ScarCruft Subgroup Classification | Image: S2W
S2W’s Threat Analysis and Intelligence Center (TALON) has uncovered a sophisticated malware campaign attributed to the North Korean APT group ScarCruft (a.k.a. APT37, Reaper, Ricochet Chollima). The operation, disguised as a postal code update notice, reveals a rare blend of cross-language malware development, legitimate service abuse, and victim-specific ransomware targeting.
“One of the key characteristics of this campaign is the use of the PubNub real-time messaging API for command-and-control (C2) communication… effectively evading detection and complicating mitigation efforts,” S2W TALON writes.
While the initial infection vector remains unconfirmed, TALON assesses phishing emails carrying a malicious LNK in a compressed RAR archive as the likely entry point. Once triggered, the LNK executes an AutoIt-based loader, NubSpy, which communicates over PubNub channels to retrieve attacker commands.
Nine distinct malware components were deployed, including:
- NubSpy – AutoIt/PowerShell backdoor using PubNub for C2.
- TxPyLoader – Python-based loader that performs Transacted Hollowing.
- LightPeek – PowerShell infostealer capturing files and screenshots.
- FadeStealer – Keylogger, audio recorder, and removable media profiler.
- CHILLYCHINO (Rust variant) – Remote command execution backdoor.
- VCD Ransomware – Targeted encryption with RSA + AES-256-CBC.
ScarCruft’s abuse of PubNub is not new. TALON notes that the group has used the service since at least 2017 across Windows, Android, and phishing campaigns. In this case, PubNub channels were uniquely generated per victim, enabling attackers to “deliver arbitrary commands… while blending into legitimate network traffic.”
The group’s phishing infrastructure has also leveraged PubNub to harvest stolen credentials from spoofed Naver and Daum login pages.
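Because PubNub traffic is legitimate SaaS traffic and the channel names are generated per victim, channel strings make poor indicators; the useful signal is which process is talking to the PubNub REST API. The following Python is an added detection example, not code from S2W TALON or from the report: it scans a constructed proxy log for PubNub subscribe/publish calls made by scripting hosts rather than browsers, and then looks for the poll-and-post loop a backdoor would produce. The log format, the PubNub domains (`pndsn.com`, `pubnub.com`), the allow-listed processes and the assumption that the backdoor publishes results back on the same channel are all assumptions to verify locally.

```python
"""Flag PubNub REST API traffic from unexpected client processes.

Added example, not code from the S2W TALON report. Assumes a CSV proxy log
with columns: timestamp, src_ip, process, dest_host, url_path. The PubNub
domains and URL shapes below follow PubNub's public REST API documentation
(subscribe: /v2/subscribe/{sub_key}/{channel}/0,
 publish:   /publish/{pub_key}/{sub_key}/0/{channel}/0/{message});
confirm them against traffic in your own environment before alerting.
"""
import csv
import io
import re
from collections import defaultdict

PUBNUB_DOMAINS = ("pndsn.com", "pubnub.com")
# Processes that legitimately embed PubNub SDKs differ per environment;
# this allow-list is an assumption to be tuned locally.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

SUBSCRIBE_RE = re.compile(r"^/v2/subscribe/([^/]+)/([^/]+)/0")
PUBLISH_RE = re.compile(r"^/publish/([^/]+)/([^/]+)/0/([^/]+)/0")

# Constructed sample log: one browser subscriber (benign) and one host where
# an AutoIt interpreter polls a per-victim channel and PowerShell posts back.
SAMPLE_LOG = """timestamp,src_ip,process,dest_host,url_path
2025-07-01T09:00:01Z,10.0.0.5,chrome.exe,ps.pndsn.com,/v2/subscribe/sub-c-aaaa/news-feed/0
2025-07-01T09:00:02Z,10.0.0.7,AutoIt3.exe,ps.pndsn.com,/v2/subscribe/sub-c-bbbb/victim-4f2a/0
2025-07-01T09:00:03Z,10.0.0.7,powershell.exe,ps.pndsn.com,/publish/pub-c-cccc/sub-c-bbbb/0/victim-4f2a/0/%22ok%22
2025-07-01T09:00:04Z,10.0.0.9,outlook.exe,mail.example.com,/owa/
"""


def is_pubnub_host(host: str) -> bool:
    """True for the PubNub API domains or any of their subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PUBNUB_DOMAINS)


def parse_pubnub_request(url_path: str):
    """Return ("subscribe"|"publish", channel) or None for other paths."""
    m = SUBSCRIBE_RE.match(url_path)
    if m:
        return "subscribe", m.group(2)
    m = PUBLISH_RE.match(url_path)
    if m:
        return "publish", m.group(3)
    return None


def find_suspicious_pubnub(log_text: str):
    """(src_ip, process, api, channel) for PubNub API calls made by any
    process that is not on the allow-list."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_pubnub_host(row["dest_host"]):
            continue
        parsed = parse_pubnub_request(row["url_path"])
        if parsed is None:
            continue
        proc = row["process"].lower()
        if proc in ALLOWED_PROCESSES:
            continue
        api, channel = parsed
        findings.append((row["src_ip"], proc, api, channel))
    return findings


def hosts_with_c2_loop(findings):
    """Hosts where non-allow-listed processes both subscribe to and publish
    on the same channel: the poll-for-command / post-result loop a backdoor
    produces (the post-result half is an assumption, not stated in the report)."""
    seen = defaultdict(set)
    for src_ip, _proc, api, channel in findings:
        seen[(src_ip, channel)].add(api)
    return sorted({ip for (ip, _ch), apis in seen.items()
                   if {"subscribe", "publish"} <= apis})


if __name__ == "__main__":
    hits = find_suspicious_pubnub(SAMPLE_LOG)
    for hit in hits:
        print("suspicious PubNub call:", hit)
    print("hosts with C2-style loop:", hosts_with_c2_loop(SAMPLE_LOG and hits))
```

Run against a real proxy export, the first pass is noisy wherever desktop apps embed PubNub; tune `ALLOWED_PROCESSES` from a baseline before using `hosts_with_c2_loop` for alerting.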
The VCD Ransomware found in this campaign was custom-built with hardcoded directory paths gathered from prior reconnaissance. The malware encrypts files selectively, drops bilingual ransom notes, and self-deletes after execution. Email contact in the ransom note: creativeidea2024@proton.me.
Its encryption routine uses alternating block encryption patterns to hinder recovery while optimizing performance, and files are renamed with the .VCD extension.
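Alternating-block (intermittent) encryption leaves a recognisable fingerprint: high-entropy and low-entropy chunks strictly alternate through the file. The Python below is an added triage example, not code from the S2W TALON report, that profiles a file's per-chunk entropy, classifies it as plaintext, fully encrypted, intermittently encrypted or mixed, and lists the still-readable ranges an analyst can carve out. The chunk size, the entropy threshold and the constructed sample file are assumptions; the report does not give VCD's block size.

```python
"""Detect alternating-block encryption by per-chunk entropy.

Added example, not code from the S2W TALON report. The 4 KiB analysis
chunk, the 7.5 bits/byte threshold and the constructed sample are
assumptions chosen for illustration; the real block size used by VCD is
not stated in the report.
"""
import math
from collections import Counter

CHUNK = 4096         # analysis chunk size (assumption; tune to the observed block size)
HIGH_ENTROPY = 7.5   # bits/byte; random or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK):
    """List of (offset, entropy) for consecutive chunks of the file."""
    return [(i, shannon_entropy(data[i:i + chunk])) for i in range(0, len(data), chunk)]


def classify_file(data: bytes, chunk: int = CHUNK) -> str:
    """'plaintext', 'fully_encrypted', 'intermittent' (high/low entropy chunks
    strictly alternate) or 'mixed' (some high-entropy chunks, no alternation)."""
    flags = [e >= HIGH_ENTROPY for _, e in entropy_profile(data, chunk)]
    if not flags:
        return "empty"
    if all(flags):
        return "fully_encrypted"
    if not any(flags):
        return "plaintext"
    alternating = all(flags[i] != flags[i + 1] for i in range(len(flags) - 1))
    return "intermittent" if alternating else "mixed"


def recoverable_ranges(data: bytes, chunk: int = CHUNK):
    """(start, end) of low-entropy chunks: the plaintext segments that survive
    intermittent encryption and can still be carved from the file."""
    return [(off, min(off + chunk, len(data)))
            for off, e in entropy_profile(data, chunk) if e < HIGH_ENTROPY]


def build_sample(chunk: int = CHUNK, chunks: int = 8) -> bytes:
    """Constructed stand-in for an intermittently encrypted document: even
    chunks filled with pseudo-random bytes (standing in for AES ciphertext),
    odd chunks left as repetitive text. Uses a fixed seed so it is reproducible."""
    import random
    rng = random.Random(1337)
    text = (b"Quarterly report: revenue figures and notes.\n" * 200)[:chunk]
    out = bytearray()
    for i in range(chunks):
        out += bytes(rng.getrandbits(8) for _ in range(chunk)) if i % 2 == 0 else text
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    print("classification:", classify_file(sample))
    print("recoverable ranges:", recoverable_ranges(sample))
```

On real artifacts, run `classify_file` over every file carrying the `.VCD` extension; an `intermittent` verdict tells the responder that partial content recovery is worth attempting before restoring from backup.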
TALON highlights that ScarCruft is “reimplementing existing malware in alternative programming languages to evade detection”—a shift evident in the Rust-based CHILLYCHINO backdoor, functionally identical to its PowerShell predecessor but compiled to bypass signature-based defenses.
Attribution to ScarCruft is reinforced by:
- The reuse of FadeStealer, first linked to ScarCruft in 2023.
- Persistent PubNub abuse across malware and phishing.
- Consistent TTPs such as Transacted Hollowing, Base64 + XOR obfuscation, and scheduled task persistence.
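Base64 + XOR is cheap to apply and cheap to undo, which is why it recurs across ScarCruft tooling and why analysts keep a decoder on hand. The Python below is an added triage helper, not code from the S2W TALON report: it decodes a blob with a known key and, when the key is unknown, brute-forces the single-byte XOR key space and ranks candidates by how printable the output is. The layering order (XOR first, then Base64), the single-byte key space and the sample blob are assumptions; the report gives neither a key nor a sample string.

```python
"""Triage helper for Base64 + XOR obfuscated strings.

Added example, not code from the S2W TALON report. Assumes the payload was
XOR-encoded and then Base64-encoded (the order is an assumption) and that
the key is a single byte when unknown; the sample blob is constructed here.
"""
import base64
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; near 1.0 for real text."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def decode_with_key(blob: str, key: bytes) -> bytes:
    """Undo Base64 then XOR with a known key."""
    return xor_bytes(base64.b64decode(blob), key)


def brute_force_single_byte(blob: str, min_ratio: float = 0.95):
    """Try every single-byte XOR key on the Base64-decoded blob and return
    (key, plaintext) candidates whose output is mostly printable, best first.
    Key 0x00 is skipped because it only returns the raw decoded bytes."""
    raw = base64.b64decode(blob)
    cands = []
    for k in range(1, 256):
        out = xor_bytes(raw, bytes([k]))
        ratio = printable_ratio(out)
        if ratio >= min_ratio:
            cands.append((ratio, k, out))
    cands.sort(key=lambda t: (-t[0], t[1]))
    return [(k, out) for _, k, out in cands]


def obfuscate_for_sample(plain: bytes, key: bytes) -> str:
    """Build a constructed sample in the assumed layering (XOR, then Base64)."""
    return base64.b64encode(xor_bytes(plain, key)).decode()


# Constructed sample: a config-style string under a made-up single-byte key.
SAMPLE_KEY = bytes([0x5A])
SAMPLE_PLAIN = b"channel=victim-4f2a; interval=60; task=UpdateCheck"
SAMPLE_BLOB = obfuscate_for_sample(SAMPLE_PLAIN, SAMPLE_KEY)


if __name__ == "__main__":
    print("known key  :", decode_with_key(SAMPLE_BLOB, SAMPLE_KEY))
    for k, out in brute_force_single_byte(SAMPLE_BLOB)[:5]:
        print(f"key 0x{k:02x}:", out)
```

The ranking by printable ratio is deliberately simple; when several keys tie, the presence of expected tokens (paths, URLs, scheduled-task names) in the output is the quickest tie-breaker.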
“The reuse of previously observed malware families, overlapping infrastructure, and consistent TTPs strongly suggest continuity with past campaigns,” S2W TALON concludes.