A recent phishing attack in South Korea has revealed a new remote access trojan (RAT) called SuperBear [2]. This attack targeted civil society groups and highlights the increasing cybersecurity threats faced by individuals and organizations in the country.


The attack began when an activist received a malicious LNK file from an email impersonating a member of their organization [2]. Upon execution, the file launched a PowerShell command [1] [2], which then executed a Visual Basic script [1] [2]. This script fetched additional payloads from a compromised WordPress website [1] [2], leading to the deployment of the SuperBear RAT [2]. This RAT exhibits malicious behaviors such as process injection via process hollowing [2]. It establishes communication with a remote server [1] [2], enabling data exfiltration, shell command execution [2], and DLL downloading [2]. The C2 server instructs clients to exfiltrate and process system data [1] [2].

While the culprits behind the attack have not been definitively identified [2], the tactics used bear similarities to those employed by North Korean nation-state actors, specifically the group known as Kimsuky or APT43 [2]. This incident further emphasizes the need for heightened vigilance and robust cybersecurity measures in South Korea.


The discovery of the SuperBear RAT and its association with a phishing attack on civil society groups in South Korea highlights the significant cybersecurity threats faced by individuals and organizations in the country. The similarities to tactics used by North Korean nation-state actors raise concerns about the potential involvement of these actors. This incident underscores the importance of implementing strong cybersecurity measures and remaining vigilant against phishing attacks. It also serves as a reminder of the ongoing need for continuous monitoring and proactive defense strategies to mitigate future cyber threats in the region.


[1] https://thehackernews.com/2023/09/new-superbear-trojan-emerges-in.html
[2] https://cybermaterial.com/superbear-phishing-attack-exposed/