{
	"id": "01b3faf5-93b1-4c3f-be0e-b8667f92e913",
	"created_at": "2026-04-06T00:21:07.499942Z",
	"updated_at": "2026-04-10T03:38:06.264627Z",
	"deleted_at": null,
	"sha1_hash": "ae65e2b955f6ac2fd7b9659ce065b9fef1150b1c",
	"title": "ScarCruft continues to evolve, introduces Bluetooth harvester",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 246569,
	"plain_text": "ScarCruft continues to evolve, introduces Bluetooth harvester\r\nBy GReAT\r\nPublished: 2019-05-13 · Archived: 2026-04-02 12:23:48 UTC\r\nExecutive summary\r\nAfter publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.\r\nWe recently discovered some interesting telemetry on this actor and decided to dig deeper into ScarCruft’s recent activity. It shows that the actor is still very active and constantly refining its attack tools. Based on our telemetry, we can reassemble ScarCruft’s binary infection procedure: a multi-stage binary infection that lets each module be updated independently and helps evade detection. In addition, we analyzed the victims of this campaign and spotted an interesting overlap with another APT actor known as DarkHotel.\r\nMulti-stage binary infection\r\nThe ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor is capable of sophisticated attacks using zero-day exploits. However, public exploit code is sometimes quicker and more effective for malware authors, and we witnessed this actor extensively testing a known public exploit while preparing its next campaign.\r\nIn order to deploy an implant for the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the infection procedure starts with an initial dropper. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. 
To do so, the dropper uses public exploit code for the CVE-2018-8120 privilege escalation vulnerability or the UACME toolkit, which is normally used by legitimate red teams. Afterwards, the installer creates a downloader and a configuration file from its resource section and executes the downloader. The downloader reads the configuration file and connects to the C2 server to fetch the next payload. To evade network-level detection, the downloader relies on steganography: the downloaded file is an image, but a malicious payload that still has to be decrypted is appended to it.\r\nhttps://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/\r\nPage 1 of 6\r\nMulti-stage binary infection\r\nThe final payload produced by this process is a well-known backdoor, named ROKRAT by Cisco Talos. This cloud-service-based backdoor has many features, one of the main ones being information theft. Upon execution, the malware creates 10 randomly named directory paths, each for a designated purpose. It then starts 11 threads simultaneously: six steal information from the infected host, and five forward the collected data to four cloud services (Box, Dropbox, pCloud and Yandex). When uploading stolen data to a cloud service, it uses predefined directory paths such as /english, /video or /scriptout.\r\nCloud-based backdoor\r\nThe same malware contains full-featured backdoor functionality. Commands are downloaded from the /script path of a cloud service provider, and the corresponding execution results are uploaded to the /scriptout path. 
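The downloader stage described above, where the fetched image carries the next stage appended after the image data, can be checked for directly. The following is an added example written for this page, not ScarCruft's code and not from the original article: it walks a JPEG or PNG to its real end marker, reports whatever follows, and scores that trailer with Shannon entropy (encrypted data sits close to 8 bits per byte). The IoC list contains both .jpg and .png URLs, so both containers are handled. The sample images and the "payload" bytes are constructed inline; nothing is assumed about the actual encryption scheme.

```python
"""Report data appended after the true end of a JPEG or PNG.

Added example for this page (not ScarCruft's code, not from the article).
Sample images below are constructed; the appended bytes stand in for the
encrypted stage the downloader expects to find after the picture.
"""
import math
import zlib

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past EOI, found by walking segments rather than searching
    for FF D9 (an embedded EXIF thumbnail carries its own EOI and would stop
    a naive search early). In scan data 0xFF is always followed by 0x00 or an
    RSTn marker, so any other FF xx pair is the next real marker."""
    if data[:2] != JPEG_SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone, no length field
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def png_end_offset(data: bytes) -> int:
    """Offset just past the CRC of the IEND chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                       # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def find_appended_payload(data: bytes):
    """Return (container, end_of_image_offset, trailing_bytes)."""
    if data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end_offset(data)
    elif data.startswith(PNG_SIG):
        fmt, end = "png", png_end_offset(data)
    else:
        raise ValueError("unsupported container")
    return fmt, end, data[end:]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or compressed data scores close to 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_jpeg(extra: bytes) -> bytes:
    """Constructed, structurally valid JPEG: SOI, APP0, one SOS whose scan
    data contains a stuffed FF 00 and an RST marker, EOI, then `extra`."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9" + extra


def build_sample_png(extra: bytes) -> bytes:
    """Constructed minimal PNG (IHDR + IEND with real CRCs), then `extra`."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"") + extra


if __name__ == "__main__":
    sample = build_sample_jpeg(bytes(range(256)))   # constructed high-entropy trailer
    fmt, end, tail = find_appended_payload(sample)
    print(f"{fmt}: image ends at {end}, {len(tail)} trailing bytes, "
          f"entropy {shannon_entropy(tail):.2f} bits/byte")
```

Run it over images captured from the proxy: a legitimate picture ends exactly at EOI or IEND, so a non-empty trailer with entropy near 8.0 is the signal worth pulling the file for.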
It supports the following commands, which are enough to fully control the infected host:\r\nGet file/process listing\r\nDownload additional payload and execute\r\nExecute Windows command\r\nUpdate configuration data, including cloud service token information\r\nSave a screenshot and an audio recording\r\nThe ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration. During our research, we confirmed that the group has an interest in mobile devices.\r\nWe also discovered an interesting piece of rare malware created by this threat actor: a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader and collects the information directly from the infected host, using the Windows Bluetooth APIs to find connected Bluetooth devices. For each device it saves the following information:\r\nInstance Name: name of the device\r\nAddress: address of the device\r\nClass: class of the device\r\nConnected: whether the device is connected (true or false)\r\nAuthenticated: whether the device is authenticated (true or false)\r\nRemembered: whether the device is a remembered device (true or false)\r\nThe attackers appear to be increasing the scope of the information collected from victims.\r\nBuild path of Bluetooth information harvester\r\nVictimology\r\nBased on our telemetry, we have found several victims of this campaign: investment and trading companies in Vietnam and Russia. We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea. 
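Returning to the Bluetooth harvester described above: the article says only that it uses the Windows Bluetooth APIs. The following added example (written for this page, not ScarCruft's code and not from the original article) shows the enumeration call a program needs in order to collect exactly the six fields listed, assuming the documented Bluetooth device enumeration API exported by bthprops.cpl (BluetoothFindFirstDevice, BluetoothFindNextDevice, BluetoothFindDeviceClose) and its BLUETOOTH_DEVICE_INFO structure; the article does not name the API, so that pairing is an assumption. The structure layout is declared with ctypes so the record formatting can be exercised on any OS against a constructed device record; only enumerate_devices() requires Windows.

```python
"""Enumerate Bluetooth devices the way a Windows harvester would.

Added example for this page (not ScarCruft's code, not from the article).
Assumption: the harvester uses the documented BluetoothFind* API from
bthprops.cpl, whose BLUETOOTH_DEVICE_INFO structure carries exactly the six
fields the article lists (name, address, class, connected, authenticated,
remembered). sample_device() is a constructed record for offline use.
"""
import ctypes
import sys

BLUETOOTH_MAX_NAME_SIZE = 248


class SYSTEMTIME(ctypes.Structure):
    _fields_ = [(name, ctypes.c_uint16) for name in (
        "wYear", "wMonth", "wDayOfWeek", "wDay",
        "wHour", "wMinute", "wSecond", "wMilliseconds")]


class BLUETOOTH_ADDRESS(ctypes.Union):
    _fields_ = [("ullLong", ctypes.c_uint64), ("rgBytes", ctypes.c_ubyte * 6)]


class BLUETOOTH_DEVICE_INFO(ctypes.Structure):
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("Address", BLUETOOTH_ADDRESS),
        ("ulClassofDevice", ctypes.c_uint32),
        ("fConnected", ctypes.c_int32),
        ("fRemembered", ctypes.c_int32),
        ("fAuthenticated", ctypes.c_int32),
        ("stLastSeen", SYSTEMTIME),
        ("stLastUsed", SYSTEMTIME),
        ("szName", ctypes.c_wchar * BLUETOOTH_MAX_NAME_SIZE),
    ]


class BLUETOOTH_DEVICE_SEARCH_PARAMS(ctypes.Structure):
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("fReturnAuthenticated", ctypes.c_int32),
        ("fReturnRemembered", ctypes.c_int32),
        ("fReturnUnknown", ctypes.c_int32),
        ("fReturnConnected", ctypes.c_int32),
        ("fIssueInquiry", ctypes.c_int32),
        ("cTimeoutMultiplier", ctypes.c_ubyte),
        ("hRadio", ctypes.c_void_p),
    ]


def format_address(addr: BLUETOOTH_ADDRESS) -> str:
    """rgBytes is little-endian: byte 5 is the most significant octet."""
    return ":".join(f"{addr.rgBytes[i]:02X}" for i in range(5, -1, -1))


def device_record(info: BLUETOOTH_DEVICE_INFO) -> dict:
    """The six fields the article lists, under the article's own names."""
    return {
        "Instance Name": info.szName,
        "Address": format_address(info.Address),
        "Class": f"0x{info.ulClassofDevice:06X}",
        "Connected": bool(info.fConnected),
        "Authenticated": bool(info.fAuthenticated),
        "Remembered": bool(info.fRemembered),
    }


def enumerate_devices() -> list:
    """Windows only: walk every known device (paired, remembered or in range)."""
    if sys.platform != "win32":
        raise OSError("BluetoothFindFirstDevice is only available on Windows")
    bt = ctypes.WinDLL("bthprops.cpl")          # the classic Bluetooth API export
    bt.BluetoothFindFirstDevice.restype = ctypes.c_void_p
    bt.BluetoothFindFirstDevice.argtypes = [
        ctypes.POINTER(BLUETOOTH_DEVICE_SEARCH_PARAMS),
        ctypes.POINTER(BLUETOOTH_DEVICE_INFO)]
    bt.BluetoothFindNextDevice.restype = ctypes.c_int32
    bt.BluetoothFindNextDevice.argtypes = [ctypes.c_void_p, ctypes.POINTER(BLUETOOTH_DEVICE_INFO)]
    bt.BluetoothFindDeviceClose.argtypes = [ctypes.c_void_p]

    params = BLUETOOTH_DEVICE_SEARCH_PARAMS(
        dwSize=ctypes.sizeof(BLUETOOTH_DEVICE_SEARCH_PARAMS),
        fReturnAuthenticated=1, fReturnRemembered=1, fReturnUnknown=1,
        fReturnConnected=1, fIssueInquiry=0, cTimeoutMultiplier=0, hRadio=None)
    info = BLUETOOTH_DEVICE_INFO(dwSize=ctypes.sizeof(BLUETOOTH_DEVICE_INFO))
    records = []
    handle = bt.BluetoothFindFirstDevice(ctypes.byref(params), ctypes.byref(info))
    if not handle:
        return records                           # no devices, or no radio
    try:
        while True:
            records.append(device_record(info))
            if not bt.BluetoothFindNextDevice(handle, ctypes.byref(info)):
                break
    finally:
        bt.BluetoothFindDeviceClose(handle)
    return records


def sample_device() -> BLUETOOTH_DEVICE_INFO:
    """Constructed record standing in for what the API would fill in."""
    info = BLUETOOTH_DEVICE_INFO(dwSize=ctypes.sizeof(BLUETOOTH_DEVICE_INFO))
    info.Address.ullLong = 0x112233445566
    info.ulClassofDevice = 0x240404              # audio/video major class, headset minor class
    info.fConnected, info.fAuthenticated, info.fRemembered = 1, 1, 1
    info.szName = "Example Headset"
    return info


if __name__ == "__main__":
    records = enumerate_devices() if sys.platform == "win32" else [device_record(sample_device())]
    for rec in records:
        print(rec)
```

For detection engineering the useful takeaways are the dependency on bthprops.cpl (the BluetoothFind* exports) in a binary that has no business with Bluetooth, and the six-field output shape; a process resolving those exports that is not a system component is a cheap hunt.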
It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.\r\nVictimology of this campaign\r\nOverlap with other actors\r\nWe discovered one victim from Russia that had also triggered a malware detection while staying in North Korea in the past. The fact that this victim visits North Korea makes it special and suggests that it may hold valuable information about North Korean affairs. ScarCruft infected this victim on September 21, 2018. Before the ScarCruft infection, however, another APT group had already targeted this victim: the host was infected with GreezeBackdoor on March 26, 2018.\r\nGreezeBackdoor is a tool of the DarkHotel APT group, which we have previously written about. In addition, this victim was also attacked by the Konni malware on April 3, 2018. The Konni malware was disguised as a North Korean news item in a weaponized document (the document was named “Why North Korea slams South Korea’s recent defense talks with U.S-Japan.zip”).\r\nInfection timeline\r\nThis is not the first time we have seen an overlap between the ScarCruft and DarkHotel actors. Members of our team have already presented on the conflict between these two threat actors at security conferences, and we have shared more details with our threat intelligence customers in the past. Both are Korean-speaking threat actors and their victimology sometimes overlaps, but the two groups seem to have different TTPs (Tactics, Techniques and Procedures), which leads us to believe that one group regularly lurks in the other’s shadow.\r\nConclusions\r\nScarCruft has shown itself to be a highly skilled and active group. 
It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve. For more information please contact: intelreports@kaspersky.com\r\nAppendix I – Indicators of Compromise\r\nFile hashes (malicious documents, Trojans, emails, decoys)\r\nScarCruft tools\r\n02681a7fe708f39beb7b3cf1bd557ee9 Bluetooth info harvester\r\nc781f5fad9b47232b3606e4d374900cd Installer\r\n032ed0cd234f73865d55103bf4ceaa22 Downloader\r\n22aaf617a86e026424edb7c868742495 AV Remover\r\n07d2200f5c2d03845adb5b20841faa94 AV Remover\r\n1f5ac2f1744ed9c3fd01fe72ee8d334f Initial Dropper\r\n4d20f7311f4f617104f559a04afd2fbf Installer\r\n03e5e566c1153cb1d18b8bc7c493025f Downloader\r\nc66ef71830341bb99d30964a8089a1fc Loader\r\n5999e01b83aa1cc12a2ad6a0c0dc27c3 Installer\r\n4d3c34a3070643c225be1dbbb3457ad4 Injector\r\n0790f1d7a1b9432aa5b8590286eb8b95 Downloader\r\n04371bf88b598b56691b0ad9da08204b Installer\r\ne8b23cfc805353f55ed67cf0af58f305 UAC bypass (UACME)\r\n5380a173757e67d9b12f316771012768 Installer\r\nec0e77b57cb9dd7a04ab6e453810937c Downloader\r\n25701492a18854ffdb05317ec7d19c29 Installer\r\n172b4dc27e41e4a0c84a803b0b944d3e UAC bypass (UACME)\r\n7149c205d634c4d17dae33fffb8a68ab Image file with embedded ROKRAT\r\na76c4a79e6ff73bfd7149a49852e8916 ROKRAT\r\nf63fc2d11fcebd37be3891def5776f6c Dropper\r\n899e90a0851649a5c270d1f78baf60f2 Simple HTTP Downloader\r\ne88f7f285163d0c080c8d3e525b35ab3 Simple HTTP Downloader\r\nd7c94c5ba028dc22a570f660b8dee5b9 Simple HTTP Downloader\r\na6bd2cf7bccf552febb8e8347d07529a Simple HTTP Downloader\r\n7a338d08226f5a38353385c8a5dec746 Simple HTTP Downloader\r\n46f66d2d990660661d00f5177306309c Simple HTTP Uploader\r\nGreezeBackdoor of 
DarkHotel\r\n5e0e11bca0e94914e565c1dcc1ee6860\r\nKonni\r\n4c2016df6b546326d67ac2a79dea1343\r\nURLs\r\nhttp://34.13.42[.]35/uploads/1.jpg\r\nhttp://34.13.42[.]35/uploads/2.jpg\r\nhttp://34.13.42[.]35/uploads/qwerty.jpg\r\nhttp://34.13.42[.]35/uploads/girl.jpg\r\nhttp://34.13.42[.]35/uploads/girllisten.jpg\r\nhttps://34.13.42[.]35/uploads/newmode.php\r\nhttp://acddesigns.com[.]au/demo/red/images/slider-pic-6.jpg\r\nhttp://kmbr1.nitesbr1[.]org/UserFiles/File/image/index.php\r\nhttp://kmbr1.nitesbr1[.]org/UserFiles/File/images.png\r\nhttp://www.stjohns-burscough[.]org/uploads/images.png\r\nhttp://lotusprintgroup[.]com/images.png\r\nhttps://planar-progress.000webhostapp[.]com/UserFiles/File/image/image/girl.jpg\r\nhttps://planar-progress.000webhostapp[.]com/userfiles/file/sliderpic.jpg\r\nhttp://www.jnts1532[.]cn/phpcms/templates/default/message/bottom.jpg\r\nhttp://www.rhooters[.]com/bbs/data/m_photo/bottom.jpg\r\nhttps://buttyfly.000webhostapp[.]com/userfiles/file/sliderpic.jpg\r\nDomains and IPs\r\nbuttyfly.000webhostapp[.]com\r\nplanar-progress.000webhostapp[.]com\r\n120.192.73[.]202\r\n180.182.52[.]76\r\nSource: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/"
	],
	"report_names": [
		"90729"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37",
				"ATK4",
				"Group 123",
				"InkySquid",
				"Moldy Pisces",
				"Operation Daybreak",
				"Operation Erebus",
				"RICOCHET CHOLLIMA",
				"Reaper",
				"ScarCruft",
				"TA-RedAnt",
				"Venus 121"
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06",
				"ATK52",
				"CTG-1948",
				"DUBNIUM",
				"DarkHotel",
				"Fallout Team",
				"Shadow Crane",
				"Zigzag Hail"
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae65e2b955f6ac2fd7b9659ce065b9fef1150b1c.pdf",
		"text": "https://archive.orkl.eu/ae65e2b955f6ac2fd7b9659ce065b9fef1150b1c.txt",
		"img": "https://archive.orkl.eu/ae65e2b955f6ac2fd7b9659ce065b9fef1150b1c.jpg"
	}
}