{
	"id": "7c57694b-95ba-45c2-a03e-bef433c18c40",
	"created_at": "2026-04-06T00:10:22.629726Z",
	"updated_at": "2026-04-10T03:38:06.510237Z",
	"deleted_at": null,
	"sha1_hash": "5ef05322e80e612e44f2f70d37aab09d795b90f8",
	"title": "ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4137628,
	"plain_text": "ScarCruft | Attackers Gather Strategic Intelligence and Target\r\nCybersecurity Professionals\r\nBy Aleksandar Milenkoski \u0026 Tom Hegel\r\nPublished: 2024-01-22 · Archived: 2026-04-05 13:44:30 UTC\r\nExecutive Summary\r\nSentinelLABS observed a campaign by ScarCruft, a suspected North Korean APT group, targeting media\r\norganizations and high-profile experts in North Korean affairs.\r\nWe recovered malware in the planning and testing phases of ScarCruft’s development cycle, presumably\r\nintended for use in future campaigns.\r\nScarCruft has been experimenting with new infection chains, including the use of a technical threat\r\nresearch report as a decoy, likely targeting consumers of threat intelligence like cybersecurity\r\nprofessionals.\r\nScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into\r\nnon-public cyber threat intelligence and defense strategies.\r\nOverview\r\nIn collaboration with NK News, SentinelLABS has been tracking campaigns targeting experts in North Korean\r\naffairs from South Korea’s academic sector and a news organization focused on North Korea. We observed\r\npersistent targeting of the same individuals over a span of two months. Based on the specific malware, delivery\r\nmethods, and infrastructure, we assess with high confidence that the campaigns are orchestrated by ScarCruft.\r\nAlso known as APT37 and InkySquid, ScarCruft is a suspected North Korean advanced persistent threat (APT)\r\ngroup with a long history of targeted attacks against individuals as well as public and private entities, primarily in\r\nSouth Korea.\r\nIn addition, we retrieved malware that we assess is currently in the planning and testing phases of ScarCruft’s\r\ndevelopment cycle and will likely be used in future campaigns. In an interesting twist, ScarCruft is testing\r\nmalware infection chains that use a technical threat research report on Kimsuky as a decoy document. 
Kimsuky is\r\nanother suspected North Korean threat group observed to share operational characteristics with ScarCruft, like\r\ninfrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to\r\ntargeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat\r\nintelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals.\r\nWe observed ScarCruft using oversized Windows Shortcut (LNK) files that initiate multi-stage infection chains\r\ndelivering RokRAT, a custom-written backdoor associated with the threat group. RokRAT is a fully-featured\r\nbackdoor equipped with capabilities that enable its operators to conduct effective surveillance on targeted entities.\r\nIn an attempt to execute undetected, the infection chains involve multiple executable formats and evasion\r\ntechniques. They continue an existing trend, closely resembling the infection chains seen in ScarCruft activities\r\nhttps://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/\r\nPage 1 of 17\n\nfrom earlier in 2023, including the campaigns disclosed by AhnLab in April 2023, Check Point in May 2023, and\r\nQi An Xin in July 2023.\r\nBy targeting high-profile experts in North Korean affairs and news organizations focused on North Korea,\r\nScarCruft continues to fulfill its primary objective of gathering strategic intelligence. This enables the adversary to\r\ngain a better understanding of how the international community perceives developments in North Korea, thereby\r\ncontributing to North Korea’s decision-making processes.\r\nScarCruft’s focus on consumers of technical threat intelligence reports suggests an intent to gain insights into non-public cyber threat intelligence and defense strategies. 
This helps in identifying potential threats to their operations\r\nand contributes to refining their operational and evasive approaches. As we continue to track suspected North\r\nKorean threat actors and their pace of experimentation, we assess they have a growing interest in mimicking\r\ncybersecurity professionals and businesses, ultimately for use in the targeting of specific customers and contacts\r\ndirectly, or more broadly through brand impersonation.\r\nScarCruft Campaigns\r\nA phishing email, impersonating a member of the North Korea Research Institute (Institute for North Korean\r\nStudies – INKS), was sent from the email address kirnchi122[@]hanmail.net on December 13, 2023, targeting\r\nan expert in North Korean affairs. The email contains an attached archive file named December 13th\r\nannouncement.zip (machine translation from Korean), which includes nine files.\r\nThe files claim to be presentation materials from a fabricated event relevant to the targeted individual — an\r\napparent human rights expert discussion meeting. To make the phishing email current and therefore more credible,\r\nthe email asserts that the meeting occurred on the same date the email was sent (December 13).\r\nPhishing email (in Korean)\r\nAmong the nine files, seven are benign Hangul Word Processor (HWP) and PowerPoint documents, while two are\r\nmalicious LNK files. 
LNK files have become popular among threat actors for malware deployment since\r\nMicrosoft’s announcement that Office applications will by default disable the execution of Office macros in the\r\ncontext of documents that originate from untrusted sources.\r\nIn an attempt to make the malicious LNK files blend among the benign files, all files have names that relate to\r\nhuman rights in North Korea and start with a number assigned to each file. Furthermore, the LNK files disguise\r\nthemselves as Hanword documents, using the Hangul Word Processor icon (the Icon location LNK artifact was\r\nset to C:\\Program Files (x86)\\Hnc\\Office 2018\\HOffice100\\Bin\\Hwp.exe).\r\nFilename | Machine translation\r\n1. 전영선 북한 주민 정보접근권 강화방안.hwp | 1. Jeon Young-seon’s plan to strengthen North Korean residents’ right to access information.hwp\r\n2.이상용 반동사상문화배격법과 정보 유입 활동의 변화.pptx | 2. Lee Sang-yong’s reactionary ideology cultural rejection law and changes in information inflow activities.pptx\r\n3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk | 3. Lee Yun-sik’s North Korean Human Rights Act implementation plan centered on the launch of the North Korean Human Rights Foundation.lnk\r\n5. 여현철 북한주민 정보접근권 강화 방안.hwp | 5. Yeo Hyeon-cheol’s plan to strengthen North Korean residents’ right to access information.hwp\r\n6. 이종겸 북한인권 토론회 토론문.hwp | 6. Lee Jong-gyeom North Korean human rights debate discussion paper.hwp\r\n7. 박유성 북한주민 정보접근 강화방안.hwp | 7. Park Yoo-sung’s plan to strengthen North Korean residents’ access to information.hwp\r\n8. 이도건 북한연구소 토론회.lnk | 8. Lee Do-gun North Korean Research Center Discussion.lnk\r\n9. 김태원 북한인권 전문가 토론회 토론문.hwp | 9. Taewon Kim, North Korean human rights expert discussion paper.hwp\r\n10. 서유석 북한 주민들의 알권리 제고 방안.hwp | 10. Seo Yoo-seok’s plan to improve North Korean residents’ right to know.hwp\r\nThe LNK files exceed 48 MB and implement a multi-stage mechanism deploying the RokRAT backdoor.\r\nInfection chain: 8. 이도건 북한연구소 토론회.lnk\r\nThe LNK files execute PowerShell code that performs the following actions:\r\nLocates the executing LNK file based on its filesize.\r\nExtracts from the LNK file a decoy document (in HWP and HWPX format), a Windows Batch script named 111223.bat, and a PowerShell script named public.dat, placing the script in the %Public% folder.\r\nDisplays the decoy document and executes 111223.bat.\r\nDeletes the executing Shortcut file.\r\nThe PowerShell code locates the content of the files it extracts from the LNK file based on hardcoded offsets.\r\nPowerShell code\r\n111223.bat then executes the PowerShell script stored in %Public%\\public.dat. This script decodes and\r\nexecutes another hex-encoded PowerShell script embedded in public.dat.\r\nThe content of public.dat\r\nThe decoded script downloads from a major Cloud file hosting provider a file named myprofile[.]zip, XOR-decrypts the file using the first byte as an XOR key, and executes the decrypted content in a thread.\r\nmyprofile[.]zip implements a shellcode that deploys the RokRAT backdoor. 
RokRAT uses public Cloud\r\nservices for command-and-control purposes, such as pCloud and Yandex Cloud, disguising malicious\r\ncommunication as legitimate network traffic.\r\nPowerShell script executing shellcode\r\nWhile most of the documents we analyzed are stripped of metadata, an HWPX decoy document stands out by\r\ncontaining metadata that identifies the pseudonym bandi as the document’s creator. We note the use of the same\r\nstring in the context of Kimsuky activities, for example, in an email address used in a phishing campaign\r\n(bandi00413[@]daum.net) and in a C2 server domain (one.bandi[.]tokyo).\r\nWhile the overlap in pseudonym use does not represent a strong link between the groups from a technical\r\nperspective, it is still indicative of the suspected relations between them. In the context of North Korea, the term\r\nbandi is known as the pseudonym of a suspected North Korean author known for publishing dissident writing.\r\nbandi also means ‘firefly’ in Korean.\r\nThe bandi pseudonym (HWPX document metadata)\r\nEarlier Overlapping Campaign\r\nSome of the individuals targeted in the December 2023 ScarCruft activity, discussed above, were also targeted\r\napproximately one month earlier on November 16, 2023. This speaks to the adversary’s persistence and\r\nadaptability in pursuing its goals. The November campaign included individuals from a news organization focused\r\non North Korea as well.\r\nA phishing email, impersonating a member of the North Korea Research Institute, was sent from the address\r\nc039911[@]daum.net. 
The email attaches two malicious HWP files, titled 조선 시장 물가 분석(회령).hwp\r\n(North Korean market price analysis (Hoeryeong).hwp) and 조선 시장 물가 분석(신의주).hwp\r\n(North Korean market price analysis (Sinuiju).hwp; 조선 is the North Korean name for Korea, which a literal machine translation renders as ‘shipbuilding’), disguised as North\r\nKorean market price analysis data.\r\nPhishing email (in Korean)\r\nThe documents contain OLE objects, activated by double-clicking on the document’s content. In adherence to the\r\nHWP document format, the OLE objects are stored as compressed Structured Storage objects, and their\r\ndecompression reveals C2 URLs accessed upon OLE object activation.\r\nThe HWP documents contain metadata, including the LinkValue, Last Saved By, and Author metadata\r\nvalues, which provide information on the system accounts where the documents have been created.\r\nHWP document: C2 URL and metadata\r\n조선 시장 물가 분석(회령).hwp\r\n  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC\r\n  LinkValue: \\Users\\Moo\\AppData\\Local\\Temp\r\n  Last Saved By: Moo\r\n  Author: Moo\r\n조선 시장 물가 분석(신의주).hwp\r\n  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM\r\n  LinkValue: \\Users\\DailyN~1\\AppData\\Local\\Temp\r\n  Last Saved By: dailynk_001\r\n  Author: dailynk01\r\nThe DailyN~1 / dailynk_001 / dailynk01 account is particularly interesting since it relates to Daily NK, a\r\nprominent South Korean online news outlet that provides independent reporting on North Korea with which we\r\nhave collaborated in the past. The focus of this organization makes them an attractive target for North Korean\r\nthreat actors seeking to intrude or impersonate it, a strategy previously observed by SentinelLABS in past\r\nKimsuky campaigns. 
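\r\nThe C2 URLs in the HWP table above sit inside OLE objects that the HWP format stores as compressed streams in the document’s Structured Storage container. The Python below is an added example written for this page, not SentinelLABS tooling or code from the samples: it takes the raw bytes of one such stream (constructed inline, with a hypothetical URL of the same shape as the page’s), inflates it the way HWP 5.0 stores compressed streams (raw deflate, no zlib header) and pulls out URLs and their view/user tokens whether they are stored as ASCII or UTF-16LE. Walking a real document’s BinData streams with a library such as olefile is the step left out so that the block runs offline.

```python
import re
import zlib

# URL pattern kept free of backslashes; matches http(s) URLs up to the
# first character that cannot appear in one (whitespace, quotes, NUL).
URL_RE = re.compile(r'https?://[0-9A-Za-z._~:/?#@!$&()*+,;=%-]+')
# The query tokens the report is still investigating (view=..., user=...).
TOKEN_RE = re.compile(r'(view|user)=([0-9A-Z]+)')


def inflate_hwp_stream(raw):
    '''HWP 5.0 stores compressed streams as raw deflate (zlib, wbits=-15).
    Return the inflated bytes, or the input unchanged if it is not
    compressed (some streams in a document are stored plain).'''
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def decode_strings(data):
    '''Yield the stream content as text in the encodings OLE objects use.'''
    yield data.decode('latin-1')
    yield data.decode('utf-16-le', errors='ignore')
    # UTF-16 strings are not guaranteed to start on an even offset
    yield data[1:].decode('utf-16-le', errors='ignore')


def extract_c2(raw_stream):
    '''Return sorted unique (url, token) pairs found in one stream;
    token is the view/user value, or None if the URL carries neither.'''
    data = inflate_hwp_stream(raw_stream)
    found = set()
    for text in decode_strings(data):
        for url in URL_RE.findall(text):
            m = TOKEN_RE.search(url)
            found.add((url, m.group(2) if m else None))
    return sorted(found)


def defang(url):
    '''Render a URL the way the report prints IOCs: http[://]host[.]tld/...'''
    scheme, rest = url.split('://', 1)
    host, _, path = rest.partition('/')
    host = host.replace('.', '[.]')
    return scheme + '[://]' + host + ('/' + path if path else '')


# --- constructed sample stream, not taken from a real document ------------
def build_sample_stream():
    # hypothetical URL of the same shape as the page's C2 endpoints
    url = 'http://nav.example.invalid/capture/parts/you?view=ABCDEF0123456789ABCDEF01'
    payload = bytes(32) + url.encode('utf-16-le') + bytes(16) + b'OLE link object'
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as HWP does
    return comp.compress(payload) + comp.flush()


if __name__ == '__main__':
    for url, token in extract_c2(build_sample_stream()):
        print(defang(url), token)
```

On a real sample, iterate the streams returned by olefile (BinData/BIN0001.OLE and similar), feed each to extract_c2, and compare the defanged result against the table above; the token is worth logging separately because the report notes the role of the view and user values is still unknown.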
It remains to be investigated whether this account is used for developing malware involved\r\nin Daily NK-related campaigns and/or serves as an additional indicator of the suspected relations between\r\nKimsuky and ScarCruft. Additionally, in our previous reporting on the overlap of suspected North Korean\r\nintrusions into a Russian missile engineering organization, we shared links to ScarCruft infrastructure making use\r\nof this same illicit naming scheme, such as dallynk[.]com.\r\nPivoting on the DailyN~1 artifact revealed additional HWP documents that share overlapping metadata\r\ninformation and employ the same OLE-based infection vector, using different C2 URLs.\r\nHWP document (SHA-1 hash): C2 URL and metadata\r\ne9df1f28cfbc831b89a404816a0242ead5bb142c\r\n  C2 URL: http[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP\r\n  LinkValue: \\Users\\DailyN~1\\AppData\\Local\\Temp\r\n  Last Saved By: dailynk01\r\n  Author: umgdnk-03\r\n2f78abc001534e28eb208a73245ce5389c40ddbe\r\n  C2 URL: http[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU\r\n  LinkValue: \\Users\\DailyN~1\\AppData\\Local\\Temp\r\n  Last Saved By: dailynk_001\r\n  Author: /\r\nThe app.documentoffice[.]club domain is also used as C2 endpoint for malicious Microsoft Office documents,\r\nemploying ActiveX controls to establish communication with the C2 server.\r\nOffice document (SHA-1 hash) | C2 URL\r\ne46907cfaf96d2fde8da8a0281e4e16958a968ed | http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950\r\n39c97ca820f31e7903ccb190fee02035ffdb37b9 | http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE\r\n577c3a0ac66ff71d9541d983e37530500cb9f2a5 | http[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6\r\nAt the time of analysis, the C2 URLs were inactive, preventing us from examining their functions and any\r\npotential additional payloads they might deliver to the targets. We are still investigating the role of the user and\r\nview query parameter values, such as 5JV0FAGA6KW1GBHB7LX2HCIC and H11I75PFF0ZG53NDG00H64OE.\r\nWhile preparing this report, Genians released research that outlines ScarCruft campaigns throughout 2023,\r\ncovering certain aspects of the activities discussed in this section. We add to the public information on this activity\r\ncluster by providing additional details on the related infrastructure.\r\nInfrastructure associated with this cluster of suspected North Korean threat activity leads to multiple interesting\r\ndetails which we have found useful for further monitoring and analysis of separate campaigns. The domains\r\nofflinedocument[.]site and documentoffice[.]club both make use of a variety of subdomains such as\r\nopen, nav, and app. During their illicit use, the domains temporarily make use of\r\nLithuania’s Cherry Servers virtual private server (VPS) hosting service – 84.32.131[.]87 and\r\n84.32.131[.]104 in this case.\r\nA repeating trend is the actor registering domains through Namecheap, leaving the domain parked on a\r\nNamecheap IP address, and then rotating to Cherry Servers. 
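\r\nThe parking-to-VPS rotation described above can be turned into a hunt over passive DNS history. The Python below is an added example, not SentinelLABS code: it runs over a constructed set of resolution records (the domains, dates and parking range are hypothetical; the VPS addresses are the Cherry Servers IPs from the report’s IOC table) and flags domains that resolved to Cherry Servers space only briefly between two parked periods, then groups domains that shared one of those IPs, which is the moderate-confidence pivot the report describes.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Cherry Servers addresses listed in the report's IOC table.
VPS_IPS = {'84.32.129.32', '84.32.131.104', '84.32.131.30', '84.32.131.50',
           '84.32.131.59', '84.32.131.66', '84.32.131.87'}
# Assumption: a stand-in for the registrar's parking range (TEST-NET-1);
# substitute the parking addresses observed in your own passive DNS.
PARKING_NETS = [ipaddress.ip_network('192.0.2.0/24')]
MAX_ACTIVE_DAYS = 3   # the report observes one or two days of live hosting


def classify(ip):
    '''Label an address as vps (Cherry Servers), parked, or other.'''
    if ip in VPS_IPS:
        return 'vps'
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in PARKING_NETS):
        return 'parked'
    return 'other'


def rotation_pattern(records):
    '''records: iterable of (domain, ip, first_seen, last_seen) with date
    objects. Return {domain: [(state, days), ...]} for every domain whose
    history shows parked -> vps (at most MAX_ACTIVE_DAYS) -> parked.'''
    by_domain = defaultdict(list)
    for dom, ip, first, last in records:
        by_domain[dom].append((first, last, classify(ip)))
    hits = {}
    for dom, rows in by_domain.items():
        rows.sort()
        states = [(s, (last - first).days + 1) for first, last, s in rows]
        for i in range(1, len(states) - 1):
            prev_s, cur, nxt_s = states[i - 1][0], states[i], states[i + 1][0]
            if (prev_s == 'parked' and cur[0] == 'vps'
                    and nxt_s == 'parked' and cur[1] <= MAX_ACTIVE_DAYS):
                hits[dom] = states
                break
    return hits


def cohosted(records):
    '''Group domains by the Cherry Servers IP they shared. Returns
    {ip: sorted domains} only for IPs that hosted more than one domain.'''
    by_ip = defaultdict(set)
    for dom, ip, _, _ in records:
        if classify(ip) == 'vps':
            by_ip[ip].add(dom)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


# --- constructed passive DNS records (domains and dates are hypothetical) --
SAMPLE = [
    ('lure-one.example', '192.0.2.10', date(2023, 11, 1), date(2023, 11, 9)),
    ('lure-one.example', '84.32.131.87', date(2023, 11, 10), date(2023, 11, 11)),
    ('lure-one.example', '192.0.2.10', date(2023, 11, 12), date(2023, 12, 1)),
    ('lure-two.example', '192.0.2.11', date(2023, 11, 3), date(2023, 11, 14)),
    ('lure-two.example', '84.32.131.87', date(2023, 11, 15), date(2023, 11, 15)),
    ('lure-two.example', '192.0.2.11', date(2023, 11, 16), date(2023, 12, 1)),
    # long-lived VPS hosting: co-hosting pivot only, not a rotation hit
    ('steady.example', '84.32.131.104', date(2023, 10, 1), date(2023, 12, 1)),
    ('unrelated.example', '198.51.100.5', date(2023, 11, 1), date(2023, 12, 1)),
]

if __name__ == '__main__':
    for dom, states in rotation_pattern(SAMPLE).items():
        print(dom, states)
    print(cohosted(SAMPLE))
```

The short VPS window is the discriminating feature: a domain that simply sits on Cherry Servers for months (steady.example in the sample) is only a co-hosting overlap, which is why the report rates such pivots as moderate confidence.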
In separate domains, we observe this same operational\r\nworkflow, and interestingly other domains which the actor only makes use of for one or two days before shifting\r\nback to a parked IP address. We assess this process aims to limit detection and analysis capabilities following their\r\nmalicious activity, such as hosting a phishing login or malware delivery link.\r\nExamples of this activity can be found through publicly available telemetry, such as that of\r\ninstantreceive[.]org. This domain hosted a page mimicking GitHub, a characteristic not new to North Korea-attributed threat actors, as we have reported on in the past.\r\nGitHub phishing page\r\nThis domain overlaps through the use of unique Cherry Servers hosting IPs, which can be used for further\r\nmoderate-confidence infrastructure pivoting. We encourage readers to conduct additional research and monitoring.\r\nThe full list shown here is provided in the IOC table.\r\nCherry Servers overlap map\r\nScarCruft Testing Grounds\r\nWhile investigating ScarCruft activities, we retrieved malware that we assess to be part of ScarCruft’s planning\r\nand testing processes. This includes a spectrum of shellcode variants delivering RokRAT, public tooling, and two\r\noversized LNK files, named inteligence.lnk and news.lnk.\r\nAlthough similar to those implemented by 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and\r\n8. 이도건 북한연구소 토론회.lnk discussed above, the infection chains executed by inteligence.lnk and\r\nnews.lnk exhibit some differences. 
This has likely been done to evade detection based on the known ScarCruft\r\ntechniques that have been publicly disclosed by the threat intelligence community.\r\nInfection chain: news.lnk\r\ninteligence.lnk executes PowerShell code, which locates the executing LNK file based on its filename instead\r\nof its filesize. The code then extracts from the LNK file and displays a decoy PDF document (named\r\ninteligence.pdf), and downloads from a major Cloud file hosting provider a hex-encoded file named\r\nstory.txt. The PowerShell code locates the content of the decoy document it extracts from the LNK file based\r\non a byte pattern (50 4b 03 04) instead of a hardcoded file offset.\r\nThe PowerShell code then decodes the file, and executes the decoded file content in a thread. story.txt\r\nimplements a benign shellcode that just opens notepad.exe, indicating that inteligence.lnk has been\r\ndeveloped for testing purposes.\r\nIn contrast to 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk and 8. 이도건 북한연구소 토론회.lnk, inteligence.lnk does not execute a Windows Batch script and an external PowerShell script.\r\ninteligence.lnk: Extraction and display of a decoy document\r\ninteligence.lnk: Shellcode decoding and execution\r\ninteligence.lnk: Shellcode\r\nnews.lnk downloads, in the form of a file named story3.txt, and executes PowerShell code. 
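\r\nBoth LNK chains on this page, the December 2023 files that locate their embedded content by hardcoded offset and inteligence.lnk that scans for the 50 4b 03 04 pattern, leave the embedded objects in the oversized shortcut in plain form, so an analyst can carve them without running the PowerShell stage. The Python below is an added triage example written for this page, not code from SentinelLABS or from the samples: it builds a constructed LNK-like blob inline (padded to the oversized range the report describes), carves embedded objects by signature, shows the hardcoded-offset variant, and applies the first-byte XOR scheme described for myprofile[.]zip. The assumption, which the text leaves open, is that the key byte itself is dropped from the decoded output; the threshold and the sample content are likewise assumptions.

```python
# Object signatures an oversized LNK of this kind was seen to carry:
# PK = ZIP container (HWPX), %PDF = PDF decoy, HWP 5.0 OLE signature.
SIGNATURES = {
    'zip': bytes.fromhex('504b0304'),
    'pdf': b'%PDF-',
    'hwp': b'HWP Document File',
}
LNK_MAGIC = bytes.fromhex('4c000000')                            # HeaderSize 0x4C
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')   # ShellLink CLSID
OVERSIZE_THRESHOLD = 1024 * 1024   # assumption: 1 MiB, far above any real shortcut


def is_lnk(data):
    '''A Shell Link starts with HeaderSize 0x4C and the ShellLink CLSID.'''
    return data[:4] == LNK_MAGIC and data[4:20] == LNK_CLSID


def carve_by_signature(data):
    '''Return (kind, offset) for every embedded object signature found after
    the shortcut header, in file order. This mirrors how inteligence.lnk
    finds its decoy (pattern scan) rather than the December samples'
    hardcoded offsets.'''
    hits = []
    for kind, sig in SIGNATURES.items():
        start = 0x4C
        while True:
            pos = data.find(sig, start)
            if pos < 0:
                break
            hits.append((kind, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])


def carve_by_offset(data, offset, length):
    '''Hardcoded-offset extraction, as the December 2023 LNK files do.'''
    return data[offset:offset + length]


def xor_first_byte_decode(blob):
    '''myprofile[.]zip scheme: the first byte is the key, the remainder is
    XORed with it. Assumption: the key byte is not part of the output.'''
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def triage(data, size_threshold=OVERSIZE_THRESHOLD):
    '''Summarise why a shortcut is suspicious: whether it is an LNK at all,
    whether it is oversized, and which embedded objects were carved.'''
    if not is_lnk(data):
        return {'lnk': False, 'oversized': False, 'objects': []}
    return {'lnk': True,
            'oversized': len(data) > size_threshold,
            'objects': carve_by_signature(data)}


# --- constructed sample, not a real ScarCruft artefact --------------------
def build_sample():
    header = LNK_MAGIC + LNK_CLSID + bytes(0x4C - 20)   # minimal 76-byte header
    decoy_pdf = b'%PDF-1.7 constructed decoy'
    decoy_hwpx = bytes.fromhex('504b0304') + b'constructed hwpx decoy'
    key = 0x5a                                           # arbitrary key byte
    stage = b'constructed shellcode stage'
    enc = bytes([key]) + bytes(b ^ key for b in stage)   # XOR-encoded stage
    padding = bytes(2 * 1024 * 1024)                      # junk that makes it oversized
    return header + padding + decoy_pdf + padding[:4096] + decoy_hwpx + enc


if __name__ == '__main__':
    sample = build_sample()
    print(triage(sample))
    print(xor_first_byte_decode(sample[-28:]))
```

A hunt built on this needs both halves: the size check alone catches every oversized shortcut, and the signature carve tells you whether the bulk is an embedded decoy plus payload rather than, say, a large icon resource.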
The\r\nimplementation and functionality of the code are very similar to that executed by inteligence.lnk, with a major\r\ndifference being that the shellcode it executes is not downloaded from a remote endpoint but is embedded in the\r\nLNK file itself.\r\nIn contrast to inteligence.lnk, the shellcode executed by news.lnk is weaponized and deploys the RokRAT\r\nbackdoor. It is likely that news.lnk is the fully developed version of inteligence.lnk, intended for use in\r\nfuture ScarCruft campaigns. As of the time of writing, we have not observed news.lnk or its variants in the wild.\r\nBoth LNK files deploy the same decoy document – a public research report on the Kimsuky threat group by\r\nGenians, a South Korean cybersecurity company. The report is written in Korean and was released in late October\r\n2023.\r\nDecoy document\r\nGiven the report’s technical content, the LNK file names, and ScarCruft’s use of decoys relevant to the targeted\r\nindividuals, we suspect ScarCruft has been planning phishing or social engineering campaigns on recent\r\ndevelopments in the North Korean cyber threat landscape, targeting audiences consuming threat intelligence\r\nreports.\r\nConclusions\r\nThe findings outlined in this post highlight ScarCruft’s ongoing dedication to gathering strategic intelligence\r\nthrough targeted attacks. Our insight into ScarCruft’s malware testing activities reveals the adversary’s\r\ncommitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as\r\ncybersecurity professionals or businesses.\r\nWe observed the group experimenting with new infection chains inspired by those they have used in the past. 
This\r\ninvolves modifying malicious code implementations and excluding certain files from the infection steps, likely as\r\na strategy to evade detection based on filesystem artifacts and the known ScarCruft techniques that have been\r\npublicly disclosed by the threat intelligence community.\r\nWe suspect that ScarCruft is pursuing non-public cyber threat intelligence and defense strategies. This could\r\nbenefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat\r\nlandscape, aiding them in identifying threats to their operations and improving their operational playbooks.\r\nA heightened awareness and better understanding of the adversary’s attack and infection methods among potential\r\ntargets are crucial for effective defense. SentinelLABS remains actively engaged in tracking ScarCruft activities\r\nand supporting the organizations and individuals at risk of being targeted.\r\nIndicators of Compromise\r\nSHA-1 Hashes\r\nValue | Note\r\n0ED884A3FC5C28CDB8562CD28993B30991681B0A | intelligence.lnk\r\n2F78ABC001534E28EB208A73245CE5389C40DDBE | Malicious HWP document\r\n39C97CA820F31E7903CCB190FEE02035FFDB37B9 | Malicious Office document\r\n4024A9B0C0F19A33A3C557C7E220B812EE6FDD17 | 8. 이도건 북한연구소 토론회.lnk\r\n46C3F9DE79D85165E3749824804235ACA818BA09 | 9. 김태원 북한인권 전문가 토론회 토론문.hwp\r\n483B84F973528B23E5C14BC95FBC7031A4B291F1 | 1. 전영선 북한 주민 정보접근권 강화방안.hwp\r\n4C74E227190634A6125B2703B05CB16AD69AC051 | 2.이상용 반동사상문화배격법과 정보 유입 활동의 변화.pptx\r\n577C3A0AC66FF71D9541D983E37530500CB9F2A5 | Malicious Office document\r\n7C4E37E0A733B5E8F0F723CCA2A9675901527DC4 | Decoy document\r\n88DB1E2EFBB888A97A530C8BEF8CA104CEAAB80C | public.dat\r\n8951F3EB2845C0060E2697B7F6B25ABE8ADE8737 | 3. 이윤식 북한인권법 실행방안 북한인권재단 출범 중심.lnk\r\n9DD8AA1D66CC4E765E63DC5121216D95E62A0E1C | 10. 서유석 북한 주민들의 알권리 제고 방안.hwp\r\n9E0C6A067AAB113E6A4B68299AB3B9D4C36FC330 | news.lnk\r\n9EAAAB9D4F65E3738BB31CDF71462E614FFBD2BA | 6. 이종겸 북한인권 토론회 토론문.hwp\r\nB23A3738B6174F62E4696080F2D8A5F258799CE5 | 조선 시장 물가 분석(회령).hwp\r\nB91B318A9FBB153409A846BF173E9D1BD0CC4DBF | 111223.bat\r\nC4B58CA12F7B16B6D39CE4222A5A2E054CD77B4E | 7. 박유성 북한주민 정보접근 강화방안.hwp\r\nD457D6BDCFA6D31934FB1E277FA0DE7119E9C2A5 | 5. 여현철 북한주민 정보접근권 강화 방안.hwp\r\nD9AC0CC6D7BDC24F52878D3D5AC07696940062D0 | myprofile[.]zip\r\nE46907CFAF96D2FDE8DA8A0281E4E16958A968ED | Malicious Office document\r\nE9DF1F28CFBC831B89A404816A0242EAD5BB142C | Malicious HWP document\r\nFBF4D8C7418B021305317A185B1B3534A2E25CC8 | 조선 시장 물가 분석(신의주).hwp\r\nDomains\r\nValue | Note\r\napp[.]documentoffice[.]club | C2 domain (HWP and Office documents)\r\nbenefitinfo[.]live | VPS overlap (moderate confidence)\r\nbenefitinfo[.]pro | VPS overlap (moderate confidence)\r\nbenefiturl[.]pro | VPS overlap (moderate confidence)\r\ncareagency[.]online | VPS overlap (moderate confidence)\r\ncra-receivenow[.]online | VPS overlap (moderate confidence)\r\ncrareceive[.]site | VPS overlap (moderate confidence)\r\ndepositurl[.]co | VPS overlap (moderate confidence)\r\ndepositurl[.]lat | VPS overlap (moderate confidence)\r\ndirect.traderfree[.]online | VPS overlap (moderate confidence)\r\nforex.traderfree[.]online | VPS overlap (moderate confidence)\r\ngroceryrebate[.]online | VPS overlap (moderate confidence)\r\ngroceryrebate[.]site | VPS overlap (moderate confidence)\r\ngstcreceive[.]online | VPS overlap (moderate confidence)\r\ninstantreceive[.]org | VPS overlap (moderate confidence)\r\nnav[.]offlinedocument[.]site | C2 domain (HWP documents)\r\nreceive[.]bio | VPS overlap (moderate confidence)\r\nreceiveinstant[.]online | VPS overlap (moderate confidence)\r\nrentsubsidy[.]help | VPS overlap (moderate confidence)\r\nrentsubsidy[.]online | VPS overlap (moderate confidence)\r\ntinyurlinstant[.]co | VPS overlap (moderate confidence)\r\nurldepost[.]co | VPS overlap (moderate confidence)\r\nverifyca[.]online | VPS overlap (moderate confidence)\r\nvisiononline[.]store | VPS overlap (moderate confidence)\r\nURLs\r\nValue | Note\r\nhttp[://]app[.]documentoffice[.]club/salt_view_doc_words?user=8B86CA616964A84Y7A75B950 | C2 URL (Office document)\r\nhttp[://]app[.]documentoffice[.]club/salt_view_doc_words?user=H11I75PFF0ZG53NDG00H64OE | C2 URL (Office document)\r\nhttp[://]app[.]documentoffice[.]club/salt_view_doc_words?user=MZ9IUNQ7KX7GSLO5LY8HTMP6 | C2 URL (Office document)\r\nhttp[://]app[.]documentoffice[.]club/voltage_group_intels?user=HE16AJHVFCZ48HFTGD059IGU | C2 URL (HWP document)\r\nhttp[://]nav[.]offlinedocument[.]site/capture/parts/you?view=5JV0FAGA6KW1GBHB7LX2HCIC | C2 URL (HWP document)\r\nhttp[://]nav[.]offlinedocument[.]site/capture/parts/you?view=GV6BQLRKHW7CRMSLIX8DSNTM | C2 URL (HWP document)\r\nhttp[://]nav[.]offlinedocument[.]site/capture/parts/you?view=IV3D9YMNJW4EAZNOKX5FB0OP | C2 URL (HWP document)\r\nIP Addresses\r\nValue | Note\r\n84.32.129[.]32 | Cherry Servers VPS\r\n84.32.131[.]104 | Cherry Servers VPS\r\n84.32.131[.]30 | Cherry Servers VPS\r\n84.32.131[.]50 | Cherry Servers VPS\r\n84.32.131[.]59 | Cherry Servers VPS\r\n84.32.131[.]66 | Cherry Servers VPS\r\n84.32.131[.]87 | Cherry Servers VPS\r\nEmail Addresses\r\nValue | Note\r\nc039911[@]daum.net | Phishing email address\r\nkirnchi122[@]hanmail.net | Phishing email address\r\nSource: https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/"
	],
	"report_names": [
		"a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434222,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ef05322e80e612e44f2f70d37aab09d795b90f8.pdf",
		"text": "https://archive.orkl.eu/5ef05322e80e612e44f2f70d37aab09d795b90f8.txt",
		"img": "https://archive.orkl.eu/5ef05322e80e612e44f2f70d37aab09d795b90f8.jpg"
	}
}