
Cybersecurity researchers have uncovered a new phishing campaign run by the North Korean hacking group ScarCruft (also known as APT37) to deliver the malware known as RokRAT.
Seqrite Labs has codenamed the activity Operation HanKook Phantom and says the attack appears to target individuals associated with the National Intelligence Research Association, including academics, former government officials and researchers.
“Attacks are likely aiming to steal sensitive information, establish persistence and carry out espionage,” security researcher Dixit Panchal said in a report released last week.
The starting point of the attack chain is a spear-phishing email whose lure is themed on Issue 52 of the National Intelligence Research Society Newsletter, a regular publication of a Korean research group that focuses on national intelligence, labor relations, security and energy issues.

The message carries a ZIP archive attachment containing a Windows shortcut (LNK) file that poses as a PDF document. When opened, it displays the newsletter as a decoy while dropping RokRAT on the infected host.
RokRAT is a known malware family associated with APT37 that can collect system information, execute arbitrary commands, enumerate the file system, capture screenshots and download additional payloads. The collected data is exfiltrated via Dropbox, Google Cloud, pCloud and Yandex Cloud.
Seqrite said it also detected a second campaign in which the LNK file acts as a conduit for a PowerShell script. That script runs an obfuscated Windows batch script responsible for deploying a dropper and deleting the decoy Microsoft Word document. The dropper then executes the next-stage payload, which steals sensitive data from the compromised host and disguises its network traffic as Chrome file uploads.
The lure document used in this case is a statement issued on July 28 by Kim Yo Jong, vice department director of North Korea's ruling Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.
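Both delivery chains above start the same way: a shortcut inside a ZIP attachment whose file name ends in a document extension so that Explorer shows it as a PDF or Word file. The following triage script is an added example, not Seqrite's tooling or anything from the campaign; it scans a ZIP for ShellLink files by checking the header CLSID (so a renamed shortcut is still caught), flags names that pad a document extension in front of ".lnk", and carves UTF-16LE and ASCII strings out of each shortcut to look for PowerShell launch patterns. The archive, the shortcut bytes, the command line and the keyword list are all constructed here for illustration.

```python
"""Triage a ZIP e-mail attachment for shortcut (LNK) files posing as documents.

Added example; the sample archive, shortcut bytes and keyword list are constructed
for illustration and are not taken from the campaign described in the article.
"""
import io
import re
import zipfile

# ShellLink header: HeaderSize (0x4C) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Document extension optionally followed by whitespace padding and ".lnk". Padding pushes
# the real extension out of view in file-manager columns.
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|hwp|xlsx?|pptx?)\s*\.lnk$", re.IGNORECASE)

# Command-line fragments that rarely appear in a legitimate shortcut (assumed list).
SUSPICIOUS = (
    "powershell", "-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
    "bypass", "invoke-expression", "frombase64string", "cmd.exe /c",
    "mshta", "certutil", "rundll32",
)


def is_lnk(data: bytes) -> bool:
    """True if the blob starts with a ShellLink header, whatever its file name says."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def carve_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Pull printable ASCII and UTF-16LE runs out of a blob without parsing its structure."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def indicators_in(data: bytes) -> list[str]:
    """Return the suspicious fragments found among the carved strings."""
    joined = " ".join(carve_strings(data)).lower()
    return [kw for kw in SUSPICIOUS if kw in joined]


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Inspect every member of an in-memory ZIP and return one finding per file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            lnk = is_lnk(data)
            masq = bool(DOC_MASQUERADE.search(info.filename))
            # A shortcut whose name does not end in .lnk at all is a name/content mismatch.
            hidden_lnk = lnk and not info.filename.rstrip().lower().endswith(".lnk")
            inds = indicators_in(data) if lnk else []
            if lnk and (masq or hidden_lnk or inds):
                verdict = "suspicious"
            elif lnk:
                verdict = "review"
            else:
                verdict = "benign"
            findings.append({
                "name": info.filename,
                "is_lnk": lnk,
                "masquerades_as_doc": masq,
                "hidden_lnk": hidden_lnk,
                "indicators": inds,
                "verdict": verdict,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a real PDF decoy plus a shortcut hiding '.lnk' behind a padded '.pdf'."""
    fake_cmd = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                "-w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=")
    # 76-byte ShellLink header (magic + zero padding) followed by a UTF-16LE command line.
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + fake_cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter_Issue52.pdf", b"%PDF-1.7\n% decoy document body\n")
        zf.writestr("Newsletter_Issue52.pdf" + " " * 30 + ".lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["verdict"].upper(), repr(finding["name"]), finding["indicators"])
```

String carving is deliberately crude: it catches the command line regardless of where the LNK format stores it, but it does not resolve the target path, icon location or environment-variable tricks. For a real investigation, follow up with a proper ShellLink parser such as LECmd, and treat any shortcut arriving in an email archive as hostile until proven otherwise.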
“Analysis of this campaign highlights that APT37 (ScarCruft/InkySquid) continues to carry out highly customized spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and hidden exfiltration mechanisms.
“The attackers specifically target the South Korean government sector, research institutions and academics, with the aim of intelligence gathering and long-term espionage.”
The development comes as cybersecurity company QiAnXin detailed an attack attributed to the infamous Lazarus Group that uses ClickFix-style tactics to trick job seekers into fixing supposed camera or microphone issues during a video assessment. Details of this activity were previously disclosed by Gen Digital in late July 2025.
The ClickFix attack runs a Visual Basic Script that leads to the deployment of BeaverTail, a JavaScript stealer that can also deliver a Python-based backdoor called InvisibleFerret. The attack also paves the way for a backdoor with command execution and file read/write capabilities.
The disclosure follows new sanctions imposed by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on two individuals and two entities for their role in a North Korean remote information technology (IT) worker scheme that generates illicit revenue for the regime’s weapons of mass destruction and ballistic missile programs.
In a report released last week, Chollima Group detailed an investigation into an IT worker cluster linked to Moonstone Sleet, which it tracks as Babylonggroup, in connection with a blockchain play-to-earn (P2E) game called Defitankland.

Logan King, CTO at Defitankland, is assessed to be a North Korean IT worker, a hypothesis strengthened by the fact that King’s GitHub account is cited as a reference by a purported Ukrainian freelancer and blockchain developer named “Ivan Kovch.”
“Many members were working on a huge cryptocurrency project on behalf of a shady company previously called ICICB (which we believe to be a front). One of the non-DPRK members of the cluster runs Fleeticity, a Chinese cybercrime market, providing an interesting connection between Detank Zone, which previously operated in Tanzania, and the old IT workers.
“Nabil Amrani, CEO of Defitankland, has previously worked with Logan on other blockchain projects, but is not thought to have been responsible for the development. All this means that the ‘legitimate’ game behind Moonstone Sleet’s Detankzone was actually developed by DPRK IT workers.”