Cybersecurity researchers have discovered a new phishing campaign conducted by the North Korea-linked hacking group ScarCruft (aka APT37) that delivers the malware known as RokRAT.
The activity has been named Operation HanKook Phantom by Seqrite Labs, which states that the attacks appear to target individuals associated with the National Intelligence Research Association, including academic figures, former government officials and researchers.
Security researcher Dixit Panchal said in a report published last week, “The objective of the attackers appears to be information theft, establishing persistence, or espionage.”
The starting point of the attack chain is a spear-phishing email with the subject “National Intelligence Research Society Newsletter- Issue 52”, which serves as a lure referencing Issue 52 of a periodic newsletter released by a South Korean research group that focuses on national intelligence, labor relations, security and energy issues.
The messages carry a ZIP archive attachment containing a Windows shortcut (LNK) file disguised as a PDF document. When opened, it displays the newsletter as a decoy while dropping RokRAT on the infected host.
RokRAT is a known malware family associated with APT37 that is capable of collecting system information, executing arbitrary commands, enumerating file systems, capturing screenshots and downloading additional payloads. The collected data is exfiltrated via Dropbox, Google Cloud, pCloud and Yandex Cloud.
Seqrite said it also discovered another campaign in which the LNK file acts as a dropper for a PowerShell script which, in addition to dropping a decoy Microsoft Word document, runs an obfuscated Windows batch script responsible for deploying a dropper. The binary then runs a next-stage payload to steal sensitive data from the compromised hosts while disguising the network traffic as Chrome file uploads.
The lure document used in this case is a statement issued on 28 July by Kim Yo Jong, Deputy Director of the Publicity and Information Department of the Workers’ Party of Korea, rejecting Seoul’s efforts.
Panchal said, “The analysis of this campaign highlights how APT37 (ScarCruft/InkySquid) employs highly targeted spear-phishing attacks, malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms.”
“The attackers specifically target South Korean government sectors, research institutes and academics for intelligence collection and long-term espionage.”
This development comes as the cybersecurity company QiAnXin detailed wide-ranging attacks by the notorious Lazarus Group that use a ClickFix-style strategy to trick job seekers under the pretense of a video assessment. Details of this activity were first revealed by Gen Digital at the end of July 2025.
The ClickFix attack results in the execution of a Visual Basic Script, which leads to the deployment of a JavaScript stealer dubbed BeaverTail that can also distribute a Python-based backdoor dubbed InvisibleFerret. The attacks also paved the way for a backdoor with command execution and file read/write capabilities.
This disclosure follows new sanctions imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) against two individuals and two entities for their role in the North Korean remote information technology (IT) worker scheme, which generates illicit revenue for the country’s weapons of mass destruction and ballistic missile programs.
In a report released last week, the Cholima Group expanded its investigation into an IT worker cluster affiliated with Moonstone Sleet, which it tracks as Babylon Group, in connection with a blockchain play-to-earn (P2E) game called DeFiTankLand.
It is assessed that Logan King, the alleged CTO of DeFiTankLand, is actually a North Korean IT worker, a hypothesis supported by the fact that King’s GitHub account is referenced by a Ukrainian freelancer and blockchain developer going by the name “Ivan Kovach”.
“Many members had previously worked on a huge cryptocurrency project on behalf of a shady company called ICICB (which we believe is a front), one of the non-DPRK members of the cluster runs the Chinese cybercrime marketplace Frequency, and there is an interesting connection to Tanzania.”
“While DeFiTankLand CEO Nabil Amrani has worked with Logan on other blockchain projects before, we do not believe that he is responsible for any development. This means that the ‘legitimate’ game behind Moonstone Sleet’s DeTankZone was actually developed by DPRK IT workers, rather than a North Korean APT group.”