ScarCruft Hacker Group Launched a New Malware Attack Using Rust and PubNub
The North Korean state-sponsored Advanced Persistent Threat (APT) group ScarCruft has launched a sophisticated new malware campaign targeting South Korean users through a deceptive postal-code update notice.
This latest attack represents a significant evolution in the group’s operational capabilities, marking the first observed deployment of ransomware alongside their traditional espionage tools.
The campaign showcases ScarCruft’s adoption of modern programming languages and innovative command-and-control infrastructure to enhance detection evasion.
The attack chain begins with a malicious LNK file embedded within a RAR archive, disguised as a legitimate postal service notification.
Upon execution, the LNK file deploys an AutoIt loader that subsequently fetches and executes multiple payloads from external servers, creating a multi-stage infection process designed to bypass traditional security measures.
This campaign has been attributed to ChinopuNK, a specialized subgroup within ScarCruft that focuses on distributing diverse malware strains through real-time messaging platforms.
S2W researchers identified nine distinct malware samples in this campaign, with several representing notable technological advances for the threat group.
The most significant additions include NubSpy, a backdoor leveraging PubNub for command-and-control communications, and CHILLYCHINO, a Rust-based backdoor adapted from earlier PowerShell versions.
The campaign also introduced VCD Ransomware, which encrypts victim files with a .VCD extension, marking ScarCruft’s first documented foray into ransomware deployment.
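The ransomware behaviour described above (bulk renaming of user files to a .VCD extension) is the kind of activity an endpoint file-event feed can surface. The following Python script is an added example, not code from the article or from the S2W analysis: it parses a constructed set of file rename events (the log format, host names, process name and paths are all invented for the demo) and flags any process that renames more than a threshold of files to the ransomware extension inside a short time window, which separates an encryption run from a single legitimate rename.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file rename audit events (not real telemetry from the campaign).
# Assumed line format: "<ISO timestamp> <host> <process> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = r"""
2025-08-01T09:00:01 WS-17 winword.exe RENAME C:\Users\kim\Documents\draft.docx -> C:\Users\kim\Documents\~$draft.docx
2025-08-01T09:14:02 WS-17 loader.exe RENAME C:\Users\kim\Documents\report.docx -> C:\Users\kim\Documents\report.docx.VCD
2025-08-01T09:14:03 WS-17 loader.exe RENAME C:\Users\kim\Documents\budget.xlsx -> C:\Users\kim\Documents\budget.xlsx.VCD
2025-08-01T09:14:03 WS-17 loader.exe RENAME C:\Users\kim\Pictures\img01.jpg -> C:\Users\kim\Pictures\img01.jpg.VCD
2025-08-01T09:14:04 WS-17 loader.exe RENAME C:\Users\kim\Pictures\img02.jpg -> C:\Users\kim\Pictures\img02.jpg.VCD
2025-08-01T09:14:05 WS-17 loader.exe RENAME C:\Users\kim\Desktop\notes.txt -> C:\Users\kim\Desktop\notes.txt.VCD
2025-08-01T09:14:07 WS-17 loader.exe RENAME C:\Users\kim\Desktop\todo.txt -> C:\Users\kim\Desktop\todo.txt.VCD
2025-08-01T11:30:00 WS-22 backup.exe RENAME D:\archive\old.iso -> D:\archive\old.vcd
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) RENAME (?P<old>.+?) -> (?P<new>.+)$"
)


def parse_events(text):
    """Turn the raw audit text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "host": m.group("host"),
            "proc": m.group("proc"),
            "old": m.group("old"),
            "new": m.group("new"),
        })
    return events


def detect_vcd_bursts(events, extension=".VCD", window_seconds=60, threshold=5):
    """Alert on any (host, process) that renames >= threshold files to `extension`
    within a sliding window of `window_seconds`. Extension matching is case-insensitive
    so a lower-cased variant of the same marker is not missed."""
    ext = extension.lower()
    by_actor = defaultdict(list)
    for e in events:
        # Only count renames that newly apply the extension, not renames of already-marked files.
        if e["new"].lower().endswith(ext) and not e["old"].lower().endswith(ext):
            by_actor[(e["host"], e["proc"])].append(e["ts"])

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, proc), stamps in by_actor.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Advance the window start until all stamps in [start, end] fit the window.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"host": host, "process": proc, "renames_in_window": best})
    return alerts


def run_demo():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_vcd_bursts(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The single backup.exe rename on WS-22 stays below the threshold, so only the six-file burst from loader.exe on WS-17 produces an alert; tune the window and threshold to the rename rate you observe from legitimate software before deploying a rule like this.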
Technical Innovation and Detection Evasion
The adoption of Rust programming language for backdoor development represents a strategic shift toward enhanced detection evasion capabilities.
CHILLYCHINO demonstrates ScarCruft’s commitment to modernizing their toolset by porting existing PowerShell functionality into a compiled language that offers superior performance and reduced antivirus detection rates.
The malware utilizes PubNub’s legitimate real-time messaging service as its command-and-control channel, allowing operators to blend malicious traffic with normal network communications.
    // Example Rust-based C2 communication structure (illustrative, as shown in the article)
    pub struct C2Channel {
        // Client handle from a PubNub SDK crate; the concrete type is not specified here
        pubnub_client: PubNub,
        // PubNub channel the backdoor subscribes to for tasking
        channel_id: String,
        // 256-bit key for encrypting messages carried over the channel
        encryption_key: [u8; 32],
    }
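Because the C2 channel rides on a legitimate messaging service, blocking the service outright is rarely an option; the practical control is to baseline which processes are expected to talk to it. The Python script below is an added example and is not code from the article or from the S2W report. It works over constructed web-proxy log lines (the log format, workstation names, process names, channel names and API keys are all invented) and flags PubNub API traffic originating from processes outside an allowlist, summarising the subscribe/publish operations and channel names seen. The PubNub hostnames and REST path layout used for parsing are assumptions drawn from PubNub's public REST interface and should be checked against the traffic in your own environment.

```python
import re
from collections import defaultdict

# Assumed PubNub API origins (verify against your own proxy data before relying on them).
PUBNUB_HOSTS = {"pubsub.pubnub.com", "ps.pndsn.com"}
# Processes this (constructed) environment expects to use PubNub-backed web apps.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "teams.exe"}

# Constructed proxy log sample (not real telemetry). Assumed format:
# "<ISO timestamp> <host> <process> <method> <url> <status>"
SAMPLE_PROXY_LOG = """
2025-08-01T10:00:00 WS-17 chrome.exe GET https://pubsub.pubnub.com/subscribe/sub-c-demo/chat-room/0/0 200
2025-08-01T10:00:05 WS-17 sample_loader.exe GET https://pubsub.pubnub.com/subscribe/sub-c-demo/ctrl-a1b2/0/0 200
2025-08-01T10:00:35 WS-17 sample_loader.exe GET https://pubsub.pubnub.com/subscribe/sub-c-demo/ctrl-a1b2/0/17220000000 200
2025-08-01T10:00:36 WS-17 sample_loader.exe GET https://pubsub.pubnub.com/publish/pub-c-demo/sub-c-demo/0/ctrl-a1b2/0/%22ok%22 200
2025-08-01T10:01:00 WS-09 outlook.exe GET https://outlook.office.com/mail/ 200
2025-08-01T10:02:00 WS-09 teams.exe GET https://ps.pndsn.com/subscribe/sub-c-demo/presence/0/0 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<domain>[^/\s]+)(?P<path>\S*) (?P<status>\d{3})$"
)


def pubnub_op(path):
    """Extract (operation, channel) from a PubNub REST path, or None if it is not one.
    Assumed layouts: /subscribe/<sub_key>/<channel>/0/<timetoken>
                     /publish/<pub_key>/<sub_key>/0/<channel>/0/<payload>"""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "subscribe":
        return "subscribe", parts[3]
    if len(parts) > 5 and parts[1] == "publish":
        return "publish", parts[5]
    return None


def detect_unexpected_pubnub(log_text, allowed=ALLOWED_PROCESSES, hosts=PUBNUB_HOSTS):
    """Return one alert per (host, process) pair that reaches PubNub from a process
    outside the allowlist, with the operations and channel names observed."""
    seen = defaultdict(lambda: {"requests": 0, "ops": set(), "channels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("domain") not in hosts:
            continue
        if m.group("proc") in allowed:
            continue  # Expected PubNub user; leave it to normal baselining.
        entry = seen[(m.group("host"), m.group("proc"))]
        entry["requests"] += 1
        op = pubnub_op(m.group("path"))
        if op:
            entry["ops"].add(op[0])
            entry["channels"].add(op[1])
    return [
        {
            "host": host,
            "process": proc,
            "requests": v["requests"],
            "ops": sorted(v["ops"]),
            "channels": sorted(v["channels"]),
        }
        for (host, proc), v in sorted(seen.items())
    ]


def run_demo():
    """Run the detector over the constructed sample; returns the alert list."""
    return detect_unexpected_pubnub(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the sample, chrome.exe and teams.exe traffic is ignored as expected usage, while sample_loader.exe on WS-17 is reported with both a subscribe and a publish on the same channel, which is the request pattern a PubNub-backed backdoor needs for tasking and results. Pairing this with process-level telemetry (parent process, signing status, path) turns the alert from a hint into something an analyst can triage.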
This campaign’s technical sophistication, combined with the deployment of ransomware capabilities, suggests ScarCruft may be expanding beyond traditional espionage operations toward financially motivated activities, representing a concerning evolution in North Korean cyber warfare tactics.