24 January 2024

North Korean ScarCruft hackers target security professionals with innovative tactics

A North Korean state-backed hacker group known as ScarCruft has been observed targeting media organizations and high-profile experts specializing in North Korean affairs in a new cyberespionage campaign.

According to a new SentinelLabs report, the threat actor has been actively developing and testing new malware and experimenting with novel infection chains that use a technical threat research report as a decoy to infiltrate targeted systems.

ScarCruft, also known as APT37, Inky Squid, RedEyes, and Reaper, has a history of conducting targeted attacks against individuals as well as public and private entities, primarily in South Korea. The group's primary objective remains the acquisition of strategic intelligence, with a focus on non-public cyber threat intelligence and defense strategies.

In the recent campaign, the group employed a novel lure tactic involving a threat intelligence report on another well-known North Korean threat actor, Kimsuky.

Notably, the decoy document is a legitimate report published in October 2023 by Genians, a South Korean cybersecurity company. The infection routine observed in the latest campaign includes the use of oversized Windows Shortcut (LNK) files initiating multi-stage infection chains delivering RokRAT, a sophisticated custom malware associated with ScarCruft. RokRAT is a backdoor with surveillance capabilities, allowing the operators to effectively monitor targeted entities. The backdoor uses public cloud services for command-and-control purposes, such as pCloud and Yandex Cloud, disguising malicious communication as legitimate network traffic.
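The oversized LNK lure described above is one of the more tractable artifacts for defenders to hunt for, because a legitimate Windows shortcut is only a few hundred bytes while a shortcut carrying an embedded payload is orders of magnitude larger. The following triage script is an added example written for this article, not code from SentinelLabs or from the RokRAT analysis: it validates the fixed ShellLink header (HeaderSize 0x4C and the LinkCLSID from the MS-SHLLINK specification), reads the LinkFlags field to see whether a command-line argument string is present, and flags any valid .lnk that exceeds a size threshold. The 64 KiB threshold and the sample files are assumptions constructed for the example; the samples are synthetic headers with filler bytes, not real malware.

```python
import struct

# ShellLink (.lnk) fixed header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x00000020  # LinkFlags bit: a command-line argument string follows

# Triage threshold (assumption for this example): ordinary shortcuts are well
# under a few kilobytes, so anything past 64 KiB is worth a closer look.
OVERSIZED_THRESHOLD = 64 * 1024


def parse_lnk_header(data: bytes):
    """Return (is_lnk, link_flags); is_lnk is False when the header is malformed."""
    if len(data) < LNK_HEADER_SIZE:
        return False, 0
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return False, 0
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    return True, link_flags


def triage_lnk(data: bytes, threshold: int = OVERSIZED_THRESHOLD) -> dict:
    """Summarise the header checks and size test for one file's bytes."""
    is_lnk, flags = parse_lnk_header(data)
    return {
        "is_lnk": is_lnk,
        "size": len(data),
        "oversized": is_lnk and len(data) > threshold,
        "has_arguments": is_lnk and bool(flags & HAS_ARGUMENTS),
    }


def build_sample_lnk(link_flags: int, padding: int) -> bytes:
    """Constructed sample: a minimal ShellLink header followed by filler bytes.
    Only the header fields the triage reads are populated; this is not a
    working shortcut and carries no payload."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, link_flags)
    return bytes(header) + b"\x00" * padding


# Constructed samples (assumed names): a normal shortcut, an oversized one that
# declares a command line, and a non-LNK file that must not be flagged.
SAMPLES = {
    "normal.lnk": build_sample_lnk(0, 800),
    "report_decoy.lnk": build_sample_lnk(HAS_ARGUMENTS, 2 * 1024 * 1024),
    "notes.txt": b"plain text file, not a shortcut",
}


def scan_samples(samples=SAMPLES, threshold=OVERSIZED_THRESHOLD):
    """Return the names of valid LNK files whose size exceeds the threshold."""
    return sorted(
        name for name, data in samples.items()
        if triage_lnk(data, threshold)["oversized"]
    )


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage_lnk(data))
    print("flagged:", scan_samples())
```

To run this over a real directory, replace the `SAMPLES` dictionary with file contents read from disk; the header check matters because an attacker can rename any file to `.lnk`, and the size test alone would miss a small shortcut that only points at a remote payload, so treat an oversized hit as a cue for deeper parsing of the argument string rather than as a verdict on its own.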

ScarCruft's focus on consumers of technical threat intelligence reports, such as threat researchers, cyber policy organizations, and other cybersecurity professionals, indicates an intent to gain insights into non-public cyber threat intelligence and defense strategies.

“Our insight into ScarCruft’s malware testing activities reveals the adversary’s commitment to innovating its arsenal and expanding its target list, likely intending to target and/or masquerade as cybersecurity professionals or businesses,” the researchers said. “We suspect that ScarCruft is pursuing non-public cyber threat intelligence and defense strategies. This could benefit not only ScarCruft specifically but also the other constituent groups within the North Korean threat landscape, aiding them in identifying threats to their operations and improving their operational playbooks.”
