
North Korean APT37 Targets S. Korea With RokRAT in New Attacks

North Korean APT Groups Target South Korea with Sophisticated Phishing, Malware, and Crypto-Related Espionage Campaigns

  • Cybersecurity researchers identified a new phishing campaign by North Korea-linked group ScarCruft (APT37), targeting South Korean individuals.
  • The attack used fake newsletters and malicious links to deliver the RokRAT malware for espionage and data theft.
  • A second campaign deployed decoy Word documents with scripts to steal sensitive data and hide network activity.
  • Other attacks by the Lazarus Group targeted job seekers, leading to the deployment of further malware and backdoors.
  • U.S. authorities imposed sanctions on individuals and entities involved in North Korea's IT worker scheme, including activity connected to cryptocurrency projects and blockchain games.

Cybersecurity teams have reported that the North Korean hacking group ScarCruft (also called APT37) is behind a recent phishing campaign against South Koreans. The operation, identified as “Operation HanKook Phantom” by Seqrite Labs, targeted people linked to the National Intelligence Research Association, such as academic experts, ex-government officials, and researchers.


Researchers explained that the attackers’ main goals include stealing sensitive data, creating lasting access to systems, and conducting espionage. The attack started with spear-phishing emails posing as an issue of the “National Intelligence Research Society Newsletter,” sent to trick recipients into opening a harmful attachment.

The phishing email included a ZIP file containing a Windows shortcut file disguised as a PDF document. When opened, it showed the real newsletter as a decoy while installing the RokRAT malware. RokRAT can collect system info, take screenshots, run commands, explore files, and upload stolen data to services like Dropbox, Google Cloud, pCloud, and Yandex Cloud. Seqrite found a second attack using a similar file, which activated a PowerShell script launching a decoy Word document and then deployed malware that disguised its data theft as a normal Chrome upload.

One lure used in these campaigns was a statement from Kim Yo Jong, Deputy Director of the Workers’ Party of Korea, published on July 28, which rejected reconciliation with South Korea. “The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms,” wrote researcher Dixit Panchal. “The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage.”
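The lure chain described above (a ZIP attachment carrying a Windows shortcut disguised as a PDF, which then launches a PowerShell script) is something a mail gateway or an analyst's triage script can flag before a recipient opens it. The Python script below is an added example, not code from the article, from Seqrite Labs or from any vendor: it inspects each member of a ZIP for Shell Link (.lnk) content, a double extension that mimics a document, and script-host strings stored in the shortcut body. The sample archive it builds is constructed; the extension list, the marker list and the function names are assumptions of this example, while the 20-byte Shell Link header signature is the one documented in the MS-SHLLINK format.

```python
"""Triage helper for e-mailed ZIP attachments: flag Windows shortcut (.lnk)
members that masquerade as documents and carry script-host markers.
Added example, not code from the article or from Seqrite Labs."""
import io
import zipfile

# Shell Link header: HeaderSize = 0x4C, then LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_SIGNATURE = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# Document extensions a lure commonly borrows (assumed list for this example)
DOC_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
# Strings typically present in a shortcut's target/arguments when it launches a script host
SCRIPT_MARKERS = ("powershell", "mshta", "wscript", "cscript", "cmd.exe", "-enc", "-w hidden")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header (content check, not extension)."""
    return data[:20] == LNK_SIGNATURE


def has_script_marker(data: bytes) -> list:
    """Return markers found as ASCII or as UTF-16LE (how .lnk files store their strings)."""
    low = data.lower()  # bytes.lower() only touches ASCII letters, which is all we need
    return [m for m in SCRIPT_MARKERS
            if m.encode("ascii") in low or m.encode("utf-16-le") in low]


def scan_zip(zip_bytes: bytes) -> list:
    """Return one finding dict per suspicious member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            data = zf.read(info)
            lnk_by_ext = lower.endswith(".lnk")
            lnk_by_content = is_lnk(data)
            if not (lnk_by_ext or lnk_by_content):
                continue
            reasons = []
            if lnk_by_content and not lnk_by_ext:
                reasons.append("shortcut content under non-.lnk name")
            stem = lower[:-4] if lnk_by_ext else lower
            if stem.rstrip().endswith(DOC_EXTS):
                reasons.append("double extension mimics a document")
            if "  " in name:
                reasons.append("whitespace padding hides real extension")
            markers = has_script_marker(data)
            if markers:
                reasons.append("script host markers: " + ", ".join(markers))
            findings.append({"member": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the described lure: a decoy PDF name over a shortcut."""
    fake_lnk = LNK_SIGNATURE + b"\x00" * 56  # pad to the 76-byte (0x4C) header size
    fake_lnk += "powershell -w hidden".encode("utf-16-le")  # constructed argument string
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("National Intelligence Research Society Newsletter.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", "plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["member"], "->", "; ".join(f["reasons"]))
```

The content check matters more than the extension check: a gateway that only blocks `*.lnk` by name misses a shortcut renamed to something else, while the header signature identifies Shell Link data regardless of what the file is called. Searching for markers in both ASCII and UTF-16LE is needed because the target path and arguments inside a shortcut are stored as wide strings.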

At the same time, security firm QiAnXin described attacks from the Lazarus Group that deceived job seekers into downloading fake updates, leading to malware that could steal information or give remote control to attackers.


The U.S. Treasury’s Office of Foreign Assets Control also imposed new sanctions on individuals and businesses accused of helping North Korea earn illegal funds for weapons programs through overseas IT work. Chollima Group released findings linking a cluster of North Korean IT workers to the blockchain game DefiTankLand and a cryptocurrency project possibly fronted by a company called ICICB. Some digital identities were found to have connections to both the gaming and cybercrime markets. “This all means that the ‘legitimate’ game behind Moonstone Sleet’s DeTankZone was in fact developed by DPRK IT Workers, only to be later picked up and used by a North Korean APT Group,” said the group in their report.
