Spearphishing
-
ScarCruft Uses RokRAT in HanKook Phantom Campaign Targeting South Korea
Researchers have uncovered a targeted phishing campaign by North Korea-linked ScarCruft (APT37), dubbed Operation HanKook Phantom, delivering RokRAT to South Korean academics, former officials, and researchers via a manipulated LNK attack chain and PowerShell-based payloads, with exfiltration to multiple cloud services and a willingness to use decoy documents tied to high-profile statements.
-
State-sponsored XenoRAT campaign targets South Korean embassies, researchers say
A Trellix-led analysis describes a multi-phase, state-sponsored XenoRAT espionage campaign targeting South Korean embassies, with links to North Korea’s Kimsuky and indications of possible China-based sponsorship. The operation has conducted at least 19 spearphishing attacks since March, delivering XenoRAT via password-protected ZIP archives and complex, multilingual lures.
