#apt37 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #apt37, aggregated by home.social.
-
Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.
Pulse ID: 6a04a9a090a64de310cb0568
Pulse Link: https://otx.alienvault.com/pulse/6a04a9a090a64de310cb0568
Pulse Author: AlienVault
Created: 2026-05-13 16:41:04
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #BackDoor #CyberSecurity #Email #InfoSec #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteCommandExecution #SpearPhishing #bot #AlienVault
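A triage check for the disguise described in this pulse, added here as an example and not code from the report: Python bytecode keeps its .pyc header whatever extension it is given, while a genuine Windows catalog (.cat) file is DER-encoded PKCS#7, so a four-byte read tells them apart. The sample directory is constructed inline; the magic-number range is a heuristic assumption that covers CPython 3.x builds.

```python
"""Flag files that carry a .cat extension but start with a CPython .pyc header.

Added triage example; the sample tree is constructed, not campaign artefacts.
"""
import os
import py_compile
import struct
import tempfile

# A genuine security catalog is a DER SEQUENCE (first byte 0x30) and never has
# b"\r\n" at offset 2. A CPython .pyc begins with a 2-byte little-endian
# version magic followed by b"\r\n". Assumption: the range below is a
# heuristic for CPython 3.x magics; widen it if you also hunt 2.x bytecode.
PYC_MAGIC_RANGE = range(3000, 4000)


def looks_like_pyc(header: bytes) -> bool:
    """Return True if the first 4 bytes match the CPython .pyc magic layout."""
    if len(header) < 4 or header[2:4] != b"\r\n":
        return False
    magic = struct.unpack("<H", header[:2])[0]
    return magic in PYC_MAGIC_RANGE


def find_disguised_pyc(root: str, ext: str = ".cat") -> list[str]:
    """Walk *root* and return paths of *ext* files whose header is really .pyc."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if looks_like_pyc(fh.read(4)):
                    hits.append(path)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed directory: one catalog-shaped .cat, one .pyc renamed to .cat."""
    root = tempfile.mkdtemp(prefix="cat_triage_")
    # Stand-in for a legitimate catalog: DER SEQUENCE header plus padding.
    with open(os.path.join(root, "driver.cat"), "wb") as fh:
        fh.write(b"\x30\x82\x01\x00" + b"\x00" * 60)
    # Benign script compiled by the running interpreter straight to a .cat
    # path, mimicking the extension disguise described in the pulse.
    src = os.path.join(root, "stage.py")
    with open(src, "w") as fh:
        fh.write("print('hello')\n")
    py_compile.compile(src, cfile=os.path.join(root, "update.cat"), doraise=True)
    os.remove(src)
    return root


if __name__ == "__main__":
    for hit in find_disguised_pyc(build_sample_tree()):
        print("python bytecode disguised as .cat:", hit)
```

Point it at user-writable locations (Temp, AppData, ProgramData) rather than System32, where legitimate catalogs live, and pair any hit with a look at which scheduled task references the file.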
-
APT37 Targets Android Devices with BirdCall Malware
Pulse ID: 69fba09cc8c1a2797734624e
Pulse Link: https://otx.alienvault.com/pulse/69fba09cc8c1a2797734624e
Pulse Author: cryptocti
Created: 2026-05-06 20:12:12
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #Android #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #bot #cryptocti
-
📰 North Korean APT ScarCruft Hits Gaming Platform in Supply-Chain Attack
North Korean APT ScarCruft (APT37) targets gamers in a supply-chain attack, compromising a gaming site to distribute Android spyware. The 'BirdCall' backdoor spies on ethnic Koreans in China. 🕵️♂️ #APT37 #ScarCruft #CyberSecurity #Android
-
ScarCruft APT Exploits Yanbian Gaming Platform for Intelligence Gathering
Meet ScarCruft, a notorious North Korea-aligned espionage group that's been caught exploiting a popular gaming platform in China to gather intel on its users. The group trojanized a site serving traditional Yanbian-themed games, compromising both Windows and Android software.
-
ScarCruft hackers deploy BirdCall malware via gaming platform.
North Korean hackers APT37, also known as ScarCruft, have cleverly expanded their BirdCall malware to target Android devices, adapting their Windows backdoor to spy on mobile users. They even used a popular gaming platform to sneak the malware onto unsuspecting devices.
#Apt37 #Scarcruft #RicochetChollima #BirdcallMalware #AndroidSpyware
-
AI-Assisted Code Targets Crypto Wallets via Malicious npm Dependency
Researchers have uncovered a sneaky malicious npm campaign, dubbed PromptMink, linked to North Korean hackers Famous Chollima, which targets crypto developers with fake utility packages that secretly steal sensitive info and funds. The campaign's clever tactics even involve an AI-assisted code commit to fly under the radar.
#MaliciousNpmDependency #AiassistedCode #CryptoWallets #FamousChollima #Apt37
-
Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks
APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.
Pulse ID: 69de00eccc0fa8439b871c56
Pulse Link: https://otx.alienvault.com/pulse/69de00eccc0fa8439b871c56
Pulse Author: AlienVault
Created: 2026-04-14 08:55:08
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APT37 #CyberSecurity #Encryption #Facebook #ICS #InfoSec #Japan #Korea #Malware #Military #NorthKorea #OTX #OpenThreatExchange #PDF #RAT #Rust #ShellCode #SocialEngineering #Telegram #bot #AlienVault
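A correlation rule for two of the behaviours named in this pulse, dism.exe used as a hollowing host and C2 over a cloud-storage API, added here as an example rather than code from the report. The events are constructed in a Sysmon-like shape (field names after Event ID 1 and 3 are an assumption, not a capture), the parent allowlist is an assumption to tune per estate, and the installer name and destination hostname are illustrative.

```python
"""Correlate process-creation and network events to spot a hollowed dism.exe.

Added example; SAMPLE_EVENTS is constructed, not a real capture.
"""
import json
from collections import defaultdict

# Parents that legitimately launch dism.exe on a managed workstation.
# Assumption: tune for your servicing stack, MDM agents and admin shells.
EXPECTED_DISM_PARENTS = {
    "svchost.exe", "tiworker.exe", "dismhost.exe", "pkgmgr.exe",
    "ccmexec.exe", "cmd.exe", "powershell.exe", "dism.exe",
}

# Constructed Sysmon-like records: a benign servicing launch, a dism.exe
# spawned by a Downloads-folder installer that then talks to a storage API,
# and a browser reaching the same host (expected, so it must not fire).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessGuid": "A1", "Image": "C:\\Windows\\System32\\Dism.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "ProcessGuid": "B2", "Image": "C:\\Windows\\System32\\Dism.exe",
     "ParentImage": "C:\\Users\\j.kim\\Downloads\\pdfelement-setup.exe", "User": "WS01\\j.kim"},
    {"EventID": 3, "ProcessGuid": "B2", "Image": "C:\\Windows\\System32\\Dism.exe",
     "DestinationHostname": "workdrive.zoho.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "C3", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "WS01\\j.kim"},
    {"EventID": 3, "ProcessGuid": "C3", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "workdrive.zoho.com", "DestinationPort": 443},
])


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hollowed_dism(jsonl: str) -> list[dict]:
    """Return findings for dism.exe processes with odd parents or any network use.

    A servicing tool has no reason to hold outbound sockets; combined with a
    parent outside the allowlist, that is the behavioural residue of hollowing.
    """
    procs = {}
    conns = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 3:
            conns[ev["ProcessGuid"]].append(ev)

    findings = []
    for guid, ev in procs.items():
        if basename(ev["Image"]) != "dism.exe":
            continue
        reasons = []
        parent = basename(ev["ParentImage"])
        if parent not in EXPECTED_DISM_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        dests = [c["DestinationHostname"] for c in conns.get(guid, [])]
        if dests:
            reasons.append("network activity to " + ", ".join(dests))
        if reasons:
            findings.append({"guid": guid, "user": ev["User"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_hollowed_dism(SAMPLE_EVENTS):
        print(finding)
```

Hollowing itself is better caught by memory or image-load telemetry; what this rule catches is the residue the pulse describes, a servicing binary launched from an installer that then reaches a storage API it has no business reaching. Browsers and sync clients hitting the same host are expected and are not flagged.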
-
APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks
#APT37
https://www.genians.co.kr/en/blog/threat_intelligence/pretexting
-
APT37 Adds New Capabilities for Air-Gapped Networks
#APT37 #RESTLEAF #SNAKEDROPPER #THUMBSBD #VIRUSTASK #BLUELIGHT
https://threatlabz.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks
-
APT37’s Ruby Jumper campaign demonstrates a mature approach to air-gap traversal.
Observed tradecraft includes:
• LNK-based initial execution
• Embedded PowerShell payload extraction
• Ruby interpreter abuse (v3.3.0)
• Scheduled task persistence (5-minute interval)
• USB-based covert bidirectional C2
• Multi-stage backdoor deployment
Toolset: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, BLUELIGHT.
The removable media relay model enables:
– Command staging offline
– Data exfiltration without internet access
– Lateral spread across isolated systems
– Surveillance via Windows spyware
This reinforces a critical point:
Air-gap controls must extend beyond physical disconnection — including USB governance, device auditing, behavioral monitoring, and strict runtime execution policies.
Are critical infrastructure operators prepared for USB-mediated C2 relays?
Engage below.
Follow TechNadu for high-signal threat intelligence insights.
Repost to elevate awareness.
#Infosec #APT37 #AirGapSecurity #ThreatModeling #MalwareAnalysis #NationStateThreats #USBExfiltration #SOC #DetectionEngineering #CyberDefense #OperationalSecurity #ThreatHunting #ZeroTrustArchitecture
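A scheduled-task sweep that covers both the one-minute Python task in the OTX pulse at the top of this page and the five-minute Ruby task listed in this post, added as an example and not code from either report. The input is constructed in the shape of `schtasks /query /fo CSV /v` output; only the columns the parser reads are present (assumption: the column names and the "H Hour(s), M Minute(s)" repeat format follow that export, and real exports carry many more columns, which the header-keyed parser ignores). The interpreter and path lists are assumptions to tune.

```python
"""Sweep scheduled tasks for short repeat intervals that launch script interpreters.

Added example; SAMPLE_CSV is constructed in the shape of `schtasks /query /fo CSV /v`.
"""
import csv
import io
import re

# Interpreters a staged task tends to wrap (assumption: extend per estate).
INTERPRETERS = ("python", "ruby", "powershell", "pwsh", "wscript",
                "cscript", "mshta", "cmd.exe")
# Path fragments meaning the binary or script lives somewhere a user can write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Assumption: repeat interval is rendered as "H Hour(s), M Minute(s)" or "N/A".
REPEAT_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")

# Constructed sample: a servicing task, a 1-minute Python task out of Temp,
# a 5-minute Ruby task out of ProgramData, and an hourly vendor backup job.
SAMPLE_CSV = (
    '"TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly","N/A"\n'
    '"\\OneDriveSync","C:\\Users\\j.kim\\AppData\\Local\\Temp\\py\\pythonw.exe C:\\Users\\j.kim\\AppData\\Local\\Temp\\py\\update.cat","j.kim","Daily","0 Hour(s), 1 Minute(s)"\n'
    '"\\SystemCheck","C:\\ProgramData\\rb\\bin\\ruby.exe C:\\ProgramData\\rb\\run.rb","j.kim","Daily","0 Hour(s), 5 Minute(s)"\n'
    '"\\BackupJob","C:\\Program Files\\Backup\\backup.exe","SYSTEM","Daily","1 Hour(s), 0 Minute(s)"\n'
)


def repeat_minutes(value: str):
    """Parse the 'Repeat: Every' column into minutes; None when the task does not repeat."""
    m = REPEAT_RE.search(value or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def triage_tasks(csv_text: str, max_minutes: int = 5) -> list[dict]:
    """Return tasks repeating at or under *max_minutes* that look like staged persistence."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        minutes = repeat_minutes(row.get("Repeat: Every", ""))
        if minutes is None or minutes > max_minutes:
            continue
        cmd = row.get("Task To Run", "").lower()
        reasons = []
        if any(name in cmd for name in INTERPRETERS):
            reasons.append("script interpreter")
        if any(frag in cmd for frag in USER_WRITABLE):
            reasons.append("user-writable path")
        if reasons:
            findings.append({
                "task": row["TaskName"],
                "every_min": minutes,
                "user": row.get("Run As User", ""),
                "command": row["Task To Run"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_CSV):
        print(finding)
```

On a real host, feed it the output of `schtasks /query /fo CSV /v` and treat any hit running as an interactive user from Temp, AppData or ProgramData as a candidate for pulling the referenced script and the task XML under `C:\Windows\System32\Tasks`.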
-
Hackers Use KakaoTalk and Google Find Hub in Android Spyware Attack https://hackread.com/hackers-kakaotalk-google-find-hub-android-spyware/ #ScamsandFraud #Cybersecurity #GoogleFundHub #CyberAttack #NorthKorea #SouthKorea #KakaoTalk #Security #Android #Malware #Kimsuky #APT37 #Konni
-
North Korean hackers are using Google’s own tools to remotely wipe Android devices and hijack messaging apps. Think your account is safe? Dive into how a single breach can trigger a digital meltdown.
#konni
#apt37
#cyberespionage
#androidsecurity
#googlefindhub
#malware
#northkorea
#spearphishing
#infosec
-
North Korea’s ScarCruft Targets Academics With RokRAT Malware – Source:hackread.com https://ciso2ciso.com/north-koreas-scarcruft-targets-academics-with-rokrat-malware-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #HanKookPhantom #cybersecurity #CyberAttack #NorthKorea #ScarCruft #Hackread #Phishing #security #malware #RokRAT #APT37
-
North Korea’s ScarCruft Targets Academics With RokRAT Malware https://hackread.com/north-korea-scarcruft-target-academics-rokrat-malware/ #HanKookPhantom #Cybersecurity #CyberAttack #NorthKorea #ScarCruft #Security #Phishing #Malware #RokRAT #APT37
-
North Korea’s APT37 deploys RokRAT in new phishing campaign against academics – Source: securityaffairs.com https://ciso2ciso.com/north-koreas-apt37-deploys-rokrat-in-new-phishing-campaign-against-academics-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #OperationHanKookPhantom #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #SecurityNews #hackingnews #Security #hacking #Malware #APT37 #APT
-
Lookout Discovers New Spyware by North Korean APT37
#KoSpy #APT37
https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37
-
North Korean APT Exploited IE Zero-Day in Supply Chain Attack – Source: www.securityweek.com https://ciso2ciso.com/north-korean-apt-exploited-ie-zero-day-in-supply-chain-attack-source-www-securityweek-com/ #rssfeedpostgeneratorecho #SupplyChainSecurity #CyberSecurityNews #internetexplorer #securityweekcom #securityweek #NorthKorea #FEATURED #zeroday #APT37
-
Happy Friday everyone!
It's always a good morning when you get news of some new MITRE ATT&CK Tactics, Techniques, or Sub-techniques! Nate Nelson highlights the new additions and discusses how #APT37 and #APT41 are adopting the techniques in recent attacks! Enjoy and Happy Hunting!
DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting! #readoftheday
-
Took a look back at some of North Korea's #ROKRAT malware payload delivery mechanisms in my latest blog post:
-
Happy Tuesday everyone!
#APT37, aka #ScarCruft, is at it again! SentinelOne researchers noticed that they are targeting media organizations and others that are associated with North Korean affairs. The group leverages .LNK files, zip files, and phishing emails.
I found this article most interesting because of the multiple types of file formats that were used, to include .bat and .dat files, involved in the campaign. They also use a custom backdoor known as #RokRat to aid in their attack. This is a great article and worth the time! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs and Behaviors:
TA0001 - Initial Access
T1566.001 - Phishing: Spearphishing Attachment
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1204.001 - User Execution: Malicious Link
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
NEW research on my blog!
The evolution of North Korean threat group #APT37's Android spyware: #ROKRAT & #RambleOn
In this research I perform a comparative analysis between ROKRAT & RambleOn, North Korean threat group APT37's Android malware.
Link: https://www.0x0v1.com/the-evolution-of-apt37s-rokrat-rambleon-android-spyware/
#threatintel #apt #reverseengineering #malware #spyware #northkorea
-
In revisiting some old #APT37 samples, I wanted to take a look back at the #GOLDBACKDOOR dropper. Which actively targeted civil society & journalists based in South Korea.
Here's in my reverse engineering analysis, I deep dive into this older malware campaign by the North Korean threat group.
This is part of my project REarchive, where I look at historic APT campaigns that haven't been covered much publicly. Read here:
https://www.0x0v1.com/rearchive-goldbackdoor/
-
The North Korean state-sponsored hacker group #ScarCruft (#APT37) has hacked the IT infrastructure and e-mail server of NPO Mashinostroyeniya.
NPO Mashinostroyeniya is a Russian designer and manufacturer of orbital vehicles, spacecraft, and tactical defensive and offensive missiles used by the Russian and Indian armed forces.
-
Just uploaded my #APT37 #ROKRAT shellcode decrypter script to my github. Hope this helps malware researchers out there
https://github.com/0x0v1/MalwareRETools/tree/main/APT37/ROKRAT
-
I just published a script that will assist malware researchers looking at #APT37's #ROKRAT to decode the PS reflection portion of the loader phase. It gives analysts the option to pull shellcode from the payload delivery host quickly for timely analysis.
https://github.com/0x0v1/MalwareRETools/tree/main/APT37/ROKRAT
I will later publish a script to deencrypt the shellcode for analysis - just need to clean a few things up in it.
-
Happy Tuesday everyone! #APT37 is the topic of today's #readoftheday, specifically ThreatMon takes a deep-dive into the #RokRat malware, which is a remote access trojan (RAT). Enjoy and Happy Hunting!
Link to article in the comments!
***AS usual I am going to leave one of the MITRE ATT&CK blank. I would like to see if any of you that see this can help FILL in that blank! If so, leave your thoughts in the comments OR send me a DM!***
Notable MITRE ATT&CK TTPs:
TA0007 - Discovery
T1087 - Account Discovery
T1083 - File and Directory Discovery
T1018 - Remote System Discovery
T1082 - System Information Discovery
TA0009 - Collection
T[What technique covers the threat actor capturing information under the TEMP folder?] - Good luck!
TA0011 - Command And Control
T1071.001 - Application Layer Protocol: Web Protocols
TA0002 - Execution
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
-
#GoogleTAG continues to observe exploitation of CVE-2022-41128, a vulnerability in Internet Explorer, by #APT37 a North Korean threat actor group.
#CTI #ThreatIntel #Infosec
-
South Korean researchers (Genians) report that APT37 is abusing Google Find Hub to track victims and remotely wipe Android devices.
The attackers use phished Google credentials to access legitimate Find Hub functions - no exploit involved.
Google has confirmed this and advises enabling 2-Step Verification or passkeys.
Credential security remains the weakest link in most modern attacks.
#CyberSecurity #APT37 #GoogleFindHub #ThreatIntel #AndroidSecurity #InfoSec #MalwareAnalysis #Kimsuky #TechNadu
-
Asec: RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release https://asec.ahnlab.com/en/56857/ #MalwareInformation #ScarCruft #backdoor #RedEyes #APT37 #chm