The North Korean state-backed hacking group ScarCruft has significantly evolved its tactics, moving beyond traditional cyber-espionage to incorporate ransomware attacks—marking a notable strategic shift for the group. This development represents a concerning expansion of capabilities that blends intelligence gathering with financially motivated cybercrime.
In July 2025, ScarCruft deployed a newly developed ransomware called VCD as part of a sophisticated attack campaign targeting South Korean individuals. The ransomware gets its name from the file extension it appends to encrypted files and notably provides ransom notes in both English and Korean languages.
The attack began with phishing emails containing malicious archives disguised as postal code updates related to street address changes. Once victims opened these files, their systems became infected with more than nine different types of malware, including the VCD ransomware.
Technical Sophistication and Methods
The campaign showcased remarkable technical complexity, employing multiple malware components working in concert:
- NubSpy: A backdoor that cleverly uses the legitimate PubNub real-time messaging platform for command-and-control communications, allowing malicious traffic to blend with normal network activity
- LightPeek and FadeStealer: Information-stealing programs capable of recording audio, logging keystrokes, and gathering data from connected devices
- ChillyChino: A new variant of the Chinotto malware, developed in the Rust programming language for enhanced cross-platform compatibility
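Because NubSpy rides on a legitimate SaaS messaging platform, plain domain blocking is not an option where PubNub is in real use; a more useful hunt is to look for processes that should have no reason to talk to PubNub and that do so on a fixed schedule. The following is an added detection example, not code from the article or from any vendor: it runs over constructed endpoint network log lines (timestamp|host|process|destination), treats pndsn.com as PubNub's API domain (an assumption to verify against your own traffic), and uses a hypothetical allow-list of processes expected to use PubNub.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# pubnub.com is the platform's own domain; pndsn.com is assumed here to be its
# API endpoint domain (verify against traffic captured in your own environment).
PUBNUB_DOMAINS = ("pubnub.com", "pndsn.com")
# Hypothetical allow-list: processes that legitimately use PubNub in this environment.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe"}

# Constructed sample log (not real telemetry): timestamp|host|process|destination
SAMPLE_LOG = """\
2025-07-10T10:00:00|WS01|update.exe|ps.pndsn.com
2025-07-10T10:00:05|WS01|chrome.exe|www.example.com
2025-07-10T10:01:00|WS01|update.exe|ps.pndsn.com
2025-07-10T10:02:00|WS01|update.exe|ps.pndsn.com
2025-07-10T10:03:00|WS01|update.exe|ps.pndsn.com
2025-07-10T10:00:30|WS02|chrome.exe|ps.pndsn.com
2025-07-10T10:07:10|WS02|chrome.exe|ps.pndsn.com
2025-07-10T10:01:15|WS03|notepad.exe|ps.pndsn.com
"""

def parse_line(line):
    ts, host, proc, dest = line.strip().split("|")
    return datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def is_pubnub(dest):
    # Match the apex domain or any subdomain, never a look-alike like "notpndsn.com".
    return any(dest == d or dest.endswith("." + d) for d in PUBNUB_DOMAINS)

def find_pubnub_beacons(log_text, min_hits=3, max_jitter=5.0):
    """Return {(host, process): stats} for non-allow-listed processes that reach
    PubNub at least min_hits times at regular (low-jitter) intervals, i.e. beacon-like."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest = parse_line(line)
        if is_pubnub(dest) and proc not in EXPECTED_PROCESSES:
            seen[(host, proc)].append(ts)
    findings = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps)
        if jitter <= max_jitter:
            findings[key] = {"hits": len(times), "interval": mean(gaps), "jitter": jitter}
    return findings

if __name__ == "__main__":
    for (host, proc), s in find_pubnub_beacons(SAMPLE_LOG).items():
        print(f"{host}: {proc} contacts PubNub every {s['interval']:.0f}s ({s['hits']} hits)")
```

On the sample, only update.exe on WS01 is flagged (four contacts, 60 s apart, zero jitter); the browser traffic on WS02 is allow-listed and the single notepad.exe contact on WS03 falls below the hit threshold. Tune the allow-list and thresholds to your own baseline before using this in production.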
Strategic Implications
This integration of ransomware suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics. The move represents a significant departure from ScarCruft’s traditional focus on pure intelligence gathering.
Background and Attribution
ScarCruft, also known as APT37 and InkySquid, operates under North Korea’s Ministry of State Security and has been active since at least 2016. The group has historically targeted entities across South Korea, Japan, Vietnam, Russia, and Nepal, focusing on high-profile individuals, government agencies, and media organizations.
The recent campaign was attributed to a ScarCruft subgroup called ChinopuNK, which researchers identified with high confidence based on the use of PubNub for communications and deployment of FadeStealer malware—both signatures linked to the group since at least 2023.
Broader Context of North Korean Cybercrime
This evolution aligns with North Korea’s broader pattern of using cyber operations for financial gain. North Korean hackers—including groups like Lazarus, Kimsuky, and Andariel—have stolen approximately $3 billion over six years through various cyberattacks. These operations serve dual purposes: gathering strategic intelligence and generating revenue for the heavily sanctioned regime.