ScarCruft, the North Korea-sponsored advanced persistent threat (APT) group, is gearing up for targeted attacks on cybersecurity researchers and other members of the threat intelligence community — likely in a bid to steal nonpublic threat intel and improve its operational playbook.
According to an analysis from SentinelLabs, ScarCruft (aka APT37, Inky Squid, RedEyes, and Reaper) spent November and December targeting media organizations and think-tank personnel that focus on North Korean affairs, in a series of fairly typical impersonation-style attacks that researchers expect to continue into 2024. However, while analyzing that campaign, SentinelLabs researchers came across new, in-development malware and some trial infection chains that suggest that a different type of offensive is in the offing.
This is not the first time that North Korean actors have targeted cybersecurity pros; but notably, the infection routine the attackers have been testing out is innovative in that it uses technical threat research on the North Korean APT known as Kimsuky as a lure. The report is legit, published in October by Genians, a South Korean cybersecurity company — and calling out a fellow APT in such a way is a twist that appears to break new ground, according to Aleksandar Milenkoski, senior threat researcher at SentinelOne.
North Korea's ScarCruft Attackers Gear Up to Target Cybersecurity Pros
Based on fresh infection routines the APT is testing, it's looking to harvest threat intelligence in order to improve operational security and stealth.
www.darkreading.com