APT37 abusing .LNK files with GitHub-based C2 in targeted campaign against South Korean organizations and supply chain partners. Malicious shortcuts execute PowerShell, deploy XenoRAT for remote access and keylogging. Detection challenge: legitimate GitHub traffic masks command execution. Fortinet researchers identified deliberate targeting of financial services, defense contractors, critical infrastructure handling sensitive government contracts. #APT37...

https://bit.ly/4vdNa42

Zscaler | ThreatLabZ


APT37 combines cloud storage and USB implants to infiltrate air-gapped systems

APT 37 used Zoho WorkDrive and USB malware to breach air-gapped networks in the Ruby Jumper campaign.

Security Affairs
APT37 hackers use new malware to breach air-gapped networks

North Korean hackers are deploying newly uncovered tools to move data between internet-connected and air-gapped systems, spread via removable drives, and conduct covert surveillance.

BleepingComputer

APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.

Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.

The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.

Are critical infrastructure operators prepared for USB-mediated C2 relays?

Source: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

Engage below.

Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.

#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture

South Korean researchers (Genians) report that APT37 is abusing Google Find Hub to track victims and remotely wipe Android devices.

The attackers use phished Google credentials to access legitimate Find Hub functions - no exploit involved.

Google has confirmed this and advises enabling 2-Step Verification or passkeys.

Credential security remains the weakest link in most modern attacks.

#CyberSecurity #APT37 #GoogleFindHub #ThreatIntel #AndroidSecurity #InfoSec #MalwareAnalysis #Kimsuky #TechNadu

North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.

https://thedefendopsdiaries.com/konni-activity-cluster-north-korean-apts-exploit-google-find-hub-for-advanced-cyber-espionage/

#konni #apt37 #cyberespionage #androidsecurity #googlefindhub #malware #northkorea #spearphishing #infosec

KONNI Activity Cluster: North Korean APTs Exploit Google Find Hub for Advanced Cyber-Espionage

North Korean APTs exploit Google Find Hub to wipe Android devices, hijack accounts, and evade detection with advanced KONNI malware and social engineering.

The DefendOps Diaries

ScarCruft (APT37) is running Operation HanKook Phantom → phishing South Korean academics w/ RokRAT malware.
🔹 LNK loaders + fileless PowerShell
🔹 Exfil via Dropbox & GDrive
🔹 Goal: espionage & persistence
💬 Should academia ramp up defenses to enterprise SOC levels, or is that unrealistic?
Follow @technadu for more threat intel.

#CyberSecurity #APT37 #ScarCruft #RokRAT #Phishing #ThreatIntel

North Korea’s APT37 deploys RokRAT in new phishing campaign against academics

ScarCruft (APT37) launches Operation HanKook Phantom, a phishing campaign using RokRAT to target academics, ex-officials, and researchers.

Security Affairs
"Malware created by the North Korean hacking group APT37 (Reaper) targeting North Korean defectors - 김x민대표님모금캠페인.lnk (2024.10.31)" published by Sakai. #APT37, #LNK, #DPRK, #CTI https://wezard4u.tistory.com/429521
Malware created by the North Korean hacking group APT37 (Reaper) targeting North Korean defectors - 김x민대표님모금캠페인.lnk (2024.10.31)

Today I will write about 김x민대표님모금캠페인.lnk (2024.10.31), malware created by the North Korean hacking group APT37 (Reaper) that targets North Korean defectors. The malware was distributed disguised as a fundraising campaign for Representative Kim x-min, the head of Free North Korea Radio (자유북한방송). It is presented as a document made by a defector organization to collect donations after the representative was found to have a brain tumor, but it is in fact malicious code.
File name: 김X민대표님모금캠페인.lnk
Size: 222 MB
MD5: 144928fc87e1d50f5ed162bb1651ab24
SHA-1: e917166ed0096688994709acb94233ba3f3be39b
SHA-256: c045b9da0456430268861da18735f7e8ebb2d1df771ca803a2..

꿈을꾸는 파랑새