
RambleOn flow
A three-year study conducted by independent security researcher Ovie (Ovi) has exposed the scale and sophistication of digital threats targeting civil society organizations (CSOs) in South Korea. The research, based on technical analysis of over 100 cyber incidents, highlights how activists, journalists, and human rights defenders working on North Korean issues are consistently targeted by nation-state-backed cyber actors.
“Unlike private sector entities that rely on telemetry data, CSOs have direct access to victims’ experiences, devices, and infrastructure. This unique vantage point allows for a deeper understanding of attack campaigns, their motivations, and their broader implications,” Ovi writes.
The study sheds light on a complex threat landscape where North Korean and Chinese-backed APT groups frequently launch cyberattacks on South Korean human rights activists. These groups use a combination of:
- Spear-phishing campaigns
- Credential harvesting attacks
- Advanced malware implants
- Fake job recruitment scams
- Remote Access Trojans (RATs)
North Korea, in particular, appears to aggressively target CSOs involved in human rights advocacy and unification efforts, a strategy that aligns with the regime’s broader espionage goals.
“Human rights activists & journalists working on North Korean related human rights issues, advocacy of unification & reporting are highly targeted by digital attacks from Nation State threat actors,” Ovi states.
The research identifies three major threat actors actively targeting South Korean civil society:
- APT37 (Reaper) – A North Korean state-sponsored hacking group known for espionage campaigns.
- Kimsuky (Velvet Chollima) – A North Korean cyber espionage unit specializing in spear-phishing and malware attacks.
- UCID902 – An unidentified but persistent threat actor suspected to be state-sponsored, focused on credential theft.
APT37, for example, has been linked to the deployment of ROKRAT, a powerful Remote Access Trojan (RAT) designed to infiltrate networks and steal sensitive information.
APT37’s activities are believed to be coordinated and supported by the North Korean government. The group is known for using spear-phishing, malware deployment, and zero-day exploits to target entities worldwide.
The majority of attacks observed in the study began with sophisticated social engineering tactics. Over three years, spear-phishing emails accounted for nearly all initial compromise attempts, often impersonating trusted contacts or organizations.
One of the most notable cases involved a North Korean-affiliated actor posing as a representative of the Free North Korea Movement Coalition. The attacker used the email ‘beroiapark@daum.net’ to contact activists, claiming to be organizing a political event. The emails contained links to credential-harvesting sites or documents with embedded malware.
“The attacker sought to establish relationships with activists in the region by luring them to engage in large political events on TV,” Ovi explains.
Another campaign, named Contagious Interview, involved fake job offers targeting developers and journalists. Victims were tricked into installing malware under the guise of job-related tasks, such as running scripts or installing software.
The study identified several notable malware families used against South Korean activists:
1. ROKRAT (Windows RAT)
- Used by APT37 for data exfiltration and remote control.
- Delivered through malicious Hangul Word Processor (HWP) documents.
- Embedded Object Linking and Embedding (OLE) exploits to launch PowerShell commands.
2. SuperBear RAT
- Delivered via LNK files, disguised as legitimate DOCX documents.
- Capable of keystroke logging, data theft, and remote execution.
3. RambleOn Spyware (Android Malware)
- Developed by APT37, targeting journalists covering North Korean affairs.
- Exfiltrates SMS messages, call logs, and GPS data.
- Uses encrypted communications to evade detection.
“This was a highly notable campaign from North Korean threat actors targeting journalists who were reporting on North Korean affairs,” Ovi reports.
Threat actors have been observed using advanced techniques to remain undetected. These include:
- Memory-based execution – Malware is loaded directly into RAM to avoid antivirus detection.
- Self-deleting payloads – Attackers erase forensic traces immediately after execution.
- Use of legitimate tools – Abuse of PowerShell and Windows Management Instrumentation (WMI) for stealth operations.
A connection is opened to the remote server to send the collected data; once that step completes, the logs relating to the connection are destroyed so that no traces are left on the network.
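As an added example that is not part of the study or of this article, the following Python rule set turns the delivery and evasion tradecraft listed above (HWP/OLE documents launching PowerShell, LNK files disguised as DOCX, memory-only execution, self-deleting payloads, WMI abuse) into defender-side checks over Sysmon-style process-creation events and file names. The process names, paths, rule names and sample events are all constructed assumptions for illustration, not values taken from the research.

```python
"""Toy detection rules for the tradecraft described above (added example).

The events, paths and process names below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed process names: document handlers that should not normally spawn scripting hosts.
DOCUMENT_PARENTS = {"hwp.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -e / -enc / -encodedcommand followed by a base64 blob (UTF-16LE once decoded)
ENCODED_PS = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
# fetch-and-run idioms that keep the payload in memory instead of on disk
DOWNLOAD_CRADLE = re.compile(r"(?i)invoke-expression|\biex\b|downloadstring|frombase64string|reflection\.assembly")
# script removing its own file after it has run
SELF_DELETE = re.compile(r"(?i)remove-item[^;|&]*\$myinvocation|\bdel\b[^&|]*%~?f?0")
# document-looking name with an executable or shortcut extension appended
DISGUISED_SHORTCUT = re.compile(r"\.(?:docx?|hwp|pdf|xlsx?|pptx?|txt)\.(?:lnk|exe|scr|js|vbs|bat|cmd)$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _decode_encoded_command(cmd: str) -> str:
    """Return the decoded -EncodedCommand text, or "" if none is present."""
    m = ENCODED_PS.search(cmd)
    if not m:
        return ""
    blob = m.group(1)
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def detect_process_event(ev: ProcEvent) -> List[str]:
    """Return the names of the rules matched by one process-creation event."""
    hits: List[str] = []
    parent, child, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    if parent in DOCUMENT_PARENTS and child in SCRIPT_HOSTS:
        hits.append("document_spawns_script_host")      # OLE/HWP -> PowerShell chain
    if parent == "wmiprvse.exe" and child in SCRIPT_HOSTS:
        hits.append("wmi_spawns_script_host")           # WMI used as a launcher
    decoded = ""
    if child in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_PS.search(cmd):
            hits.append("encoded_powershell")
            decoded = _decode_encoded_command(cmd)
        if DOWNLOAD_CRADLE.search(cmd) or DOWNLOAD_CRADLE.search(decoded):
            hits.append("in_memory_download_cradle")    # memory-based execution
    if SELF_DELETE.search(cmd) or SELF_DELETE.search(decoded):
        hits.append("self_deleting_payload")            # forensic trace removal
    return hits


def is_disguised_shortcut(filename: str) -> bool:
    """True for names such as invitation.docx.lnk (LNK posing as a document)."""
    return DISGUISED_SHORTCUT.search(_basename(filename)) is not None


def scan(events: List[ProcEvent]) -> Dict[str, int]:
    """Map rule name -> number of events that matched it."""
    counts: Dict[str, int] = {}
    for ev in events:
        for rule in detect_process_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample events (the base64 decodes to "IEX (New-Object Net.WebClient)").
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Hnc\Office\Bin\Hwp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc "
              "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -File C:\\Users\\Public\\up.ps1; "
              "Remove-Item -Force $MyInvocation.MyCommand.Path"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),   # benign print helper
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev.parent_image), "->", _basename(ev.image), detect_process_event(ev))
    print(scan(SAMPLE_EVENTS))
    print(is_disguised_shortcut("Free_NK_event_invitation.docx.lnk"))
```

The parent-child pairing is the part worth copying: a document viewer or the WMI provider host starting a scripting host is rare in normal use, so that relationship alone is a higher-signal alert than any string in the command line, and it still fires when the payload is encoded or never written to disk.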
The research underscores a significant cybersecurity gap affecting non-governmental organizations (NGOs) and activists. Many CSOs lack the resources, training, and infrastructure needed to defend against such persistent, nation-state-backed threats.
To counteract these attacks, Ovi calls for greater investment in civil society cybersecurity, including:
- Security awareness training for activists and journalists.
- Stronger endpoint security and monitoring tools.
- International collaboration to track and mitigate nation-state attacks.
“This study underscores the need for further collaboration, support, and investment in civil society-led cybersecurity efforts to mitigate digital threats effectively,” Ovi concludes.