Tag: ScarCruft

  • Rigged Game: How North Korea’s ScarCruft Group Infiltrated a Gaming Platform to Deploy BirdCall Spyware

    The seemingly innocuous download of a mobile game could culminate in a smartphone being compromised by sophisticated spyware. Researchers at ESET have revealed that the ScarCruft group, widely associated with North Korea, infiltrated a gaming platform catering to ethnic Koreans in the Yanbian region of China, embedding the BirdCall backdoor within its infrastructure. The breach targeted the service sqgame[.]net, which hosted various locally themed titles.

    The selection of this specific platform appears calculated. For years, ScarCruft has maintained a persistent interest in North Korean defectors, human rights activists, and academic professionals. Furthermore, Yanbian is recognized as a perilous transit point for individuals crossing the Tumen River while fleeing North Korea.

    The offensive likely commenced in late 2024. The adversaries compromised platform components for both Android and Windows; however, the malicious APK files were exclusively disseminated through the download pages of several Android-based games. Conversely, the iOS versions remained untainted. On Windows, at least since November 2024, an update to a platform component delivered a subverted DLL library, though this specific package no longer distributes malicious code.

    Historically, BirdCall has been predominantly identified on Windows systems. ESET specialists characterize the backdoor as an evolution of RokRAT, an instrument long utilized by ScarCruft in espionage campaigns. In recent years, this malware family has been adapted for macOS and Android, and this latest operation demonstrates that the group is continuously refining its malicious architecture and broadening its target demographic.

    On Windows, BirdCall is capable of capturing screenshots, logging keystrokes, exfiltrating clipboard contents, executing arbitrary commands, and harvesting sensitive data from the host. To communicate with its operators, the backdoor leverages legitimate cloud storage providers, including Dropbox and pCloud, effectively obfuscating its malicious traffic.

    The Android iteration, while lacking the full feature set of its Windows counterpart, remains a potent tool for surreptitious surveillance. The backdoor aggregates contacts, SMS messages, call logs, media files, documents, and screenshots, and is even capable of recording ambient audio. For command-and-control communication, the mobile variant of BirdCall utilizes the pCloud and Zoho WorkDrive services.

    ESET has identified seven distinct versions of the Android backdoor, with the earliest iteration dating back to October 2024. The firm assesses that ScarCruft is actively enhancing this utility, and the campaign is designed not for the mass infection of gamers, but for the targeted monitoring of specific individuals.

  • Jumping the Gap: APT37’s “Ruby Jumper” Campaign Weaponizes Cloud Storage and USBs to Breach Isolated Networks

    The DPRK-affiliated group APT37 has expanded its toolset for breaching air-gapped networks. Zscaler ThreatLabz researchers have uncovered a new campaign, dubbed Ruby Jumper, in which the attackers combine abuse of cloud services with infection of removable media to reach systems that have no direct internet connectivity at all.

    Operating under aliases such as ScarCruft and Velvet Chollima, APT37 starts its infection chain with malicious LNK files. When the shortcut is executed, PowerShell extracts a set of embedded components: an Arabic-language decoy article about the Palestinian-Israeli conflict, along with hidden loaders and shellcode. This initial phase ends with the deployment of the RESTLEAF implant.

    RESTLEAF uses Zoho WorkDrive to communicate with its command-and-control infrastructure. The malware obtains an access token with hardcoded credentials, then downloads additional code that it injects into a benign system process. Once running, RESTLEAF creates beacon files in the cloud repository to signal a successful compromise to the operators.

    The next stage is handled by SNAKEDROPPER. This loader installs a complete Ruby 3.3.0 environment under the ProgramData directory, disguising the interpreter as a utility named usbspeed.exe. SNAKEDROPPER then overwrites the runtime's operating_system.rb file and registers tasks in the Windows Task Scheduler so that its payload runs every five minutes. This forged environment is what launches the two core modules, THUMBSBD and VIRUSTASK.

    THUMBSBD handles the exchange and exfiltration of data between internet-connected hosts and the isolated network segment. It collects system information, running processes, network configuration and directory listings, encrypts the result with a simple XOR cipher and stores it in designated working directories. When a USB flash drive is inserted, THUMBSBD creates a hidden $RECYCLE.BIN directory on it and moves command files or exfiltrated data there, turning the physical media into a two-way command channel.

    VIRUSTASK orchestrates lateral propagation across the air gap. The module checks the free space on the removable media, creates a hidden $RECYCLE.BIN.USER directory, and replaces the victim's legitimate files with malicious shortcuts of the same name. Opening such a shortcut invokes the counterfeit Ruby interpreter, which immediately executes the payload shellcode and compromises the newly reached machine.
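    The two removable-media indicators described above (a hidden $RECYCLE.BIN or $RECYCLE.BIN.USER directory used as a drop point, and document shortcuts replacing the user's real files) can be checked by a simple scan of a mounted volume. The following is an added example written for this page, not Zscaler's detection logic: the directory names come from the report, while the assumptions that stashed originals keep their own filename inside the hidden directory and that a real recycle bin only holds $I/$R records under a per-SID folder are the author's heuristics. The volume layout it scans is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# $RECYCLE.BIN is a legitimate NTFS volume folder; $RECYCLE.BIN.USER never is.
# The remaining heuristics are assumptions for this demo.
ROGUE_DIR = "$RECYCLE.BIN.USER"
LEGIT_RECYCLE = "$RECYCLE.BIN"
DOC_EXTS = {".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def _under_recycle(rel_path: Path) -> bool:
    return any(part.upper().startswith("$RECYCLE.BIN") for part in rel_path.parts)


def scan_removable_volume(root) -> list:
    """Return heuristic findings for a mounted removable volume."""
    root = Path(root)
    findings = []

    # 1. A $RECYCLE.BIN.USER directory has no legitimate origin.
    for d in root.iterdir():
        if d.is_dir() and d.name.upper() == ROGUE_DIR:
            findings.append({"type": "rogue_recycle_dir", "path": str(d)})

    # 2. Real recycle bins hold only $I*/$R* records inside per-SID folders.
    legit = root / LEGIT_RECYCLE
    if legit.is_dir():
        for p in legit.rglob("*"):
            if p.is_file() and not (p.name.startswith(("$I", "$R")) or p.name.lower() == "desktop.ini"):
                findings.append({"type": "unexpected_recycle_file", "path": str(p)})

    # 3. Index every file stashed inside either recycle directory by bare name.
    stashed = {}
    for d in (legit, root / ROGUE_DIR):
        if d.is_dir():
            for p in d.rglob("*"):
                if p.is_file():
                    stashed.setdefault(p.name, str(p))

    # 4. A shortcut named like a document (report.docx.lnk) is suspicious on its own;
    #    one whose stem matches a stashed file is the substitution pattern itself.
    for lnk in root.rglob("*.lnk"):
        if _under_recycle(lnk.relative_to(root)):
            continue
        stem = lnk.stem  # "report.docx.lnk" -> "report.docx"
        if stem in stashed:
            findings.append({"type": "substituted_shortcut", "path": str(lnk), "original": stashed[stem]})
        elif Path(stem).suffix.lower() in DOC_EXTS:
            findings.append({"type": "document_named_shortcut", "path": str(lnk)})
    return findings


def build_sample_volume(base) -> Path:
    """Constructed layout mimicking the described USB state (not a real capture)."""
    base = Path(base)
    (base / "Documents").mkdir(parents=True)
    (base / "Documents" / "notes.txt").write_text("benign")
    (base / "Documents" / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")  # LNK header size field
    (base / "Documents" / "budget.xlsx.lnk").write_bytes(b"L\x00\x00\x00")
    rogue = base / ROGUE_DIR
    rogue.mkdir()
    (rogue / "report.docx").write_bytes(b"PK\x03\x04original")        # displaced original
    sid = base / LEGIT_RECYCLE / "S-1-5-21-1111-2222-3333-1001"
    sid.mkdir(parents=True)
    (sid / "$IABCDEF.txt").write_bytes(b"\x02\x00")                    # normal recycle metadata
    (sid / "cmd_20250901.bin").write_bytes(b"\x41" * 8)                # what a command drop might look like
    return base


def demo() -> list:
    """Build the constructed volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_removable_volume(build_sample_volume(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    On a real host the scan would be pointed at the mount point of the inserted drive; the hidden attribute is deliberately ignored so the check also works when the volume is imaged and examined from Linux.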

    Eventually, THUMBSBD delivers the FOOTWINE backdoor, disguised as a file with an APK extension. The component supports keystroke logging, screen capture, covert audio and video recording, remote command execution and file manipulation. To conceal its communications, FOOTWINE uses a custom XOR-based key exchange mechanism. The infection chain also incorporates the previously documented BLUELIGHT malware, which abuses Google Drive, Microsoft OneDrive and numerous other cloud services for command and control.

    Zscaler's analysts attribute Ruby Jumper to APT37 on the basis of several distinctive traits: the signature two-stage shellcode loader, the use of BLUELIGHT, and the heavy reliance on cloud platforms. The campaign shows that the group is deliberately building tooling to defeat network isolation, shifting toward physical media as an independent channel for remote command and control.

  • Phishing for Fortunes: APT-C-28 Unveils “MiradorShell” in Surgical Strikes on Web3 Teams

    The threat group APT-C-28, also tracked as ScarCruft or Konni, has widened its operations with targeted attacks on cryptocurrency enterprises and Web3 development teams. This new surge in activity was identified by the 360 Advanced Threat Research Institute during routine monitoring of targeted threats. The campaign combines spear-phishing, multi-stage malware deployment, and a previously undocumented remote administration tool.

    During the initial phase of the assault, the perpetrators disseminate ZIP archives containing “lures” predicated on investment proposals ranging from one to three million dollars. Concealed within is a document alongside a deceptive LNK shortcut, masquerading as a PDF file containing an investor profile. The nomenclature of these files is meticulously chosen to mirror legitimate corporate correspondence regarding startup financing. Executing the shortcut triggers a clandestine sequence of commands that locate PowerShell within the system, decrypt embedded logic, and instantiate the primary malicious module directly into the volatile memory.

    This initial stage conducts a rigorous environment audit to identify the presence of sandboxes or cloud-based virtualization. Should the system detect a virtual infrastructure, the deployment process is summarily terminated to evade analysis. Conversely, if the environment is deemed authentic, the module harvests telemetry regarding system processes and user files before exfiltrating the data to a remote repository. Subsequently, a secondary component is retrieved, leveraging a legitimate AutoIt interpreter to execute a concealed script.

    The terminal instrument in this arsenal is MiradorShell version 2.0, a sophisticated backdoor. It facilitates remote command execution, bidirectional file transfers, directory enumeration, and the clandestine deletion of data or instantiation of programs. Orchestration is managed via a reverse TCP connection to a command-and-control server. To ensure persistence, the malware utilizes a mutual exclusion (mutex) mechanism and establishes a scheduled task configured to execute every five minutes. The unique identifier for each compromised machine is synthesized from specific hardware parameters.
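    Both the Ruby Jumper loader and MiradorShell persist through a scheduled task that fires every five minutes, and the former runs an interpreter out of ProgramData. A defender can triage exported task definitions for exactly those traits. The following is an added example, not code from either report: it parses Task Scheduler XML (the format `schtasks /query /xml` exports; real exports are UTF-16 and must be decoded first), flags short repetition intervals, actions launched from user-writable paths, and hidden tasks. The two task definitions are constructed samples; the usbspeed.exe subfolder and the list of "user-writable" paths are the author's assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a persistence action should not normally run from (assumed list).
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\", re.I)
MAX_INTERVAL_SECONDS = 300  # the five-minute cadence reported for both campaigns


def iso_duration_seconds(value: str):
    """Parse the ISO-8601 duration subset Task Scheduler uses (P1D, PT5M, PT1H30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def triage_task_xml(xml_text: str) -> list:
    """Return reasons a task definition deserves a look; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    reasons = []
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(iv.text or "")
        if secs is not None and secs <= MAX_INTERVAL_SECONDS:
            reasons.append(f"repeats every {iv.text.strip()}")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if cmd.text and USER_WRITABLE.search(cmd.text):
            reasons.append(f"runs from user-writable path: {cmd.text.strip()}")
    hidden = root.find(".//t:Settings/t:Hidden", NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


# Constructed task definition (not a real export); path under ProgramData is assumed.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-11-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\USBSpeed\\usbspeed.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: daily, runs a system binary, not hidden.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(label, triage_task_xml(xml) or ["nothing flagged"])
```

    Any one reason alone is weak (plenty of legitimate software repeats every few minutes), but a task that matches all three at once is worth pulling the binary for.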

    The command infrastructure is particularly noteworthy; in several instances, module retrieval was traced to the domain of a South Korean technology firm, Techcross-WNE. Based on the directory structure and the libraries utilized, researchers posit that the site was compromised to host malicious payloads within its plugin directory. Such a stratagem effectively camouflages adversarial network traffic as legitimate communication with a trusted resource.

    Drawing on a combination of indicators, including coding style, the use of LNK-based infection chains, network request formatting, and persistence mechanisms, the operation has been confidently attributed to APT-C-28. While this group has been active since 2014 with a traditional focus on the public sector within the Korean Peninsula, its strategic interests are increasingly shifting toward the cryptocurrency sector.

  • Operation Artemis: North Korean ScarCruft Hijacks HWP Files to Deploy RoKRAT

    As part of a large-scale malware campaign dubbed Operation Artemis, the North Korean hacking group APT37—also known as ScarCruft—employed sophisticated attack techniques leveraging South Korea’s HWP word processor and DLL side-loading. The operation targeted South Korean professionals, primarily those working in politics, media, and international affairs. Initial access was achieved through phishing emails masquerading as interview requests or invitations to events.

    According to South Korean security firm Genians, the attackers posed as television journalists and academics, sending victims HWP documents disguised as questionnaires or formal invitations. Embedded within these files was an OLE object that triggered a multi-stage execution chain, ultimately loading a malicious library via DLL substitution within the context of a legitimate process. This technique enabled the attackers to evade signature-based defenses and significantly complicated analysis.

    The Genians report places particular emphasis on the use of steganography, with malicious data concealed within image files—including previously unseen portrait photographs—providing an additional layer of stealth. Investigators also identified the reuse of attack scripts employed in earlier campaigns, down to identical paths in Program Database (PDB) debug strings, pointing to the systematic activity of the same threat actor.

    Malicious modules such as version.dll were loaded by legitimate Sysinternals utilities through DLL side-loading, so the payload ran under the guise of a standard administrative tool and slipped past static checks for suspicious executables. Once loaded, the library decrypted the payload in stages, using XOR operations with multiple keys, including SSE-based routines, to speed up execution and make reverse engineering harder.

    The campaign’s ultimate objective was the deployment and activation of a remote access tool from the RoKRAT family, a well-known component of APT37’s arsenal. This tool enabled covert communication with command-and-control servers, data exfiltration, and remote command execution on compromised systems.

    Commercial cloud platforms were used as communication channels. Leveraging such services not only disguised malicious traffic as legitimate but also made network-level blocking more challenging. Analysis revealed that the attackers had pre-registered accounts across multiple cloud services using identical identifiers, underscoring the strategic coherence of their infrastructure.

    The report stresses that APT37 operates with discipline and continues to refine its evasion techniques. These methods are designed not merely to avoid detection, but to withstand in-depth analysis and forensic scrutiny. As a result, organizations are urged to reassess their defensive strategies—particularly through the adoption of EDR solutions capable of behavioral analysis and real-time activity monitoring.

    Detecting attacks of this nature requires tools that can correlate not isolated events, but the entire attack chain—from document execution to outbound communication with cloud infrastructure. Only through such holistic visibility can hidden activity be identified in time, infections contained, and data exfiltration prevented.

  • North Korean Hackers Launch Widespread Cyberespionage Campaign

    The North Korean threat group APT37 (also known as ScarCruft, InkySquid, Reaper, and Ricochet Chollima) has launched a sweeping espionage campaign under the codename Operation HanKook Phantom, targeting government and research organizations in South Korea and across the wider region.

    Researchers at Seqrite found that the attackers distribute counterfeit documents disguised as bulletins from the National Intelligence Society, a research community. One such file is a malicious .LNK shortcut that triggers a multi-stage chain to download and execute embedded payloads.

    The victims of this campaign include academics, former officials, staff at specialized research institutes, and others named in the targeted distribution lists. The operation’s goals are data theft, persistence, and cyberespionage. APT37’s reach extends far beyond South Korea, with confirmed victims in Japan, Vietnam, Nepal, China, India, Romania, Kuwait, Russia, and several Middle Eastern countries.

    Upon execution, the LNK file’s PowerShell script extracts embedded components: a decoy PDF, an executable loader (.dat), and the final payload. These elements are stored in a temporary directory, where the script launches a BAT file and injects code directly into memory. An encrypted DLL is decrypted using XOR with the key 0x35 and injected via WinAPI calls such as GlobalAlloc, VirtualProtect, and CreateThread.

    The final binary exhibits hallmarks of the ROKRAT malware family, performing system reconnaissance, screen capture, disk structure analysis, command execution, and the retrieval of additional malicious modules from C2 servers via cloud platforms including Dropbox, pCloud, and Yandex Disk.

    A second wave of the operation weaponized a document masquerading as an official statement by Kim Yo-jong, Deputy Department Director of North Korea’s Workers’ Party, dated July 28 and published by KCNA. The statement expressed vehement opposition to South Korean government initiatives, declaring the era of national unity over and framing future relations in terms of confrontation.

    Targets of this phase included entities tied to President Lee Jae-myung’s administration, the Ministry of Unification, KCNA, the ROK–US alliance, and APEC.

    The infection chain began with a malicious LNK launching PowerShell through the tony33.bat script. This script decoded base64 content from tony32.dat, executed it in memory, and then loaded an additional encrypted binary (tony31.dat) using XOR with the key 0x37. The decrypted payload was executed entirely through WinAPI calls, bypassing the file system.
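    Both waves of HanKook Phantom, and the Operation Artemis loader above, protect the next-stage DLL with XOR (single-byte keys 0x35 and 0x37 here, several keys in the Artemis case). When the key is not yet known, an analyst can recover it from a dumped blob without touching the unpacking code, because the decrypted output must be a PE file with known bytes in known places. The following is an added example for this page, not Seqrite's or Genians' tooling: it recovers a repeating XOR key of any length up to 32 bytes by using the DOS stub string as known plaintext and accepting only candidates that decrypt to a structurally valid PE header. It goes beyond the single-byte case in the text to the multi-byte one; the 256-byte PE skeleton it runs against is constructed, and the stub-offset search window is an assumption.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode."
MAX_KEY_LEN = 32  # keys longer than this need more known plaintext than the stub provides


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the 0x35/0x37 scheme from the reports."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """Two anchors a decrypted PE must have: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes, stub_search=range(0x40, 0x100)):
    """Known-plaintext recovery of a repeating XOR key of length 1..MAX_KEY_LEN.

    For each key length and each plausible stub offset, XOR the ciphertext with
    the stub text to pin down key bytes, reject inconsistent combinations, and
    accept the first key that decrypts to a valid-looking PE.
    Returns (key, stub_offset) or None.
    """
    for n in range(1, MAX_KEY_LEN + 1):
        for off in stub_search:
            if off + len(DOS_STUB) > len(blob):
                break
            key = [None] * n
            for i, p in enumerate(DOS_STUB):
                k = blob[off + i] ^ p
                slot = (off + i) % n
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    break  # inconsistent: wrong offset or wrong key length
            else:
                if None not in key:
                    cand = bytes(key)
                    if looks_like_pe(xor_bytes(blob, cand)):
                        return cand, off
    return None


def build_fake_pe_header() -> bytes:
    """Constructed 256-byte PE skeleton (not a real binary): MZ header, stub text, PE signature."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> PE signature
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB     # where compilers usually place the stub text
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    fake = build_fake_pe_header()
    for key in (b"\x35", b"\x37", b"\x11\x22\x33\x44"):
        print(key.hex(), "->", recover_xor_key(xor_bytes(fake, key)))
```

    Against a real dump the blob would be the encrypted .dat contents; packers that strip the DOS stub defeat this particular known-plaintext, in which case the PE signature at e_lfanew and the section table are the next anchors to try.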

    Functions sub_401360 and sub_4021F0 implement the algorithm for covert data collection and exfiltration. Files from temporary directories are archived, disguised as PDFs, and transmitted to attacker-controlled servers. Exfiltrated data includes computer names and timestamps, packed in multipart/form-data structures to mimic uploads via Chrome. Once transmission is complete, the original files are deleted, complicating forensic recovery.

    Subsequent stages involve downloading fresh payloads from C2 servers, spawning new PowerShell processes, invoking Sleep, and removing temporary artifacts such as abs.tmp with DeleteFileW.

    Operation HanKook Phantom represents a continuation of APT37’s aggressive cyberespionage efforts, marked by defense evasion, in-memory execution of malicious code, and sophisticated data exfiltration techniques. The group skillfully leverages trusted documents, cloud infrastructure, and native Windows utilities to avoid reliance on conventional malware files.

    Experts recommend strengthening defenses against malicious LNK files, monitoring for anomalous PowerShell activity, and scrutinizing traffic to cloud APIs and HTTP requests containing suspicious MIME parameters.
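    The exfiltration path described for HanKook Phantom, archives renamed to look like PDFs and posted as multipart/form-data with the computer name and a timestamp as form fields, leaves a checkable inconsistency on the wire: the claimed extension does not match the bytes actually uploaded. The following is an added example for this page, not Seqrite's detection content: a small multipart parser plus a filename-versus-magic check of the kind the closing recommendation calls for. The HTTP request it examines is constructed (host, field names and boundary are placeholders, not indicators from the report), and the magic-number table is a deliberately short assumption.

```python
import re

# Claimed extension -> leading bytes it should carry (assumed short table for the demo).
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!\x1a\x07",
    ".png": b"\x89PNG",
}


def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data splitter: returns [(headers, payload), ...].

    Splits on the bare delimiter, so a payload that itself contains the boundary
    string would confuse it; adequate for triage, not a full RFC 7578 parser.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):          # CRLF before the next delimiter belongs to it
            payload = payload[:-2]
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload))
    return parts


def _disposition_param(disposition: str, param: str):
    # (?<!\w) keeps name="..." from matching inside filename="..."
    m = re.search(rf'(?<!\w){param}="([^"]*)"', disposition)
    return m.group(1) if m else None


def sniff_type(payload: bytes):
    for ext, magic in MAGIC.items():
        if payload.startswith(magic):
            return ext
    return None


def triage_upload(raw_request: bytes) -> dict:
    """Parse one HTTP POST; return its plain form fields and any filename/magic mismatches."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return {"fields": {}, "findings": []}
    fields, findings = {}, []
    for ph, payload in parse_multipart(body, m.group(1)):
        disp = ph.get("content-disposition", "")
        name = _disposition_param(disp, "name")
        filename = _disposition_param(disp, "filename")
        if filename is None:
            fields[name] = payload.decode("utf-8", "replace")
            continue
        claimed = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        actual = sniff_type(payload)
        if claimed in MAGIC and actual != claimed:
            findings.append({"filename": filename, "claimed": claimed, "actual": actual})
    return {"fields": fields, "findings": findings}


def build_request(fields: dict, filename: str, payload: bytes) -> bytes:
    """Constructed request in the shape of a browser multipart upload (sample, not a capture)."""
    boundary = "----WebKitFormBoundaryConstructedSample"
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
        for k, v in fields.items()
    ]
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n".encode() + payload + b"\r\n"
    )
    body = b"".join(parts) + f"--{boundary}--\r\n".encode()
    head = (
        "POST /upload HTTP/1.1\r\n"
        "Host: upload.example.invalid\r\n"   # placeholder, not an indicator from the report
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
    ).encode()
    return head + b"\r\n" + body


if __name__ == "__main__":
    req = build_request({"host": "WS-SAMPLE-01", "ts": "20250901T120000"},
                        "scan_2025.pdf", b"PK\x03\x04" + b"\x00" * 16)
    print(triage_upload(req))
```

    In a proxy or NDR pipeline the same check runs on the reassembled request body; the plain fields (here a hostname and a timestamp) are worth logging alongside the mismatch because they are what turns one odd upload into a pattern across hosts.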