Lazarus, Scarcruft North Korean APTs Shift Tactics, Thrive

Published: 23/11/2024   Category: security


As threat actors around the world grow and evolve, APTs from the DPRK stand out for their spread and variety of targets.



North Korean state advanced persistent threats (APTs) are evolving: developing new payloads; modifying their tactics, techniques, and procedures (TTPs); and targeting new sectors and individuals without bias — even if those individuals themselves happen to be North Koreans.
In its APT trends report for the first quarter of 2023, Kaspersky highlighted developments in APT activity across the globe. In Russia, for example, threat actors are overlapping and collaborating, despite some crucial differences in motivations. And in Iran, known groups like MuddyWater and OilRig are carrying out new campaigns and modifying their malware, with the former in particular spreading to countries as far and wide as Egypt, Canada, and Malaysia.
Meanwhile, Southeast Asia has been a key area of development, says David Emm, senior security researcher at Kaspersky, and it doesn't show any signs of slowing down any time soon.
An area of particular note is North Korea, where state-sponsored entities like Scarcruft and the notorious Lazarus Group are upgrading their malware to go after somewhat unexpected targets. Lazarus, for example, is targeting organizations in countries one might not immediately associate with North Korean interests — for example, Bulgaria — while Scarcruft is attacking North Koreans themselves.
Lazarus Group's most famous exploits may be long in the past now, but it's still as active as ever.
In 2022, for example, the group leveraged the Log4j crisis to deploy its DTrack backdoor and other post-exploitation malware onto networks belonging to organizations in the field of scientific research: biomedical, genetics, soil sciences, and energy.
More recently, in a campaign that ended this January, the group weaponized a backdoored client for the open source remote administration tool UltraVNC. Its zombified UltraVNC might have seemed to operate normally on the surface, while it covertly exfiltrated data about the host computer and downloaded to it a brand-new version of Blindingcan.
Blindingcan is a remote access Trojan that enables Lazarus to read, write, and delete files (among other things), retrieve information about a host's OS and disks, and more. The newest version introduced plug-ins to expand upon the original's functionality.
Analysis of the January 2023 campaign suggested that Blindingcan was deployed against organizations in the manufacturing and real estate sectors in India and telecommunications companies in Pakistan and Bulgaria.
Meanwhile, Kaspersky's researchers observed the Scarcruft APT deploying a new info-stealer called SidLevel, written in Go, a popular trend among Southeast Asian hackers as of late.
After obtaining access to data from the attackers' command-and-control (C2) servers, the researchers found a wealth of stolen information not from foreign targets, but domestic ones — and not just domestic targets but individuals: novelists, students, and businesspeople from North Korea itself.
Being one person against the might of a nation-state APT is a tricky position to be in, Emm acknowledges, but it's not as uncommon as it sounds.
"You know, often when an APT goes after organizations, they will actually go after individuals," he points out. Hackers often target low-level employees with access to broader IT infrastructure in a large enterprise, or they go directly for the throat: spear-phishing a high-level executive or administrator with privileged access to sensitive documents or systems.
For organizations and individuals, "the key is to decide if you are in that category — that you may be a person of interest," he says. "Then, you really need to think above and beyond. Being able to detect suspicious activity, and taking great care over the data that you're holding onto, needs to be over and above what maybe an ordinary individual would do."
