ScarCruft Uses RokRAT in HanKook Phantom Campaign Targeting South Korea

Cybersecurity researchers have uncovered a new phishing operation attributed to the North Korea-linked group ScarCruft (APT37), with the campaign codenamed Operation HanKook Phantom by Seqrite Labs. The activity appears aimed at individuals connected to South Korea’s National Intelligence Research Association, targeting academics, former government officials, and researchers. Seqrite Labs said the attacks show a sustained, tailored approach to espionage.

The operation begins with a spear-phishing email that lures recipients with a purported newsletter titled “National Intelligence Research Society Newsletter—Issue 52.” The message carries a ZIP archive containing a Windows shortcut (LNK) masquerading as a PDF document. When opened, the decoy launches the newsletter and drops RokRAT on the infected host, enabling further data collection and command execution.
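A mail-gateway or triage check for the lure described above, as an added example that is not from Seqrite's report: it opens a ZIP attachment and flags Windows shortcuts that carry a document extension before `.lnk`, or that have a Shell Link header under some other extension. The archive contents, the entry names, and the list of document extensions are constructed assumptions for the demonstration.

```python
import io
import os
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, as specified in MS-SHLLINK.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")
# Document extensions an attacker may place before ".lnk" so that the
# shortcut looks like a file (assumed list, not taken from the report).
DOC_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".txt"}


def find_disguised_shortcuts(zip_bytes: bytes):
    """Return [(entry_name, reason)] for archive entries that look like
    shortcut-based lures: a .lnk dressed up as a document, or a file with
    an LNK header but a non-.lnk extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            _, inner_ext = os.path.splitext(stem)   # e.g. ".pdf" in "x.pdf.lnk"
            with zf.open(info) as fh:
                has_lnk_header = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            if ext == ".lnk" and inner_ext in DOC_EXTS:
                findings.append((name, f"shortcut disguised with {inner_ext} extension"))
            elif has_lnk_header and ext != ".lnk":
                findings.append((name, "LNK header under non-.lnk extension"))
            elif ext == ".lnk" and has_lnk_header:
                findings.append((name, "shortcut file inside mail attachment"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one shortcut posing as a PDF newsletter,
    plus two benign files that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Newsletter_Issue52.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("cover.pdf", b"%PDF-1.4\n%constructed decoy\n")
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in find_disguised_shortcuts(build_sample_zip()):
        print(f"FLAG {entry}: {reason}")
```

The header check catches renamed shortcuts that a pure extension filter would miss; a blanket "any .lnk in a mail attachment" hit is also reported because shortcuts have no legitimate business arriving this way.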

RokRAT, a tool attributed to APT37, is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. Exfiltration reportedly occurs through multiple cloud services, including Dropbox, Google Cloud, pCloud, and Yandex Cloud, signaling a robust data-leak capability for long-term espionage.

A second campaign described by Seqrite involves the LNK loader acting as a conduit for a PowerShell script that, in addition to dropping a decoy Microsoft Word document, runs an obfuscated Windows batch script responsible for deploying a dropper. The resulting next-stage payload is designed to steal sensitive data while concealing network activity as a Chrome file upload. The lure document in this campaign is a public statement issued by Kim Yo Jong on July 28 rejecting Seoul’s reconciliation efforts. Reuters reported on the broader context surrounding the lure.

Security researcher Dixit Panchal, quoted in Seqrite’s report, said: “The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms.” He added that the attackers specifically target South Korean government sectors, research institutions, and academics to support intelligence gathering and long-term espionage.

The developments come as researchers note wider activity linked to North Korean actors. QiAnXin detailed attacks associated with the Lazarus Group using what was described as ClickFix-style tactics to dupe job seekers into downloading a supposed NVIDIA-related update to address camera or microphone issues during a video assessment. The chain involves a Visual Basic Script that deploys BeaverTail, a JavaScript stealer capable of delivering a Python-based backdoor dubbed InvisibleFerret, among other capabilities. QiAnXin's WeChat article noted these techniques as part of a broader DPRK-linked toolkit.

In a related development, the Chollima Group published findings on a North Korean IT worker cluster tracked as BABYLONGROUP and linked to the Moonstone Sleet operation, which it ties to a blockchain game called DefiTankLand. The group argues that the so-called legitimate project was developed by DPRK IT workers before being repurposed for other activities. Chollima Group said the investigation sheds light on a broader IT worker scheme used to generate illicit revenue for DPRK programs.

Separately, updates from mainstream security and sanctions reporting remind readers of ongoing enforcement actions related to North Korea’s IT operations. In August, U.S. authorities imposed sanctions connected to DPRK IT workers involved in illicit activity, underscoring the evolving threat landscape facing government and research institutions in the region.