North Korea’s ScarCruft APT group [7], also known as InkySquid, has a history of targeted attacks against South Korean individuals [3], media organizations [1] [3] [4] [5] [6] [7], and think-tank personnel focused on North Korean affairs [3]. Recently, they have expanded their target list to include cybersecurity professionals and businesses [6].


According to a report from SentinelLabs [6], ScarCruft is planning a different type of offensive [3]. They have been testing an innovative infection routine using technical threat research on another North Korean APT group [3], Kimsuky [2] [3] [4] [7], as a lure [3] [7]. The group aims to steal nonpublic threat intelligence reports and gain access to cybersecurity environments for impersonation attacks [3] [7]. ScarCruft has been sending phishing emails to their targets [6], attempting to install the RokRAT backdoor [6]. They focus on high-profile experts in North Korean affairs and news organizations focused on North Korea to gather strategic intelligence [5]. ScarCruft also uses oversized Windows Shortcut files to initiate multi-stage infection chains delivering a custom-written backdoor called RokRAT [4]. Their primary objective appears to be gathering strategic intelligence and gaining insights into nonpublic cyber threat intelligence and defense strategies [4].
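The oversized-shortcut lure mentioned above lends itself to a simple triage check. The following is an added defender-side example, not code from any of the cited reports: it validates the ShellLink header of a candidate `.lnk` and flags files far larger than a shortcut needs to be. The 1 MiB threshold and the two sample files are constructed assumptions.

```python
# Added example (not from the cited reports): triage check that flags Windows
# Shortcut (.lnk) files whose size is far larger than a normal shortcut needs.
# The threshold and the constructed samples below are assumptions.
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as laid out on disk (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
OVERSIZE_THRESHOLD = 1 * 1024 * 1024  # assumed; a benign .lnk is usually a few KiB

def is_lnk(data: bytes) -> bool:
    """True if data starts with a structurally valid ShellLink header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID

def triage_lnk(data: bytes, threshold: int = OVERSIZE_THRESHOLD) -> dict:
    """Verdict for one .lnk blob: does it parse as a shortcut, how large is it,
    and does the size alone warrant analyst attention."""
    valid = is_lnk(data)
    size = len(data)
    return {"is_lnk": valid, "size": size, "oversized": valid and size > threshold}

def build_sample_lnk(padding: int = 0) -> bytes:
    """Constructed minimal shortcut: valid 76-byte header (all flags zero)
    followed by `padding` bytes standing in for embedded later-stage content."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + b"\x00" * padding

if __name__ == "__main__":
    samples = [("benign.lnk", build_sample_lnk()),
               ("lure.lnk", build_sample_lnk(2 * 1024 * 1024))]
    for name, blob in samples:
        print(name, triage_lnk(blob))
```

Size alone is a coarse signal; in practice it is a first filter before deeper parsing of the shortcut's target, arguments and trailing data.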


The targeting of cybersecurity professionals by ScarCruft highlights the group’s commitment to gathering strategic intelligence through targeted attacks. This poses a significant threat to the cybersecurity community and businesses. It is crucial for professionals and organizations to remain vigilant against phishing attempts and ensure robust security measures are in place to protect against backdoor installations. The shared operational characteristics between ScarCruft and Kimsuky suggest a coordinated effort within North Korea’s cyberespionage activities. This raises concerns about the potential for future attacks and the need for ongoing monitoring and mitigation strategies.