Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.

Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault

APT37 Targets Android Devices with BirdCall Malware

Pulse ID: 69fba09cc8c1a2797734624e
Pulse Link: https://otx.alienvault.com/pulse/69fba09cc8c1a2797734624e
Pulse Author: cryptocti
Created: 2026-05-06 20:12:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #Android #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #bot #cryptocti

📰 North Korean APT ScarCruft Hits Gaming Platform in Supply-Chain Attack

North Korean APT ScarCruft (APT37) targets gamers in a supply-chain attack, compromising a gaming site to distribute Android spyware. The 'BirdCall' backdoor spies on ethnic Koreans in China. 🕵️‍♂️ #APT37 #ScarCruft #CyberSecurity #Android

🔗 https://cyber.netsecops.io

ScarCruft APT Exploits Yanbian Gaming Platform for Intelligence Gathering

Meet ScarCruft, a notorious North Korea-aligned espionage group that's been caught exploiting a popular gaming platform in China to gather intel on its users. The group trojanized a site serving traditional Yanbian-themed games, compromising both Windows and Android software.

https://osintsights.com/scarcruft-apt-exploits-yanbian-gaming-platform-for-intelligence-gathering?utm_source=mastodon&utm_medium=social

#Scarcruft #Apt37 #SupplyChain #Espionage #NationState

ScarCruft hackers deploy BirdCall malware via gaming platform.

North Korean hackers APT37, also known as ScarCruft, have cleverly expanded their BirdCall malware to target Android devices, adapting their Windows backdoor to spy on mobile users. They even used a popular gaming platform to sneak the malware onto unsuspecting devices.

https://osintsights.com/scarcruft-hackers-deploy-birdcall-malware-via-gaming-platform?utm_source=mastodon&utm_medium=social

#Apt37 #Scarcruft #RicochetChollima #BirdcallMalware #AndroidSpyware

AI-Assisted Code Targets Crypto Wallets via Malicious npm Dependency

Researchers have uncovered a sneaky malicious npm campaign, dubbed PromptMink, linked to North Korean hackers Famous Chollima, which targets crypto developers with fake utility packages that secretly steal sensitive info and funds. The campaign's clever tactics even involve an AI-assisted code commit to fly under the radar.

https://osintsights.com/ai-assisted-code-targets-crypto-wallets-via-malicious-npm-dependency?utm_source=mastodon&utm_medium=social

#MaliciousNpmDependency #AiassistedCode #CryptoWallets #FamousChollima #Apt37

APT37 Exploits Facebook for RokRAT Malware Delivery

North Korean hackers APT37 have cleverly turned Facebook friend requests into a sneaky way to deliver RokRAT malware, exploiting our natural tendency to trust social connections. By accepting a friend request, victims unwittingly open the door to a remote access trojan that can compromise their device.

https://osintsights.com/apt37-exploits-facebook-for-rokrat-malware-delivery?utm_source=mastodon&utm_medium=social

#Apt37 #Rokrat #SocialEngineering #MalwareDelivery #NorthKorea

APT37 abusing .LNK files with GitHub-based C2 in targeted campaign against South Korean organizations and supply chain partners. Malicious shortcuts execute PowerShell, deploy XenoRAT for remote access and keylogging. Detection challenge: legitimate GitHub traffic masks command execution. Fortinet researchers identified deliberate targeting of financial services, defense contractors, critical infrastructure handling sensitive government contracts. #APT37...

https://bit.ly/4vdNa42