A North Korean hacking unit has launched a ransomware campaign targeting South Korea and other countries, marking a shift from pure espionage. Security firm S2W identified the subgroup, 'ChinopuNK', as part of the ScarCruft threat actor.
The operation began in July, utilising phishing emails and a malicious shortcut file within a RAR archive to deploy multiple malware types. These included a keylogger, stealer, ransomware, and a backdoor.
ScarCruft, active since 2016, has targeted defectors, journalists, and government agencies. Researchers say the move to ransomware indicates either a new revenue stream or a more disruptive mission.
The campaign has expanded beyond South Korea to Japan, Vietnam, Russia, Nepal, and the Middle East. Analysts note the group's technical sophistication has improved in recent years.
Security experts advise monitoring URLs, file hashes, behaviour-based indicators, and ongoing tracking of ScarCruft's tools and infrastructure, to detect related campaigns from North Korea and other countries early.
