The South Korean flag digitally projected on a building in Seoul. Image: Gije Cho via Pexels

South Korean researchers uncover another cyber-espionage campaign from the North

A hacker group known as APT37 has launched a new espionage campaign against organizations in South Korea with interests in national security, researchers have found.

The group, also known as ScarCruft, impersonated a North Korea-focused expert and a think tank to lure victims into opening phishing emails, reports South Korean cybersecurity firm Genians.

One email discovered by Genians offered information on North Korean troops deployed to Russia, while another contained a fake invitation to a national security conference. Both emails included Dropbox links, a tactic APT37 frequently employs to disguise its operations.

APT37 is generally considered to be state-sponsored by North Korea and has previously targeted high-profile individuals, as well as public and private entities, primarily in South Korea. Allegedly operating within North Korea’s Ministry of State Security, it is one of the country’s most active hacking units, known for using social engineering tactics to deceive victims into opening malicious files.

The group has a history of using Dropbox and other global cloud services, such as Yandex, OneDrive and Google Drive, to distribute malicious files, researchers said. In the latest attack, the group embedded malicious code that triggered PowerShell commands to deploy RoKRAT malware, a tool capable of collecting detailed system information, capturing real-time screenshots, and storing them for later analysis.

Genians researchers also discovered several Russian Yandex email accounts associated with the campaign. However, the connection to these accounts remains unclear, with researchers unable to determine if they were victims of identity theft or impersonation, or if the connection was coincidental.

Earlier this week, researchers reported that another North Korean group, tracked as TA406, had targeted Ukrainian government entities in a comparable espionage operation that relied on the same kind of phishing tactics.

Last December, APT37 also reportedly targeted South Korean academic experts and a North Korea-focused news outlet to better understand international perceptions of developments in North Korea.

A new analysis released in September said that the threat actor known as Konni, previously linked to the North Korean state-backed group Kimsuky, had ramped up its cyberattacks on South Korea and Russia. Since at least 2021, Konni has targeted the Russian Ministry of Foreign Affairs, the Russian Embassy in Indonesia, and several unnamed South Korean companies, including a tax law firm.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.