September 1, 2025
ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics
Cybersecurity researchers have discovered a new phishing campaign undertaken by the North Korea-linked hacking group called ScarCruft (aka APT37) to deliver a malware known as RokRAT. The activity has been codenamed Operation HanKook Phantom by Seqrite Labs, stating the attacks appear to target individuals associated with the National Intelligence Research Association, including academic figures

Cybersecurity researchers have discovered a new phishing campaign undertaken by the North Korea-linked hacking group called ScarCruft (aka APT37) to deliver a malware known as RokRAT.

The activity has been codenamed Operation HanKook Phantom by Seqrite Labs, stating the attacks appear to target individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers.

“The attackers likely aim to steal sensitive information, establish persistence, or conduct espionage,” security researcher Dixit Panchal said in a report published last week.

The starting point of the attack chain is a spear-phishing email containing a lure for “National Intelligence Research Society Newsletter—Issue 52,” a periodic newsletter issued by a South Korean research group focused on national intelligence, labour relations, security, and energy issues.

The digital missive contains a ZIP archive attachment that contains a Windows shortcut (LNK) masquerading as a PDF document, which, when opened, launches the newsletter as a decoy while dropping RokRAT on the infected host.

RokRAT is a known malware associated with APT37, with the tool capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. The gathered data is exfiltrated via Dropbox, Google Cloud, pCloud, and Yandex Cloud.

Seqrite said it detected a second campaign in which the LNK file serves as a conduit for a PowerShell script that, besides dropping a decoy Microsoft Word document, runs an obfuscated Windows batch script that’s responsible for deploying a dropper. The binary then runs a next-stage payload to steal sensitive data from the compromised host while concealing network traffic as a Chrome file upload.

The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers’ Party of Korea and, dated July 28, rejecting Seoul’s efforts at reconciliation.

“The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms,” Panchal said.

“The attackers specifically target South Korean government sectors, research institutions, and academics with the objective of intelligence gathering and long-term espionage.”

The development comes as cybersecurity company QiAnXin detailed attacks mounted by the infamous Lazarus Group (aka QiAnXin) using ClickFix-style tactics to trick job seekers into downloading a supposed NVIDIA-related update to address camera or microphone issues when providing a video assessment. Details of this activity were previously disclosed by Gen Digital in late July 2025.

The ClickFix attack results in the execution of a Visual Basic Script that leads to the deployment of BeaverTail, a JavaScript stealer that can also deliver a Python-based backdoor dubbed InvisibleFerret. Furthermore, the attacks pave the way for a backdoor with command execution and file read/write capabilities.

The disclosure also follows new sanctions imposed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme to generate illicit revenue for the regime’s weapons of mass destruction and ballistic missile programs.

The Chollima Group, in a report released last week, detailed its investigation into an IT Worker cluster affiliated with Moonstone Sleet that it tracks as BABYLONGROUP in connection with a blockchain play-to-earn (P2E) game called DefiTankLand.

It’s assessed that Logan King, the supposed CTO of DefiTankLand, is actually a North Korean IT Worker, a hypothesis bolstered by the fact that King’s GitHub account has been used as a reference by a Ukrainian freelancer and blockchain developer named “Ivan Kovch.”

“Many members had previously worked on a huge cryptocurrency project on behalf of a shady company called ICICB (who we believe to be a front), that one of the non-DPRK members of the cluster runs the Chinese cybercrime market FreeCity, and an interesting connection between DeTankZone and an older IT Worker who previously operated out of Tanzania,” the Chollima Group said.

“While the DefiTankLand CEO Nabil Amrani has worked previously with Logan on other blockchain projects, we do not believe he is responsible for any of the development. This all means that the “legitimate” game behind Moonstone Sleet’s DeTankZone was in fact developed by DPRK IT Workers, only to be later picked up and used by a North Korean APT Group.”