North Korean cyber-espionage group ScarCruft adds ransomware in recent attack
The North Korean state-backed hacker group tracked as ScarCruft recently took the unusual step of infecting targets with ransomware alongside other malicious files, researchers said.
ScarCruft, primarily known for cyber-espionage campaigns against high-profile individuals and government entities, used “newly observed” ransomware as part of the operation, analysts at South Korean cybersecurity firm S2W said in a report on Thursday.
The researchers labeled the ransomware VCD after the extension it appends to the names of encrypted files. It drops two versions of its ransom note, one in English and the other in Korean, the researchers said.
ScarCruft’s use of ransomware “suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics,” S2W said.
ScarCruft previously has targeted entities in South Korea, Japan, Vietnam, Russia and Nepal. In a campaign aimed at South Koreans in July, S2W said, the hackers used phishing emails containing a malicious archive to gain access to targeted systems. The decoy file displayed a message about postal code updates tied to changes in street addresses. The report does not specify who received the emails.
Researchers identified more than nine types of malware in the campaign, including the LightPeek and FadeStealer information stealers, as well as NubSpy, a backdoor that uses the legitimate PubNub real-time messaging platform for command-and-control (C2) communication. While PubNub is typically used for chat apps and notifications, ScarCruft abused it to blend malicious traffic into normal network activity.
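As an added example, not taken from the S2W report or this article, the defensive corollary of the PubNub technique: traffic to a legitimate messaging service is only anomalous on hosts that have no business using it. The Python below flags hosts in proxy logs that reach PubNub endpoints without being on an allowlist and reports how regular those contacts are; the domain list, host names and log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed PubNub service domains for this example; confirm against your own proxy logs.
PUBNUB_DOMAINS = ("pubnub.com", "pndsn.com")

# Constructed sample proxy log (not real telemetry): time, source host, destination host, bytes.
SAMPLE_PROXY_LOG = """\
2025-07-14T09:00:01Z host-finance-07 ps.pndsn.com 1432
2025-07-14T09:00:31Z host-finance-07 ps.pndsn.com 1398
2025-07-14T09:01:01Z host-finance-07 ps.pndsn.com 1401
2025-07-14T09:01:31Z host-finance-07 ps.pndsn.com 1420
2025-07-14T09:00:05Z chat-gateway-01 ps.pndsn.com 20311
2025-07-14T09:00:09Z host-hr-02 update.example-vendor.com 5120
2025-07-14T09:02:00Z host-hr-02 ps.pndsn.com 1410
"""


def _is_pubnub(dest: str) -> bool:
    """True if the destination is a PubNub domain or one of its subdomains."""
    dest = dest.lower()
    return any(dest == d or dest.endswith("." + d) for d in PUBNUB_DOMAINS)


def pubnub_contacts_by_host(log_text: str) -> dict:
    """Group timestamps of PubNub connections by source host."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the sweep
        ts, src, dest = parts[0], parts[1], parts[2]
        if _is_pubnub(dest):
            contacts[src].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return contacts


def flag_unexpected_pubnub(log_text: str, allowlist: set, min_hits: int = 3) -> list:
    """Return hosts contacting PubNub that are not expected to (not on the allowlist).

    For hosts with at least min_hits contacts, the median gap between connections is
    included: a near-constant interval is a beaconing hint worth triaging first."""
    findings = []
    for host, times in sorted(pubnub_contacts_by_host(log_text).items()):
        if host in allowlist:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({
            "host": host,
            "contacts": len(times),
            "median_interval_s": median(gaps) if len(times) >= min_hits else None,
        })
    return findings
```

Feeding the sample log with `{"chat-gateway-01"}` as the allowlist reports host-finance-07 (four contacts, 30 s apart) and host-hr-02 (one contact, no interval).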
The researchers attributed the operation to a ScarCruft subgroup, ChinopuNK, which has previously distributed Chinotto malware capable of exfiltrating system information and supporting attacks on both Windows and Android systems. In the latest campaign, the hackers used a new variant of the malware that S2W dubbed ChillyChino.
The researchers said they were highly confident the campaign was carried out by ScarCruft, citing the use of PubNub for C2 communications and the deployment of FadeStealer — malware linked to the group since at least 2023 that can record audio, log keystrokes, and gather data on connected portable and removable devices.
Allegedly operating within North Korea’s Ministry of State Security, ScarCruft is one of the country’s most active hacking units, known for using social engineering tactics to trick victims into opening malicious files.
In a campaign in May, the hackers impersonated a North Korea-focused expert and a think tank to lure victims into opening phishing emails. Last year, the group targeted media organizations and high-profile academics to “gather strategic intelligence” that could “contribute to North Korea’s decision-making processes,” researchers said at the time.
While it is not clear what the recent deployment of ransomware means for ScarCruft’s overall strategy, North Korean state-linked hackers are often involved in financially motivated attacks intended to help fund the heavily sanctioned regime.
In a report last year, the United Nations said it was investigating nearly 60 cyberattacks allegedly conducted by North Korean hackers — including groups tracked as Kimsuky, Lazarus, Andariel and BlueNoroff — that enabled them to steal about $3 billion over a six-year span.
“The key tasks of these cyberthreat actors are to obtain information of value to the Democratic People’s Republic of Korea and to illicitly generate revenue for the country,” the U.N. experts said, echoing accusations by the U.S. government and other international authorities.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.