steal data while masking network traffic as a Chrome file upload, with exfiltration via Dropbox, Google Cloud, pCloud, and Yandex Cloud.
