Mastodawn

#ESETresearch uncovered a multiplatform supply-chain attack by the 🇰🇵 #ScarCruft APT group targeting the Yanbian region via backdoor-laced Windows and Android games. https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
In the attack, likely ongoing since late 2024, ScarCruft compromised sqgame, a video game platform used by ethnic Koreans living in the #Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors.
The sqgame Windows client was compromised through a malicious update serving the #RokRAT backdoor, which deployed ScarCruft’s more advanced #BirdCall backdoor. Android games were trojanized with the Android version of BirdCall – a new tool in ScarCruft’s arsenal.
The Android version of BirdCall implements a subset of the capabilities of its Windows counterpart – it collects contacts, SMS messages, call logs, and various documents, media files, and private keys. It can also take screenshots and record surrounding audio.
We believe that this campaign is probably aimed at collecting information on individuals in the Yanbian region and deemed of interest to the 🇰🇵 regime.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/scarcruft

Read the full analysis on WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/#article-2

Analyst207 Apr 13

APT37 Exploits Facebook for RokRAT Malware Delivery

North Korean hackers APT37 have cleverly turned Facebook friend requests into a sneaky way to deliver RokRAT malware, exploiting our natural tendency to trust social connections. By accepting a friend request, victims unwittingly open the door to a remote access trojan that can compromise their device.

https://osintsights.com/apt37-exploits-facebook-for-rokrat-malware-delivery?utm_source=mastodon&utm_medium=social

#Apt37 #Rokrat #SocialEngineering #MalwareDelivery #NorthKorea

APT37 Exploits Facebook for RokRAT Malware Delivery

APT37 uses Facebook to deliver RokRAT malware via friend requests. Learn how this North Korean group's social engineering campaign works and protect yourself now.

OSINTSights

Hackread.com Sep 1, 2025

North Korea-linked ScarCruft is using spear-phishing with RokRAT malware to spy on academics, dubbed the #HanKookPhantom campaign.

Read: https://hackread.com/north-korea-scarcruft-target-academics-rokrat-malware/

#CyberSecurity #NorthKorea #ScarCruft #RokRAT #Malware

North Korea’s ScarCruft Targets Academics With RokRAT Malware

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto

TechNadu Sep 1, 2025

ScarCruft (APT37) is running Operation HanKook Phantom → phishing South Korean academics w/ RokRAT malware.
🔹 LNK loaders + fileless PowerShell
🔹 Exfil via Dropbox & GDrive
🔹 Goal: espionage & persistence
💬 Should academia ramp up defenses to enterprise SOC levels, or is that unrealistic?
Follow @technadu for more threat intel.

#CyberSecurity #APT37 #ScarCruft #RokRAT #Phishing #ThreatIntel

securityaffairs Sep 1, 2025

#North #Korea’s #APT37 deploys #RokRAT in new phishing campaign against academics
https://securityaffairs.com/181782/hacking/north-koreas-apt37-deploys-rokrat-in-new-phishing-campaign-against-academics.html
#securityaffairs #hacking #malware

North Korea’s APT37 deploys RokRAT in new phishing campaign against academics

ScarCruft (APT37) launches Operation HanKook Phantom, a phishing campaign using RokRAT to target academics, ex-officials, and researchers.

Security Affairs

The Threat Codex Aug 4, 2025

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies
#RoKRAT
https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic

RoKRAT Shellcode and Steganographic Threats: Analysis and EDR Response Strategies

A new RoKRAT variant used by APT37 was found hiding malware in image files via steganography and using two-layer encrypted shellcode to evade analysis.

lazarusholic Jul 23, 2025

"RokRAT Malware Using Malicious Hangul (.HWP) Documents" published by Ahnlab. #RokRAT, #DPRK, #CTI https://asec.ahnlab.com/en/89130/

RokRAT Malware Using Malicious Hangul (.HWP) Documents - ASEC

RokRAT Malware Using Malicious Hangul (.HWP) Documents ASEC

ASEC

lazarusholic Jul 22, 2025

"악성 한글(.HWP) 문서를 이용한 RokRAT 악성코드 유포 주의" published by Ahnlab. #RokRAT, #DPRK, #CTI https://asec.ahnlab.com/ko/89116/

악성 한글(.HWP) 문서를 이용한 RokRAT 악성코드 유포 주의 - ASEC

악성 한글(.HWP) 문서를 이용한 RokRAT 악성코드 유포 주의 ASEC

ASEC

lazarusholic Jun 9, 2025

"대북관계자를 노리는 북한 해킹 단체 리퍼(Reaper)에서 만든 악성코드-국가정보와 방첩 원고.lnk(2025.6.3)" published by Sakai. #APT37, #LNK, #RokRAT, #DPRK, #CTI https://wezard4u.tistory.com/429506

대북관계자를 노리는 북한 해킹 단체 리퍼(Reaper)에서 만든 악성코드-국가정보와 방첩 원고.lnk(2025.6.3)

오늘은 오래간만에 북한 해킹 단체 리퍼(Reaper,APT 37) 에서 만든 악성코드인 국가정보와 방첩 원고.lnk에 대해 알아보겠습니다.RoKRAT은 대한민국에서 대북관계자 분들을 대상으로 하는 것이 특징이 있으며 대북 인권단체, 북한 취재 기자,탈북민,대북 관한 대학교수도 포함이 됩니다.파일명:국가정보와 방첩 원고.lnk사이즈:52 MBMD5:f6d72abf9ca654a20bbaf23ea1c10a55SHA-1:543e3b4b74257c3ffcd45dcdd8c842489a82bc07SHA-256:90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0입니다.악성코드 PowerShell 코드StringData{ namestring: ..

꿈을꾸는 파랑새

lazarusholic May 12, 2025

"Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)" published by Genians. #APT37, #LNK, #ToyBoxStory, #RokRAT, #DPRK, #CTI https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)

APT37 used Dropbox to spread ZIP files with malicious LNK files that filelessly executed RoKRAT and triggered extra malware with the keyword ‘toy’.