North Korean hacking group ScarCruft is shifting from spying to ransomware, deploying the new VCD malware through phishing attacks aimed at South Korea. The campaign marks a move from pure espionage toward financially motivated cyberattacks.
A well-known North Korean hacking group, ScarCruft, is changing its methods, adding a new type of attack to its usual playbook of spying. Cybersecurity experts from the South Korean firm S2W recently released a report revealing that ScarCruft is now using a new ransomware called VCD.
This is a critical shift, as the group has traditionally focused on stealing information from high-profile people and government agencies in countries like South Korea, Japan, and Russia.
The group’s recent campaign, carried out by a subgroup called ChinopuNK, occurred in July and used phishing emails to target people in South Korea. These emails contained a tricky file disguised as an update for postal codes.
Once opened, this file infected the victim’s computer with more than nine different kinds of malware, including a new variant of a known malware called ChillyChino, and a backdoor that was written in the Rust programming language. Among these were information-stealing programs like LightPeek and FadeStealer, as well as a backdoor called NubSpy that let the hackers secretly control the computer.
This backdoor is especially clever because it uses a real-time messaging service called PubNub to hide its malicious traffic within normal network activity. This campaign is also notable because it included the new VCD ransomware, which locks up a person’s files and demands a ransom. The ransom note is even available in both English and Korean.
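Because the PubNub trick hides command traffic behind a legitimate API, detection has to start from which machines are talking to that service and how regularly, rather than from the content of the traffic. The Python below is an added example, not code from the S2W report or from Hackread: it scans constructed proxy log lines for hosts contacting PubNub API endpoints that are not on an allowlist of systems expected to use the service, and measures how regular their request timing is. The hostnames ps.pndsn.com and pubsub.pubnub.com, the log format and the allowlist are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Assumed PubNub API hostnames; confirm against your own baseline traffic.
PUBNUB_HOSTS = ("pubsub.pubnub.com", "ps.pndsn.com")

# Constructed proxy log: timestamp, source host, destination host, URL path.
SAMPLE_LOG = """\
2025-07-14T09:00:02 HR-PC-07 ps.pndsn.com /subscribe/sub-c-EXAMPLE/chan/0
2025-07-14T09:00:15 HR-PC-07 www.example.com /
2025-07-14T09:00:32 HR-PC-07 ps.pndsn.com /subscribe/sub-c-EXAMPLE/chan/0
2025-07-14T09:01:02 HR-PC-07 ps.pndsn.com /subscribe/sub-c-EXAMPLE/chan/0
2025-07-14T09:01:32 HR-PC-07 ps.pndsn.com /subscribe/sub-c-EXAMPLE/chan/0
2025-07-14T09:00:10 CHAT-SRV-01 ps.pndsn.com /publish/pub-c-EXAMPLE/0/news
2025-07-14T09:03:41 CHAT-SRV-01 ps.pndsn.com /publish/pub-c-EXAMPLE/0/news
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, src_host, dst_host, path) for well-formed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def flag_pubnub_hosts(log_text, allowlist):
    """Map each non-allowlisted host that reached a PubNub endpoint to
    (request_count, mean_gap_seconds, gap_stdev_seconds)."""
    by_host = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        if dst.endswith(PUBNUB_HOSTS) and src not in allowlist:
            by_host[src].append(ts)
    report = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0.0
        sd = pstdev(gaps) if len(gaps) > 1 else 0.0
        report[host] = (len(times), mean, sd)
    return report


def likely_beacon(stats, min_requests=4, max_stdev=5.0):
    """Many requests with near-constant spacing look automated, not interactive."""
    count, _, sd = stats
    return count >= min_requests and sd <= max_stdev


if __name__ == "__main__":
    for host, stats in flag_pubnub_hosts(SAMPLE_LOG, {"CHAT-SRV-01"}).items():
        print(host, stats, "beacon-like" if likely_beacon(stats) else "review")
```

A host such as a chat server that legitimately uses PubNub belongs on the allowlist; anything else contacting these endpoints at fixed intervals deserves a look at the process behind the connection.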

According to S2W’s Threat Analysis and Intelligence Center (TALON), this new approach suggests that ScarCruft might be adding financially motivated goals to its spying activities. The group is part of a larger network of North Korean hackers who are known to generate money for the country’s government, which is facing many economic sanctions.
A United Nations report from last year (PDF) even stated that North Korean hackers, including groups like Lazarus and Kimsuky, had stolen around $3 billion over six years.
Mayank Kumar, founding AI engineer at the firm DeepTempo, commented on this evolution, highlighting how these attacks are becoming more complex. Sharing his comment with Hackread.com, Kumar said that ScarCruft’s use of ransomware alongside its usual spying tools shows a new trend where nation-backed hacking and criminal tactics are merging.
“Advanced persistent threat groups must expand their toolsets and blur the line between espionage and cybercrime. Defenders must prepare for campaigns where ransomware is one element in a multi-stage operation. Adaptive, deep learning–driven anomaly detection across network traffic, system events, and security logs, paired with strong segmentation, rapid containment, and visibility into both human and automated adversary activity, is essential to counter such blended threats,” Kumar suggested.