APT37 Targets Android Devices with BirdCall Malware

Pulse ID: 69fba09cc8c1a2797734624e
Pulse Link: https://otx.alienvault.com/pulse/69fba09cc8c1a2797734624e
Pulse Author: cryptocti
Created: 2026-05-06 20:12:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #Android #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

📰 North Korean APT ScarCruft Hits Gaming Platform in Supply-Chain Attack

North Korean APT ScarCruft (APT37) targets gamers in a supply-chain attack, compromising a gaming site to distribute Android spyware. The 'BirdCall' backdoor spies on ethnic Koreans in China. 🕵️‍♂️ #APT37 #ScarCruft #CyberSecurity #Android

🔗 https://cyber.netsecops.io

ScarCruft APT Exploits Yanbian Gaming Platform for Intelligence Gathering

Meet ScarCruft, a notorious North Korea-aligned espionage group that's been caught exploiting a popular gaming platform in China to gather intel on its users. The group trojanized a site serving traditional Yanbian-themed games, compromising both Windows and Android software.

https://osintsights.com/scarcruft-apt-exploits-yanbian-gaming-platform-for-intelligence-gathering?utm_source=mastodon&utm_medium=social

#Scarcruft #Apt37 #SupplyChain #Espionage #NationState


ScarCruft hackers deploy BirdCall malware via gaming platform.

North Korean hackers APT37, also known as ScarCruft, have cleverly expanded their BirdCall malware to target Android devices, adapting their Windows backdoor to spy on mobile users. They even used a popular gaming platform to sneak the malware onto unsuspecting devices.

https://osintsights.com/scarcruft-hackers-deploy-birdcall-malware-via-gaming-platform?utm_source=mastodon&utm_medium=social

#Apt37 #Scarcruft #RicochetChollima #BirdcallMalware #AndroidSpyware


AI-Assisted Code Targets Crypto Wallets via Malicious npm Dependency

Researchers have uncovered a sneaky malicious npm campaign, dubbed PromptMink, linked to North Korean hackers Famous Chollima, which targets crypto developers with fake utility packages that secretly steal sensitive info and funds. The campaign's clever tactics even involve an AI-assisted code commit to fly under the radar.

https://osintsights.com/ai-assisted-code-targets-crypto-wallets-via-malicious-npm-dependency?utm_source=mastodon&utm_medium=social

#MaliciousNpmDependency #AiassistedCode #CryptoWallets #FamousChollima #Apt37

APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks
#APT37
https://www.genians.co.kr/en/blog/threat_intelligence/pretexting

Pretexting by APT37 was identified. After Facebook contact, they sent an encrypted PDF via messenger and lured targets to install a viewer.

Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.

Pulse ID: 69de00eccc0fa8439b871c56
Pulse Link: https://otx.alienvault.com/pulse/69de00eccc0fa8439b871c56
Pulse Author: AlienVault
Created: 2026-04-14 08:55:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #CyberSecurity #Encryption #Facebook #ICS #InfoSec #Japan #Korea #Malware #Military #NorthKorea #OTX #OpenThreatExchange #PDF #RAT #Rust #ShellCode #SocialEngineering #Telegram #bot #AlienVault


APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

Pulse ID: 69dcdbb16f4952219b815e6d
Pulse Link: https://otx.alienvault.com/pulse/69dcdbb16f4952219b815e6d
Pulse Author: CyberHunter_NL
Created: 2026-04-13 12:04:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT37 #CyberSecurity #Facebook #InfoSec #OTX #OpenThreatExchange #bot #CyberHunter_NL


APT37 Exploits Facebook for RokRAT Malware Delivery

North Korean hackers APT37 have cleverly turned Facebook friend requests into a sneaky way to deliver RokRAT malware, exploiting our natural tendency to trust social connections. By accepting a friend request, victims unwittingly open the door to a remote access trojan that can compromise their device.

https://osintsights.com/apt37-exploits-facebook-for-rokrat-malware-delivery?utm_source=mastodon&utm_medium=social

#Apt37 #Rokrat #SocialEngineering #MalwareDelivery #NorthKorea


APT37 abusing .LNK files with GitHub-based C2 in targeted campaign against South Korean organizations and supply chain partners. Malicious shortcuts execute PowerShell, deploy XenoRAT for remote access and keylogging. Detection challenge: legitimate GitHub traffic masks command execution. Fortinet researchers identified deliberate targeting of financial services, defense contractors, critical infrastructure handling sensitive government contracts. #APT37...

https://bit.ly/4vdNa42