TTPs $ ScarCruft Tracking Note

2023-02-14 KRCERT

https://thorcert.notion.site/TTPs-ScarCruft-Tracking-Note-67acee42e4ba47398183db9fc7792aff

Attachments

TTPs__ScarCruft_Tracking_Note.pdf (7 MB)


KrCERT/CC’s ScarCruft tracking note describes a North Korea-linked surveillance actor that has targeted South Korean defectors, overseas workers, journalists, missionaries, and other people of interest since at least 2012. The report updates earlier TTPs by documenting a Go-based C2 channel that abuses the legitimate Ably realtime messaging service: infected hosts beacon their computer and user names and receive base64-encoded commands through Ably's third-party infrastructure rather than an attacker-owned server, so the channel stays up as long as the abused service does. Because the Ably API keys are embedded in the malware, KrCERT/CC was able to monitor the exposed channels and observed follow-on deployment of Chinotto-related tooling, CKUP DLLs, PowerShell/JScript controllers, and UltraVNC components for screen capture, keylogging, and information theft. The activity shows ScarCruft diversifying its C2 and remote-access tooling so that surveillance continues even when one command channel is cut off.
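The monitoring approach the summary describes (read the abused Ably channel with the key recovered from the sample, separate host beacons from operator commands, decode the base64 commands) can be reproduced offline against captured channel history. The script below is an added example written for this page; it is not KrCERT/CC's tooling, and the message names (`beacon`, `cmd`), the `COMPUTER|user` beacon layout and the sample history are constructed assumptions, since the report's exact wire format is not given here. The request-builder reflects Ably's public REST basic-auth scheme as understood by the author and makes no network call; verify the endpoint against current Ably documentation before using it live.

```python
"""
Offline triage of an Ably channel history for a ScarCruft-style C2 channel.
Added example for this catalog entry, not KrCERT/CC code. Message names,
beacon layout and sample data are assumptions for illustration only.
"""
import base64
import binascii
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote

# Constructed sample in the shape of an Ably REST history response
# (GET /channels/<name>/messages returns a JSON array of message objects).
SAMPLE_HISTORY = json.dumps([
    {"id": "m1", "name": "beacon", "timestamp": 1676332800000,
     "data": "DESKTOP-7H2K1|jhkim"},
    {"id": "m2", "name": "cmd", "timestamp": 1676332860000,
     "data": "d2hvYW1p"},                 # base64("whoami")
    {"id": "m3", "name": "cmd", "timestamp": 1676332920000,
     "data": "dGFza2xpc3QgL3Y="},         # base64("tasklist /v")
    {"id": "m4", "name": "beacon", "timestamp": 1676333000000,
     "data": "WIN-Q9RT3|missionary01"},
    {"id": "m5", "name": "cmd", "timestamp": 1676333060000,
     "data": "not base64!!"},             # malformed: must not crash triage
])

# Assumed beacon layout: "<computer name>|<user name>".
BEACON_RE = re.compile(r"^(?P<computer>[^|]+)\|(?P<user>[^|]+)$")


@dataclass
class Beacon:
    msg_id: str
    timestamp: int
    computer: str
    user: str


@dataclass
class Command:
    msg_id: str
    timestamp: int
    command: str
    computer: Optional[str]   # heuristic: host of the most recent beacon


@dataclass
class TriageResult:
    beacons: List[Beacon] = field(default_factory=list)
    commands: List[Command] = field(default_factory=list)
    undecodable: List[str] = field(default_factory=list)


def decode_command(data: str) -> Optional[str]:
    """Strictly decode a base64 command; None if it is not valid base64."""
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def triage_history(history_json: str) -> TriageResult:
    """Split channel history into beacons, decoded commands and junk.

    Commands are attributed to the most recent beacon seen before them,
    a heuristic that is only meaningful when operator and victim share
    one channel; treat the attribution as a lead, not a fact.
    """
    result = TriageResult()
    messages = sorted(json.loads(history_json), key=lambda m: m["timestamp"])
    current_host: Optional[str] = None
    for msg in messages:
        data = msg.get("data", "")
        if msg.get("name") == "beacon":
            match = BEACON_RE.match(data)
            if match:
                current_host = match.group("computer")
                result.beacons.append(Beacon(msg["id"], msg["timestamp"],
                                             current_host, match.group("user")))
            else:
                result.undecodable.append(msg["id"])
        elif msg.get("name") == "cmd":
            decoded = decode_command(data)
            if decoded is None:
                result.undecodable.append(msg["id"])
            else:
                result.commands.append(Command(msg["id"], msg["timestamp"],
                                               decoded, current_host))
    return result


def ably_history_request(api_key: str, channel: str) -> (str, Dict[str, str]):
    """Build the REST history request for a channel using a recovered key.

    Ably keys have the form "<appId>.<keyId>:<secret>" and are sent as the
    HTTP Basic credential. Returns (url, headers); nothing is sent.
    """
    url = f"https://rest.ably.io/channels/{quote(channel, safe='')}/messages"
    token = base64.b64encode(api_key.encode()).decode()
    return url, {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    res = triage_history(SAMPLE_HISTORY)
    for b in res.beacons:
        print(f"beacon  {b.timestamp} {b.computer}\\{b.user}")
    for c in res.commands:
        print(f"command {c.timestamp} [{c.computer}] {c.command}")
    print("undecodable:", res.undecodable)
```

Strict base64 validation (`validate=True`) matters here: operator channels collect chatter, test messages and malformed data, and a loose decode would silently turn those into garbage "commands". Keep the recovered key and channel names out of the script itself when running this against a live channel; they are indicators that belong in a case file, not in a tool.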
