Ethical Hacking News
ScarCruft's Operation HanKook Phantom: A Cyber Warfare Campaign Targeting South Korean Academics
A recent phishing campaign by the North Korea-linked hacking group ScarCruft has been identified, targeting individuals associated with the National Intelligence Research Association. The operation uses spear-phishing, fileless malware execution, and covert exfiltration mechanisms to steal sensitive information and conduct espionage.
Risk alert: Researchers from Seqrite Labs have identified a sophisticated phishing campaign by North Korea-linked hacking group ScarCruft (APT37) targeting South Korean academics, researchers, and former government officials. The operation, codenamed Operation HanKook Phantom, uses spear-phishing tactics with customized emails that appear to be from legitimate sources. The attackers aim to steal sensitive information, establish persistence, or conduct espionage using RokRAT malware. The malware collects system info, executes arbitrary commands, and captures screenshots before exfiltrating data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. A second campaign uses a PowerShell script to deploy a dropper that steals sensitive data while concealing network traffic as a Chrome file upload.
In a recent development that has sent shockwaves throughout the cybersecurity community, researchers from Seqrite Labs have identified a sophisticated phishing campaign undertaken by North Korea-linked hacking group ScarCruft (also known as APT37). The operation, codenamed Operation HanKook Phantom, appears to be targeting individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers.
According to security researcher Dixit Panchal, the attackers likely aim to steal sensitive information, establish persistence, or conduct espionage. The campaign is notable for its use of spear-phishing tactics, where a targeted individual receives a customized email that appears to be from a legitimate source, such as a newsletter or an official statement.
The starting point of the attack chain is a spear-phishing email containing a lure for "National Intelligence Research Society Newsletter—Issue 52," which is a periodic newsletter issued by a South Korean research group focused on national intelligence, labour relations, security, and energy issues. The email contains a ZIP archive attachment that contains a Windows shortcut (LNK) masquerading as a PDF document.
When the victim opens the attachment, it launches the newsletter as a decoy while dropping RokRAT, a known malware associated with APT37. RokRAT is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. The gathered data is exfiltrated via Dropbox, Google Cloud, pCloud, and Yandex Cloud.
Seqrite Labs has detected a second campaign in which the LNK file serves as a conduit for a PowerShell script that runs an obfuscated Windows batch script responsible for deploying a dropper. The binary then runs a next-stage payload to steal sensitive data from the compromised host while concealing network traffic as a Chrome file upload.
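The attack chain above begins with a ZIP attachment carrying a Windows shortcut dressed up as a PDF. The following Python script is an added example written for this article (not Seqrite's or the article's own code) showing how a mail gateway or sandbox can flag such archives by checking the ShellLink header bytes rather than trusting file extensions; the member names and the double-extension naming pattern are constructed assumptions, since the article does not give the real lure's file name.

```python
import io
import zipfile

# Windows shortcut (.lnk) files begin with a fixed header size (0x4C, little
# endian) followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}
# in little-endian byte order. Matching these 20 bytes catches a shortcut no
# matter what name or extension the sender gave it.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a reader would expect on a document-style lure (assumed list).
DOC_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".txt")


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes match the ShellLink header."""
    return data[:20] == LNK_MAGIC


def looks_like_document(name: str) -> bool:
    """True if a document extension precedes the real extension, e.g.
    'Newsletter_Issue52.pdf.lnk', or is padded with spaces to hide '.lnk'."""
    stem = name.lower().rsplit(".", 1)[0]  # drop the real extension
    return any(stem.rstrip().endswith(ext) for ext in DOC_EXTS)


def scan_zip_attachment(blob: bytes) -> list:
    """Return (member name, reason) for every shortcut file in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)
            if is_lnk(head):
                reason = ("lnk masquerading as document"
                          if looks_like_document(info.filename)
                          else "lnk in archive")
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: a fake .lnk carrying a real ShellLink header
    plus a benign text file; no actual shortcut payload is included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter_Issue52.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample_zip()):
        print(f"BLOCK {name}: {reason}")
```

Header matching also covers shortcuts whose extension was renamed entirely, which a name-only filter would miss.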
The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms. The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage.
It is worth noting that this development comes as cybersecurity company QiAnXin detailed attacks mounted by the infamous Lazarus Group using ClickFix-style tactics to trick job seekers into downloading a supposed NVIDIA-related update that claims to fix camera or microphone issues during a video assessment. The ClickFix lure results in the execution of a Visual Basic Script that leads to the deployment of BeaverTail, a JavaScript stealer that can also deliver a Python-based backdoor dubbed InvisibleFerret.
Furthermore, the disclosure follows new sanctions imposed by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime's weapons of mass destruction and ballistic missile programs.
The Chollima Group, in a report released last week, detailed its investigation into an IT Worker cluster affiliated with Moonstone Sleet that it tracks as BABYLONGROUP in connection with a blockchain play-to-earn (P2E) game called DefiTankLand. It is assessed that Logan King, the supposed CTO of DefiTankLand, is actually a North Korean IT Worker, bolstered by the fact that King's GitHub account has been used as a reference by a Ukrainian freelancer and blockchain developer named "Ivan Kovch."
Taken together, these investigations show how North Korea-linked actors continue to rely on highly tailored attacks: spear-phishing, malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms.
In conclusion, ScarCruft's Operation HanKook Phantom represents a significant escalation in North Korea-linked hacking campaigns against South Korean academics and researchers. The campaign stands out for its tailor-made lures and its combination of spear-phishing, fileless malware execution, and covert exfiltration to steal sensitive information and conduct espionage.
Related Information:
https://www.ethicalhackingnews.com/articles/ScarCrufts-Operation-HanKook-Phantom-A-Cyber-Warfare-Campaign-Targeting-South-Korean-Academics-ehn.shtml
https://thehackernews.com/2025/09/scarcruft-uses-rokrat-malware-in.html
Published: Mon Sep 1 08:05:28 2025 by llama3.2 3B Q4_K_M