Phishing for Fortunes: APT-C-28 Unveils “MiradorShell” in Surgical Strikes on Web3 Teams
The threat group APT-C-28, also tracked as ScarCruft or Konni, has expanded its targeting to cryptocurrency companies and Web3 development teams. The new wave of activity was identified by the 360 Advanced Threat Research Institute during its routine monitoring of targeted attacks. The campaign combines spear-phishing, a multi-stage malware chain, and a previously undocumented remote administration tool.
In the initial phase the attackers send ZIP archives whose lure is an investment proposal in the range of one to three million dollars. Each archive contains a decoy document together with an LNK shortcut disguised as a PDF investor profile. The file names are chosen to resemble legitimate corporate correspondence about startup financing. Opening the shortcut runs a hidden chain of commands that locates PowerShell on the system, decrypts embedded logic, and loads the primary malicious module directly into memory.
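The delivery stage described above lends itself to a simple triage check on the archive itself. The following Python script is an added example, not code from the original report or from APT-C-28's tooling: it walks a ZIP, flags .lnk members whose name carries a document double extension such as .pdf.lnk, parses the Shell Link header and StringData to recover the command line the shortcut would run, and flags PowerShell launch indicators (encoded commands, hidden window, a ShowCommand that keeps the console off-screen). The lure archive, file names, command line and base64 blob it is run against are all constructed here for illustration and are not indicators from the campaign.

```python
# Triage a phishing ZIP for LNK shortcuts posing as documents and recover the
# command line they would run. Added example; not APT-C-28 tooling or 360's code.
import io
import re
import struct
import zipfile

# Shell Link (MS-SHLLINK) header constants
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the process minimised, console never visible
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|"
    r"\biex\b|frombase64string|downloadstring", re.I)


def build_lnk(relative_path, arguments, show_cmd=SW_SHOWMINNOACTIVE):
    """Assemble a minimal LNK (76-byte header + StringData) to construct the sample lure."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(s):  # CountCharacters (uint16) + UTF-16LE chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + string_data(relative_path) + string_data(".")
            + string_data(arguments) + string_data(r"%SystemRoot%\System32\shell32.dll"))


def parse_lnk(data):
    """Return (ShowCommand, StringData dict); raise ValueError if not a Shell Link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # skip LinkInfo (size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        strings[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return show_cmd, strings


def triage_zip(zip_bytes):
    """Return one finding per suspicious .lnk member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".lnk"):
                continue
            reasons, args = [], None
            if name[:-4].lower().endswith(DOC_EXTS):
                reasons.append("double extension poses as a document")
            try:
                show_cmd, s = parse_lnk(zf.read(info))
            except ValueError as exc:
                reasons.append(str(exc))
            else:
                args = s.get("arguments", "")
                if "powershell" in (s.get("relative_path", "") + " " + args).lower():
                    reasons.append("launches PowerShell")
                if SUSPICIOUS_ARGS.search(args):
                    reasons.append("obfuscated/hidden PowerShell arguments")
                if show_cmd == SW_SHOWMINNOACTIVE:
                    reasons.append("window minimised to hide console")
            if reasons:
                findings.append({"member": name, "reasons": reasons, "arguments": args})
    return findings


def build_sample_zip():
    """Constructed lure (not a real sample): decoy document plus an LNK named like a PDF
    that locates powershell.exe via cmd and runs an encoded command ("IEX" in base64)."""
    lnk = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                    "/c for /f \"tokens=*\" %i in ('where powershell') do %i -nop -w hidden -enc SQBFAFgA")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Investment_Proposal_2M_USD/Term_Sheet.docx", b"decoy")
        zf.writestr("Investment_Proposal_2M_USD/Investor_Profile.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["member"], f["reasons"], f["arguments"], sep="\n  ")
```

The parser only reads the header and StringData, which is enough to recover the target hint and arguments; a production triage tool would also decode the LinkTargetIDList, since some lures leave StringData empty and put the real target there.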
This first stage checks the environment for sandboxes and cloud virtualization. If it detects virtual infrastructure, the chain stops there to frustrate analysis. If the host looks real, the module collects information about running processes and user files and exfiltrates it to a remote server. It then downloads a second-stage component that uses a legitimate AutoIt interpreter to run a hidden script.
The final payload is MiradorShell version 2.0, a backdoor that supports remote command execution, file upload and download, directory listing, and the silent deletion of files and launching of programs. It is controlled over a reverse TCP connection to a command-and-control server. A mutex keeps more than one copy from running at once, and persistence is provided by a scheduled task that fires every five minutes. Each infected host is identified by a unique ID derived from hardware parameters.
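The scheduled-task persistence described above is something an incident responder can hunt for in exported task definitions, for example the XML produced by `schtasks /query /xml` or Export-ScheduledTask. The Python below is an added example and not part of the original report: it parses Task Scheduler XML, converts the ISO 8601 repetition interval to seconds and flags intervals of ten minutes or less, and also flags actions that run from user-writable paths, that launch script interpreters such as AutoIt3.exe or PowerShell, or that are marked Hidden. The two task definitions embedded in it are constructed, as are the paths; the mutex and hardware-derived ID are runtime behaviour that this static check does not cover.

```python
# Triage exported Task Scheduler XML for short-interval persistence. Added example;
# not from the 360 report. Real exports are UTF-16 with an XML declaration: read
# them as bytes (open(path, "rb").read()) so the parser honours the declared encoding.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp|Downloads)\\", re.I)
INTERPRETERS = re.compile(
    r"(autoit3|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?$", re.I)


def duration_seconds(iso):
    """Convert a Task Scheduler duration such as PT5M or P0DT0H5M0S to seconds (None if malformed)."""
    m = ISO_DURATION.match(iso or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task_xml(xml_text, max_interval=600):
    """Return the list of reasons a task definition looks like malware persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    # Any trigger type can carry a Repetition block; a tight beacon-style interval is the tell.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = duration_seconds((interval.text or "").strip())
        if secs is not None and secs <= max_interval:
            reasons.append(f"repeats every {secs // 60} min")
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"action runs from user-writable path: {cmd} {args}".rstrip())
        if INTERPRETERS.search(cmd):
            reasons.append(f"action is a script interpreter: {cmd}")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS) or ""
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


# Constructed task definitions (not real exports); the paths and names are made up.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\dev\AppData\Roaming\WNE\AutoIt3.exe</Command>
      <Arguments>C:\Users\dev\AppData\Roaming\WNE\update.au3</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml) or "no findings")
```

Run it across every file under an exported `C:\Windows\System32\Tasks` tree and review anything with two or more findings; a five-minute repetition on its own is also used by legitimate software, so the interval alone is a weak signal and the combination with an interpreter in a user-writable path is what matters.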
The delivery infrastructure is notable: in several cases the second-stage modules were fetched from the domain of a South Korean technology company, Techcross-WNE. Judging by the directory structure and the libraries in use, the researchers believe the site was compromised and its plugin directory used to host the payloads. Serving malware from a legitimate site makes the download traffic look like ordinary communication with a trusted resource, so defenders cannot rely on domain reputation alone to flag it.
Based on a combination of indicators, including coding style, the use of LNK-based infection chains, the format of network requests, and the persistence mechanisms, the researchers attribute the operation to APT-C-28 with high confidence. The group has been active since 2014 and has traditionally focused on the public sector on the Korean Peninsula, but its interests are increasingly shifting toward the cryptocurrency sector.