ScarCruft’s New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware
Author: Jiho Kim, Jaeki Kim | S2W TALON
Last Modified: Aug 07, 2025
Executive Summary
Recently, S2W’s Threat Analysis and Intelligence Center (TALON) identified and analyzed a new malware infection chain disguised as a postal-code update notice targeting South Korean users. The campaign is attributed to ChinopuNK, a subgroup of ScarCruft tracked internally by S2W, which is known for distributing the Chinotto malware.
First identified in 2016, ScarCruft is a North Korean state-sponsored APT group known for targeting North Korean defectors, journalists covering North Korea-related issues, and government entities. While the group initially focused on South Korean targets, its operations have since expanded to other countries including Japan, Vietnam, Russia, Nepal, and several nations in the Middle East.
The infection chain was initiated via a malicious LNK file embedded in a RAR archive. Upon execution, the LNK dropped an AutoIt loader, which …