ScarCruft’s New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware

2025-08-07 S2W

https://medium.com/s2wblog/scarcrufts-new-language-whispering-in-pubnub-crafting-backdoor-in-rust-striking-with-ransomware-21628cb8b56e

Attachments

ScarCrufts_New_Language.pdf (6 MB)

S2W TALON attributes a postal-code update lure campaign against South Korean users to ChinopuNK, an internally tracked ScarCruft subgroup associated with Chinotto malware. The infection chain begins with a malicious LNK in a RAR archive, drops an AutoIt loader, and retrieves follow-on payloads including stealers, ransomware, and backdoors from external infrastructure. The toolset includes NubSpy using PubNub for C2, LightPeek, TxPyLoader, FadeStealer, VCD ransomware, and CHILLYCHINO, a Rust-based backdoor adapted from a PowerShell version. The activity matters for DPRK tracking because it shows ScarCruft expanding beyond espionage tradecraft into ransomware deployment, modern language ports, and continued abuse of real-time messaging platforms such as PubNub and Ably.
