{
	"id": "747f97af-df34-4484-a0f7-af5542f03f6e",
	"created_at": "2026-04-06T00:14:22.425242Z",
	"updated_at": "2026-04-10T03:38:06.336153Z",
	"deleted_at": null,
	"sha1_hash": "3e237c8f9ee084bf7a28b9a47f018839bb3b9018",
	"title": "Scarcruft Bolsters Arsenal for targeting individual Android devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2850586,
	"plain_text": "Scarcruft Bolsters Arsenal for targeting individual Android devices\r\nBy S2W\r\nPublished: 2023-03-27 · Archived: 2026-04-05 19:58:37 UTC\r\nAuthor: BLKSMTH | S2W TALON\r\nLast Modified: Mar 23, 2023\r\nExecutive Summary\r\nAccording to an analysis report published by InterLab in December 2022, a South Korean journalist received a message requesting a conversation via the WeChat messenger, and the requester instructed the journalist to install a malicious APK file disguised as a messenger called \"Fizzle.apk\". InterLab named the malicious APK \"RambleOn\".\r\nWe found features and code similar to the mobile version of the ROKRAT malware that the Scarcruft group has been using since 2017.\r\nhttps://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab\r\nPage 1 of 23\n\nIn tracking the Scarcruft group, researchers in S2W's Talon team identified additional samples that perform functions similar to those disclosed in that report, with significant upgrades over previous releases.\r\nScarcruft is strongly believed to gain initial access by contacting individuals directly via messengers, as in this case, to trick them into installing a malicious APK disguised as a legitimate app.\r\nS2W Talon named the malware \"Cumulus\", in reference to past samples similar to the type disclosed by InterLab, and named the plugin used by Cumulus \"Clugin\".\r\nThere are three types of Cumulus, depending on whether the Clugin is downloaded and on the messaging service used.\r\nWe observed that the Scarcruft group updated the malware's functionality and installed China-specific applications on test devices, suggesting that it targets Chinese-speaking users and users of Chinese-manufactured mobile devices.\r\nIntroduction\r\nThe Scarcruft group (aka APT37), a North Korean APT group, is believed to 
have been active since 2016 and has continued to attack institutions and political organizations around the world into 2023. In April 2017, the Cisco Talos team disclosed the Scarcruft group's proprietary tool, ROKRAT, a malware that the group has continuously modified and used to this day. Initially only a Windows version of ROKRAT was used, but an Android version of the malware was later identified.\r\nAccording to a report published by the Financial Security Institute (FSI), the Scarcruft group conducted an attack in mid-2017 that distributed malicious APKs to specific devices through a watering hole attack. At the end of 2017, the group also carried out a campaign targeting officials of North Korean human rights organizations and journalists from North Korean media outlets, inducing them to install malicious APKs through KakaoTalk, the most popular messenger in South Korea. Malicious APKs were also distributed by contacting targets through Facebook and by uploading APKs to the Google Play Store. The malicious apps were all identified as mobile versions of ROKRAT.\r\nReference: [FSI] Threat Intelligence Report - Campaign DOKKAEBI\r\nAccording to an analysis report published by InterLab in December 2022, during a conversation with a South Korean journalist via the WeChat messenger, the Scarcruft group convinced him to install a malicious APK file disguised as a messenger called \"Fizzle.apk\", claiming that sensitive files could not be sent via WeChat. InterLab named the malicious APK \"RambleOn\", but analysis of the APK revealed similarities to the Scarcruft group's ROKRAT mobile version. 
Unlike in the past, the APK can receive data from the attacker via a messaging service called Pushy.\r\nFollowing the Scarcruft group's trail, Talon, S2W's threat research and intelligence center, identified additional samples that perform functions similar to the published sample. They have functionality similar to the malicious APKs released in 2017, but unlike in the past, the ability to use messaging services has been added. We also found that these APKs have been continuously updated to date. S2W Talon named the malicious APKs \"Cumulus\" and the plugin modules used by Cumulus \"Clugin\".\r\nIn this report, we further categorize the identified Cumulus samples by type and describe the attacker's TTPs and strategy based on our detailed analysis.\r\nOverview of Cumulus Types\r\nCumulus (aka RambleOn) has been used by the Scarcruft APT group since at least 2019 to target Android devices. The group has been using a mobile version of the ROKRAT malware since at least 2017, and S2W Talon separately classifies Cumulus as a variant of the existing ROKRAT mobile malware with messaging capabilities such as FCM or Pushy added. Cumulus is usually distributed disguised as a legitimate mobile application, such as a coin miner, image viewer, or messenger. Although we could not obtain more samples, we have also seen it distributed under the package names \"com.personal.info\", \"com.sec.mishat\", and \"com.data.person\". Based on the types of applications Cumulus disguises itself as, we suspect that it is distributed directly to individuals via messengers, as in the RambleOn case.\r\nTable 1. 
Types of Cumulus\r\nAfter obtaining additional Cumulus samples disguised as legitimate applications and analyzing them, we were able to categorize them into the three types shown below. Types B and C download a separate plugin and perform their main actions in the plugin, which is why we named the plugin downloaded by Cumulus \"Clugin\".\r\nTable 2. Type Classification\r\nClugin: Plugin that Cumulus downloads from the cloud and that is responsible for information theft.\r\nCommand: Configuration file that a Clugin or Cumulus downloads from the cloud to execute commands.\r\nCallRecorder: An additional DEX file that the Clugin or Cumulus downloads from the cloud to perform call recording.\r\nType A downloads and loads the Command file, which contains the configuration information needed to perform the malicious behavior, and the CallRecorder from the cloud. It then uploads the infected device information and internal files to the cloud. It receives separate messages from the attacker via FCM.\r\nType B downloads the Clugin from the cloud. The Clugin takes over the functions of Cumulus, downloads the Command file and CallRecorder, and steals and uploads information to the cloud. Compared to Type A, the introduction of the Clugin modularizes Type B by function and gives it stable persistence and a malware update function. Like Type A, Type B receives separate messages through FCM.\r\nTEST appears to be used by the attacker for testing before an attack; it uploads the infected device information and internal files to the cloud without downloading any additional files. 
Cumulus samples used in real-world attacks use abbreviations for the cloud upload path of each exfiltrated data type, but in TEST the full word is used for ease of identification during testing.\r\nType C has most of the same features as Type B, but uploads the Device Token to the cloud instead of the Firebase Database and receives messages from the attacker via Pushy.\r\nFCM is the message-delivery service within Firebase and was also used in the mobile malware of the Kimsuky group that we disclosed last year. The difference is that here the Device Token is sent to the cloud storage or to a legitimate Firebase database rather than to an attacker's C\u0026C server. Pushy, used in the most recent version, is a separate third-party service that provides functionality similar to FCM.\r\nTimeLine\r\nFigure 1. Full Timeline for Cumulus\r\nClugin appears to have been uploaded to Yandex Cloud and distributed since at least September 2021. Although we do not have an exact creation date for the Yandex Cloud account, we believe that Clugin distribution began around that time. The pCloud account was subsequently created in October 2021, but the earliest data exfiltration we identified dates from March 2022. Given that Type B was distributed in March 2022, we believe that the attacker began distributing Clugin via pCloud in a similar way. The attacker appears to have initially distributed Clugin through Yandex Cloud and then, starting in March, configured the malware to communicate with pCloud on initial infection and only with Yandex Cloud when passing a separate command. TEST is believed to be a test version built to introduce this. 
The Scarcruft group appears to have set the OAuth token for pCloud communication differently for each distributed APK, but kept the OAuth token for Yandex Cloud relatively unchanged.\r\n1. Behavior flow for Type A\r\nAfter infection, Type A registers a job with JobScheduler to periodically execute the main malicious behavior. It then downloads a Command file from Yandex Cloud and steals information as specified in the Command file. It additionally downloads and loads a CallRecorder, which records calls and saves them to files.\r\nThe collected device information and internal files are uploaded to Yandex Cloud, and the device token for FCM communication is uploaded as well, allowing the attacker to obtain the Device Token of the infected device from Yandex Cloud. The attacker can use the obtained Device Token to send a message to the infected device via FCM; on receiving the message, Cumulus checks whether the job that performs the malicious behavior is registered in JobScheduler and registers it if it is not.\r\nFigure 2. Execution flow of Type A\r\n2. Behavior flow for Type B\r\nIn Type B, Cumulus downloads the Clugin from the cloud, and the Clugin then downloads the CallRecorder and steals the infected device information and internal files. In addition, Type B receives messages via FCM, which adds update functions such as changing the cloud storage and changing the OAuth Token.\r\nWhen executed, Type B first sends the Device Token to the Firebase Database. Using the sent token, the attacker passes the OAuth Token and the cloud REST API endpoint through FCM, which is presumably used to download the Clugin from the cloud. 
At the time of analysis we were unable to obtain actual data from FCM, but based on the internal code of Type B we believe that the Clugin is downloaded from Yandex Cloud.\r\nFigure 3. Execution flow of Type B\r\n3. Behavior flow for TEST\r\nIn the case of TEST, when the APK is executed it steals infected device information, SMS, contacts, internal files, and recordings and uploads them to pCloud. Although TEST includes a Yandex Cloud OAuth Token, it actually uses only the pCloud OAuth Token initialized within the pCloud SDK class and does not use the Yandex token. In addition, there is no function to send the Device Token separately, so we assume that TEST is for testing purposes only. The string \"test-pi-d9b7e\" is used in the code to initialize Firebase functionality, and the functionality is incomplete compared to the other types, suggesting that the attacker used this type for testing.\r\nFigure 4. Execution flow of TEST\r\n4. Behavior flow for Type C\r\nIn Type C the attacker sends messages to Cumulus via a third-party messaging service called Pushy rather than FCM. Type C has both pCloud and Yandex OAuth Token values hardcoded, and the attacker can update the type of cloud service and the OAuth Token via Pushy.\r\nFigure 5. 
Execution flow of Type C\r\nDetailed Analysis\r\nWe conducted a detailed analysis of a messenger-impersonating APK called \"Fizzle\" (named RambleOn by InterLab) and Clugin version 6.0, which is classified as Type C. Below is the entire execution process of a Type C Cumulus.\r\nFigure 6. The communication scenario of Cumulus\r\nStage 1: Cumulus (Fizzle.apk)\r\n1. Status in SharedPreferences\r\nCumulus manages its status in SharedPreferences and references it to perform its malicious behavior. The UUID or TID in the status is used as an ID to identify the infected device. Initially it uses the UUID, but if it subsequently receives a message from the attacker via Pushy, it switches the ID to the TID contained in the message. It stores the Device Token for receiving Pushy messages in PUSHYT and sets CLOUD to P to communicate with pCloud. The OAuth Token required for cloud communication is stored in PRIMARY_ACCESSTOKEN. The Clugin version is stored in VERSION and used to request the plugin{VERSION} file from the cloud, and download success is recorded as 1 or 0 in PLUGINDEXDOWN{VERSION}. CLOUD supports only P (pCloud) and Y (Yandex) and is set to P on the first run.\r\nTable 3. Values in status\r\n2. Download Clugin from Cloud\r\nCumulus references the status to download the Clugin in DEX form from the cloud service. 
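\r\nThe Python below is an added example, not code from the S2W report or from the malware itself. It models the SharedPreferences-backed status of Table 3, the switch of the device identifier from UUID to TID after a Pushy message, the cloud and on-device plugin{VERSION} paths, and, looking ahead to Stage 2, the parsing of Command file lines in the {Type} : {Key} : {Value} format into the same store, with the CMD thresholds deciding what runs. The following are assumptions and not from the report: the type tags I and S, the first directory of the Clugin cloud path following the CLOUD value, the TID replacing the UUID in the Command file path once set, and AR and SDPATH acting as the flags for audio recording and file collection. All inputs are constructed.

```python
# Added example (not S2W's code and not the malware's code): a model of the
# SharedPreferences-driven control flow described for Cumulus and Clugin.
# Key names (UUID, TID, PUSHYT, CLOUD, PRIMARY_ACCESSTOKEN, VERSION,
# PLUGINDEXDOWN{VERSION}, CMD, AR, SDPATH) come from the report; the type
# tags I/S and the meaning of AR/SDPATH are assumptions.

CLOUDS = {'P': 'pCloud', 'Y': 'Yandex'}   # the only two values CLOUD supports


def initial_status(uuid, pushy_token, access_token, version):
    # State as written on the first run: UUID identifies the device, CLOUD is P.
    return {
        'UUID': uuid,
        'TID': '',
        'PUSHYT': pushy_token,
        'CLOUD': 'P',
        'PRIMARY_ACCESSTOKEN': access_token,
        'VERSION': version,
        'PLUGINDEXDOWN' + version: 0,     # 1 once plugin{VERSION} is downloaded
    }


def device_id(status):
    # UUID on the first run; TID once a Pushy message has supplied one.
    return status['TID'] or status['UUID']


def clugin_cloud_path(status):
    # First-run path in the report is /P/plugin{VERSION}; the leading directory
    # following the CLOUD value is an assumption of this example.
    return '/' + status['CLOUD'] + '/plugin' + status['VERSION']


def clugin_local_path(status):
    # Where Cumulus stores the downloaded DEX on the device.
    return 'ch.seme/Files/.temp/plugin' + status['VERSION'] + '.dex'


def command_file_path(status):
    # /{UUID}/C in the report; the TID standing in for the UUID once set is assumed.
    return '/' + device_id(status) + '/C'


def apply_pushy_message(status, message):
    # Status fields an attacker can update through Pushy. Unknown keys are
    # ignored; a CLOUD value other than P or Y is rejected instead of stored.
    for key, value in message.items():
        if key == 'TID':
            status['TID'] = value
        elif key == 'ACCESSTOKEN':
            status['PRIMARY_ACCESSTOKEN'] = value
        elif key == 'CLOUD':
            if value not in CLOUDS:
                raise ValueError('unsupported CLOUD value: ' + str(value))
            status['CLOUD'] = value
        elif key == 'VERSION':
            status['VERSION'] = value
            status.setdefault('PLUGINDEXDOWN' + value, 0)
        elif key == 'AUTOSTART':
            status['AUTOSTART'] = value
    return status


def parse_command_file(text, status):
    # Each line is {Type} : {Key} : {Value}; Key and Value go into the store.
    # split(':', 2) keeps any later colons inside the value (paths, URLs).
    # Malformed lines and non-numeric I values are skipped rather than stored.
    for line in text.splitlines():
        parts = [part.strip() for part in line.split(':', 2)]
        if len(parts) != 3 or not parts[1]:
            continue
        vtype, key, value = parts
        if vtype == 'I':
            try:
                status[key] = int(value)
            except ValueError:
                continue
        else:
            status[key] = value
    return status


def plan_actions(status):
    # CMD == 0: nothing. CMD > 0: start the Cumulus service and steal/upload.
    # CMD > 10: additionally download and load CallRecorder. AR and SDPATH gate
    # the recording and file-collection branches (assumed meaning of those keys).
    cmd = status.get('CMD', 0)
    if not isinstance(cmd, int) or cmd <= 0:
        return []
    actions = ['start_service:com.sec.mishat', 'upload_device_info']
    if status.get('AR'):
        actions.append('audio_record')
    if status.get('SDPATH'):
        actions.append('collect_files:' + str(status['SDPATH']))
    if cmd > 10:
        actions.append('download_callrecorder')
    return actions


# Constructed sample Command file (not real C2 data); the last line is malformed.
SAMPLE_COMMAND = '''I : CMD : 11
I : AR : 1
S : SDPATH : /sdcard/Download
this line is malformed and is skipped'''


def demo():
    # Full sequence: first run, a Pushy update that sets TID and moves to Yandex,
    # then a Command file that turns on recording, file collection and CallRecorder.
    status = initial_status('3f1c-uuid', 'pushy-device-token', 'pcloud-oauth-token', '6.0')
    first_command_path = command_file_path(status)
    apply_pushy_message(status, {'TID': 'tid-0042', 'CLOUD': 'Y'})
    parse_command_file(SAMPLE_COMMAND, status)
    return (first_command_path, command_file_path(status), clugin_cloud_path(status),
            clugin_local_path(status), plan_actions(status))
```

Running demo() walks one device from its first run (Command path /3f1c-uuid/C, Clugin at /P/plugin6.0) through a Pushy update (path becomes /tid-0042/C and the Clugin request moves to /Y/plugin6.0) to a Command file whose CMD of 11 enables every branch including the CallRecorder download. The same parser doubles as a triage tool for Command files recovered from a cloud account: feed the file in, inspect the resulting store, and plan_actions tells you what the infected device would have done.\r\n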
Since the cloud identifies infected devices by their UUID or TID values, it is possible to serve a different Clugin to each device. After downloading, Cumulus calls the LogState method of the com.personal.info.plugin class.\r\nClugin path on first run (on cloud): /P/plugin{VERSION}\r\nClugin storage path (on infected device): ch.seme/Files/.temp/plugin{VERSION}.dex\r\nFigure 7. Downloads Clugin and invoke\r\nStage 2: Clugin (DEX)\r\nCumulus downloads and executes the Clugin as a plugin from the cloud. In this process we collected samples of different Clugin versions, between 1.0 and 6.0. After analyzing each version, the table below summarizes the versions and features with noticeable changes.\r\nTable 4. Feature comparison table of Clugin by version\r\n1. Download Command file from Cloud\r\nThe Clugin reads the Command file from the cloud and performs information theft according to the values set in each field. Each field is specified in the format {Type} : {Key} : {Value}; the Key and Value are parsed and registered in SharedPreferences. The C (Command) file can be deleted from the cloud after downloading.\r\nCommand file download path: /{UUID}/C\r\nFigure 8. Command file parsing process\r\nTable 5. 
Keys in Command file\r\nThe CMD value in the Command file determines whether malicious behavior is performed.\r\nCMD == 0: Do not perform malicious behavior\r\nCMD \u003e 0: Run the service and send the information after stealing it\r\nCMD \u003e 10: Download and load CallRecorder\r\n2. Interact with Cumulus to execute malicious services\r\nThe Clugin checks whether the AR and SDPATH values are set in the Command file and executes the malicious behavior by interacting with Cumulus. If CMD is greater than 0, the Clugin checks whether a specific service in Cumulus is currently running and, if not, starts the service through an Intent. The service in Cumulus directly calls specific methods in the Clugin to perform the actual audio recording or file collection. In the figure below, the Clugin checks whether a service named \"com.sec.mishat.{ServiceName}\" is running, where com.sec.mishat is the package name of Cumulus. This implementation exists because the commands are modularized in the Clugin, so the Clugin version can be updated at any time without the Clugin depending on Cumulus. The malicious behaviors executed this way are as follows.\r\nUpdate Clugin from the cloud\r\nAudio Record using CallRecorder\r\nCollect files from external storage\r\nFigure 9. The process of how methods are executed in Clugin\r\nFigure 10. Check if a specific service is running in Cumulus\r\n3. 
Download CallRecorder\r\nCumulus reads the CMD value from SharedPreferences and, if it is greater than 10, downloads an additional CallRecorder from the cloud that performs call recording and calls the CallRecorder's \"execute\" method.\r\nFigure 11. Downloads CallRecorder and invoke\r\n4. Collect \u0026 Exfiltration\r\nFinally, the Clugin collects information from the infected device and sends it to the cloud. Below is how the data is encrypted and how it is stored in the cloud.\r\nTable 6. List of collected data and upload path\r\nFor the stolen items stored under the D path on the cloud, encryption is performed before exfiltration. First an epk file containing the encryption key is downloaded from the cloud; its data is AES-decrypted and Base64-decoded with values hardcoded in the Clugin to extract an RSA public key. Each collected file is then encrypted with a randomly generated AES secret key, and that secret key is encrypted with the extracted RSA public key. Finally, the encrypted file data is stored along with the encrypted AES secret key, the length of the encrypted AES secret key, the Custom Path, and the length of the Custom Path. If no RSA public key exists, the generated AES secret key is stored in plain.\r\nHardcoded values used to decrypt the epk file:\r\nSecret Key: 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik, (32 bytes; the trailing comma is part of the key)\r\nIV: qwertyuiop456789\r\nFigure 12. Structure of the files to be stolen\r\nThe AES secret key and hardcoded IV value used to encrypt the files are shown below. The IV is a fixed constant, so it is a useful static indicator when hunting for Clugin code.\r\nEncryption: AES-256-CBC\r\nSecret Key: Random 32 bytes\r\nIV: qwertyuiop456789\r\nFigure 13. 
Encryption flow\r\nFiles containing the encrypted file data and the additional information are named according to the type of each file. Only the top two formats in the table below are actually used, and a combination of UUID, phone number, and data type is used as the Custom Path.\r\nTable 7. Format of Custom path\r\nStage 3: CallRecorder\r\nAfter analyzing the CallRecorder that is additionally downloaded by the Clugin, we found that it is a DEX file with a call recording function. CallRecorder records incoming and outgoing calls and saves them as separate files. The saved recording files are sent to the cloud via the Clugin.\r\nPackage Name: com.sec.android.acservice\r\nFigure 14. Key features within CallRecorder\r\nActions when additional messages are received from Pushy\r\nAn attacker can send messages to Cumulus using the Pushy messaging service to update the status of the malware. This allows the attacker to continuously update the state of the infected device. The following values can be updated via messages:\r\nTID: Change the upload path for stolen information on the cloud\r\nACCESSTOKEN: Change the OAuth Token\r\nCLOUD: Change the cloud service from pCloud to Yandex\r\nVERSION: Update the Clugin version\r\nAUTOSTART: Set app auto launch\r\nFigure 15. Status update\r\nThe flow of malicious behavior executed by Cumulus via the Pushy message service is shown below. On the first execution the infected device is identified by its UUID value, but after that it is identified by its TID value.\r\nFigure 16. 
Execution flow when receiving a message from Pushy\r\nInteresting discoveries\r\nWe have been monitoring the group's attack campaign for a few months and have been able to obtain data from victims compromised by Cumulus and Clugin, as well as test data from the attackers leaked through OPSEC failures. We were able to see malicious app deployment tests and the context of malicious app distribution via messengers.\r\n1. Targeting Chinese Phones\r\nThe Scarcruft group has traditionally implemented its messaging capability through Firebase, but in the latest version it uses a third-party service called Pushy. This is believed to be in case the targets use mobile devices made in China, such as Huawei devices, which may lack Google services and therefore cannot receive FCM messages. In fact, Pushy reviews indicate that many developers have switched from Firebase to Pushy to ensure stable delivery in China.\r\n2. Installed Packages in Test Environment\r\nWe found that the attacker was testing the malicious APK. From the test logs we could see information about the attacker's test device, and from the installed application information we could see that VPN and translation applications were installed.\r\nAstrill VPN is a VPN application used to bypass internet blocking in China, and SpeedCN is an application that increases the speed of Internet access in China. The presence of a translation application that can translate Chinese among the installed applications suggests that the attacker is preparing to target Chinese-speaking users.\r\nTable 8. Installed packages on the test device\r\nAttribution\r\nOur analysis of the Cumulus and Clugin samples reveals a strong similarity in code and functionality to malicious APKs distributed by the Scarcruft group in the past through watering hole attacks. 
The malware used then was a mobile version of ROKRAT, which suggests that the Scarcruft group has continued to update it and use it to this day.\r\nReference: [FSI] Threat Intelligence Report - Campaign DOKKAEBI\r\nThe malicious APK used by Scarcruft in 2017 drops an additional malicious APK with the package name \"com.android.systemservice\", and code similarities between that APK and Clugin 6.0 were found. The same routine for downloading Command files from the cloud and registering settings via SharedPreferences is present in both. We also found the same key names in the settings registered by the 2017 sample and in the Command file downloaded by the 2023 sample.\r\nIn addition, similar code is used to collect the same data. Clugin 6.0 adds a routine that collects email information from the device.\r\nThe package name \"com.sec.android.acservice\", which is the package name of the CallRecorder downloaded by the Clugin, had been used in similar samples in the past.\r\nConclusion\r\nWe found that the Scarcruft group has continued to improve the mobile version of the ROKRAT malware it has been using since 2017 and is still actively using it today.\r\nThe mobile version of ROKRAT can be classified as Cumulus, which receives messages from attackers via messaging services such as FCM or Pushy and exfiltrates data to cloud services such as pCloud and Yandex.\r\nAs disclosed by InterLab, the group conducts attack campaigns targeting individuals, using conversations to convince 
them to install malicious apps disguised as legitimate apps such as image viewers and messengers.\r\nThe group uses a multi-channel strategy that relies on cloud services such as Yandex and pCloud, as well as legitimate services such as Firebase and Pushy, for command and control.\r\nIoCs\r\nThe full IoC list can be found on our GitHub. The hashes below are MD5.\r\n5dde5f5fcc1ebfd932e1ef0bfcc7b272\r\n957ebfbd0b23a164529d7510ca89ddae\r\n3ae92bc233dd6a4412aa77da4dc44a19\r\nae767e4658a5d235ec614eaa8655da0d\r\nbe6f13d6e7ae5039aed46d1f8844f3ee\r\n0711102cbfcf18a3672a892c4ea31ad1\r\ne4f781e00bc48f88a717095deb78be6f\r\nce3104fe4184558feea707368846c226\r\n97856a842ff8161576fee5ad3fd0ec67\r\n580f22dde975ac5e3544f3a74f4a91b9\r\n97a750f33812195cc2add4ebd120b468\r\n1f2c23c7c9ecb28bfdc6627a3ad23783\r\n97a9ab76af215241ad2a07856b40242e\r\nfe11b08764fba51236325be852ca1406\r\na90e3bd0e2de1b6a6bec269dc0f09369\r\n15470bafbaf3841bac1813881e6524fa\r\n97ecdb46b8325a845e998cfe3bd2262e\r\n214ead5c75899b8d1382e558e542574a\r\n464df52f091f95a561474d4de62a821b\r\n759b26631a660d82f6a93621991c4292\r\n445922b01b3f8f463cb9f48d74efd9a8\r\n89c669739066ac655a1e2b772bb020f3\r\na97e22b8ca16452a4ddcb32284d7c7a7\r\n8092bb293352ef572464c682e81f329f\r\n1d4683844c8429ad141f9f66bcf29728\r\n27e0dcceb68c03b246874c9fcc9b744e\r\n72182f83e771fcaaa1e86c7c932014cb\r\nf58fed1e492f40d28e0bc38dc0f76b35\r\nd7723de89903a04b93c7a9a92d8309c2\r\nATT\u0026CK Matrix\r\nCredential Access\r\nSteal Application Access Token (T1635)\r\nPersistence\r\nEvent Triggered Execution (T1624)\r\nDiscovery\r\nFile and Directory Discovery (T1420)\r\nLocation Tracking (T1430)\r\nSoftware Discovery (T1418)\r\nSystem Information Discovery (T1426)\r\nCollection\r\nArchive Collected Data (T1532)\r\nAudio Capture (T1429)\r\nCommand and Control\r\nWeb Service (T1481)\r\nExfiltration\r\nExfiltration Over Alternative Protocol 
(T1639)\r\nSource: https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab"
	],
	"report_names": [
		"scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e237c8f9ee084bf7a28b9a47f018839bb3b9018.pdf",
		"text": "https://archive.orkl.eu/3e237c8f9ee084bf7a28b9a47f018839bb3b9018.txt",
		"img": "https://archive.orkl.eu/3e237c8f9ee084bf7a28b9a47f018839bb3b9018.jpg"
	}
}