North Korean APT37 Targets S. Korea With RokRAT in New Attacks

North Korean APT Groups Target South Korea with Sophisticated Phishing, Malware, and Crypto-Related Espionage Campaigns

  • Cybersecurity researchers identified a new phishing campaign by the North Korea-linked group ScarCruft (APT37), targeting South Korean individuals.
  • The attack used fake newsletters and malicious links to deliver the RokRAT malware for espionage and data theft.
  • A second campaign deployed decoy Word documents with scripts to steal sensitive data and hide network activity.
  • Other attacks by the Lazarus Group targeted job seekers, leading to the deployment of further malware and backdoors.
  • U.S. authorities imposed sanctions on individuals and entities involved in North Korea's IT worker scheme, including activity connected to cryptocurrency projects and blockchain games.

Cybersecurity teams have reported that the North Korean hacking group ScarCruft (also called APT37) is behind a recent phishing campaign against South Koreans. The operation, identified as “Operation HanKook Phantom” by Seqrite Labs, targeted people linked to the National Intelligence Research Association, such as academic experts, former government officials, and researchers.


Researchers explained that the attackers’ main goals include stealing sensitive data, establishing persistent access to systems, and conducting espionage. The attack started with spear-phishing emails posing as an issue of the “National Intelligence Research Society Newsletter,” sent to trick recipients into opening a harmful attachment.

The phishing email included a ZIP file containing a Windows shortcut (LNK) file disguised as a PDF document. When opened, it displayed the real newsletter as a decoy while installing the RokRAT malware. RokRAT can collect system information, take screenshots, run commands, enumerate files, and upload stolen data to services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud. Seqrite found a second attack using a similar file, which ran a PowerShell script that launched a decoy Word document and then deployed malware that disguised its data theft as a normal Chrome upload.
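The lure shape described above, a ZIP attachment carrying a Windows shortcut named to look like a PDF, is easy to screen for at the mail gateway before anyone double-clicks it. The following is an added illustration, not code from Seqrite Labs or from this article: it inspects each ZIP member for a shortcut header (the fixed 0x4C header size followed by the ShellLink CLSID) and for the double-extension pattern. The document-extension list and the sample archive are constructed for the example; only the "PDF-looking shortcut" case comes from the page.

```python
"""Screen a ZIP attachment for Windows shortcut files posing as documents.
Added example (not the article's or Seqrite's code); the sample archive below
is constructed in memory so the check runs offline."""
import io
import os
import zipfile

# Shell link header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions an attacker may put in front of ".lnk" (assumed list; the article
# only describes a shortcut disguised as a PDF).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx"}


def is_shortcut(data: bytes) -> bool:
    """True if the bytes begin with the Windows shell link header."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a shortcut lure (empty if clean)."""
    reasons = []
    base = os.path.basename(name)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if ext == ".lnk":
        reasons.append("windows shortcut inside a mail attachment")
        if inner_ext in DOC_EXTENSIONS:
            reasons.append(f"double extension: shortcut posing as {inner_ext}")
    if is_shortcut(data) and ext != ".lnk":
        # Renaming does not change the header; catch shortcuts hiding under any name.
        reasons.append(f"shortcut header under non-.lnk name ({ext or 'no extension'})")
    return reasons


def scan_zip_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the fixed header is enough to recognise a shortcut
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a PDF-like decoy beside a shortcut posing as the same PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("newsletter/Newsletter_July.pdf", b"%PDF-1.4\n% decoy document bytes\n")
        zf.writestr("newsletter/Newsletter_July.pdf.lnk", LNK_MAGIC + b"\x00" * 200)
        zf.writestr("newsletter/readme.txt", LNK_MAGIC + b"\x00" * 200)  # renamed shortcut
        zf.writestr("newsletter/notes.txt", b"plain text, nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(member)
        for reason in reasons:
            print("   -", reason)
```

Reading only the first 64 bytes of each member keeps the scan cheap on large archives, and checking the header rather than trusting the file name means a shortcut renamed to `.txt` is still caught. In a gateway this would sit beside the usual controls on archive attachments; the point is that a shortcut has no business arriving in a newsletter.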

One lure used in these campaigns was a statement from Kim Yo Jong, Deputy Director of the Workers’ Party of Korea, published on July 28, which rejected reconciliation with South Korea. “The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms,” wrote researcher Dixit Panchal. “The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage.”

At the same time, security firm QiAnXin described attacks from the Lazarus Group that deceived job seekers into downloading fake updates, leading to malware that could steal information or give remote control to attackers.


The U.S. Treasury’s Office of Foreign Assets Control also imposed new sanctions on individuals and businesses accused of helping North Korea earn illegal funds for weapons programs through overseas IT work. Chollima Group released findings linking a cluster of North Korean IT workers to the blockchain game DefiTankLand and a cryptocurrency project possibly fronted by a company called ICICB. Some digital identities were found to have connections to both the gaming and cybercrime markets. “This all means that the ‘legitimate’ game behind Moonstone Sleet’s DeTankZone was in fact developed by DPRK IT Workers, only to be later picked up and used by a North Korean APT Group,” said the group in their report.
