ScarCruft’s New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware
2025.08.07

✅ Report Title: ScarCruft’s New Language - Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware



S2W’s Threat Intelligence Center, TALON, has released a detailed analysis report on a new malware campaign conducted by the ScarCruft group. This high-level threat intelligence report offers an in-depth examination of ScarCruft’s tactical evolution, focusing on a malware infection chain disguised as a postal-code update notice, as well as the group’s adoption of Rust-based backdoors and ransomware deployment.



✅ Executive Summary:


- Recently, S2W’s Threat Analysis and Intelligence Center (TALON) identified and analyzed a new malware infection chain disguised as a postal-code update notice targeting South Korean users. The campaign is attributed to ChinopuNK, a subgroup of ScarCruft tracked internally by S2W, which is known for distributing the Chinotto malware.


- First identified in 2016, ScarCruft is a North Korean state-sponsored APT group known for targeting North Korean defectors, journalists covering North Korea-related issues, and government entities. While the group initially focused on South Korean targets, its operations have since expanded to other countries including Japan, Vietnam, Russia, Nepal, and several nations in the Middle East.


- The infection chain was initiated via a malicious LNK file embedded in a RAR archive. Upon execution, the LNK dropped an AutoIt loader, which then fetched and executed additional payloads including a stealer, ransomware, and backdoor from an external server.


- Among the nine distinct malware samples identified in this campaign, the most notable are NubSpy, LightPeek, TxPyLoader, FadeStealer, VCD Ransomware, and CHILLYCHINO.



📌 Why This Campaign Matters


- This campaign demonstrates a clear advancement in ScarCruft’s operational capabilities. The deployment of ransomware and a Rust-based backdoor is particularly noteworthy, as these techniques have rarely been observed in the group’s historical activity.


- NubSpy’s use of PubNub as a C2 channel highlights the group’s continued reliance on real-time messaging infrastructure. The persistent abuse of such services—including PubNub and Ably—since at least 2017 strengthens the attribution to the group.


- This report provides detailed technical analysis of newly identified malware samples and presents clear evidence linking them to ScarCruft. 



✅ Recommended Threat Detection and Mitigation Actions:


- To counter such attacks, organizations are advised to regularly review indicators such as URLs and file hashes for signs of compromise, and to update their detection policies with behavior-based rules aligned to the threat group’s TTPs.


- It is also essential to continuously monitor for similar campaigns by tracking infrastructure patterns, programming language usage, and behavioral characteristics commonly associated with the ScarCruft group.
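As an added illustration of the behaviour-based detection the summary recommends (example code written for this page, not S2W’s or the report’s own), the following check walks constructed process and network telemetry for the two steps described above: an AutoIt loader launched from a user-writable path via a double-clicked LNK, and PubNub traffic from a non-browser process. The AutoIt image names, drop directories, PubNub hostnames and sample events are assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Assumptions for this example: AutoIt interpreter image names, the drop
# directories and the PubNub hostnames are illustrative, not report IoCs.
AUTOIT_BINARIES = {"autoit3.exe", "autoit3_x64.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
PUBNUB_HOSTS = re.compile(r"(^|\.)(pubnub\.com|pndsn\.com)$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class Event:
    kind: str           # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str          # path of the executing image
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list[Event]) -> list[str]:
    """Flag an AutoIt loader started from a user-writable location and
    PubNub traffic from a process that is not a browser."""
    alerts, loader_pids = [], set()
    for e in events:
        if e.kind == "process" and _basename(e.image) in AUTOIT_BINARIES:
            # explorer.exe as parent is what a double-clicked LNK looks like
            if _basename(e.parent_image) == "explorer.exe" and USER_WRITABLE.search(e.cmdline):
                loader_pids.add(e.pid)
                alerts.append(f"pid {e.pid}: AutoIt loader started from user-writable path")
        elif e.kind == "network" and PUBNUB_HOSTS.search(e.dest_host):
            # PubNub is legitimate for web apps, so only non-browser or
            # already-suspicious processes are raised
            if _basename(e.image) not in BROWSERS or e.pid in loader_pids:
                alerts.append(f"pid {e.pid}: {_basename(e.image)} contacting PubNub ({e.dest_host})")
    return alerts

# Constructed sample telemetry (not real IoCs): a loader started via a LNK,
# its PubNub beacon, and a benign browser session to PubNub.
SAMPLE_EVENTS = [
    Event("process", 4120, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
          r"C:\Windows\explorer.exe", r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\upd.au3"),
    Event("network", 4120, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe", dest_host="ps.pndsn.com"),
    Event("network", 5210, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_host="ps.pndsn.com"),
]
```

Running `detect(SAMPLE_EVENTS)` raises two alerts for pid 4120 and none for the browser session; on real telemetry the field names would need mapping from the sensor’s schema.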



You can find a more in-depth analysis in the full report at the link below.



🧑‍💻 Author: S2W TALON


👉 Read the full report: https://bit.ly/3J7p9rH


*The full report is available upon request or with a subscription to the S2W platform.

