
APT37 CloudMensis ScarCruft’s Dolphin Backdoor Attack

Updated on 2022-12-08: North Korea’s APT37 Hackers Exploited Internet Explorer JScript9 Engine Zero-Day

Hackers linked to North Korea have been exploiting a zero-day type-confusion vulnerability in Internet Explorer’s JScript9 engine. Google’s Project Zero detected the vulnerability, which affects Windows 7 through 11 and Windows Server 2008 through 2022 prior to patches Microsoft released in November. APT37 has been exploiting the vulnerability to spread malware embedded in documents.


  • You may consider Internet Explorer “legacy” at this point. But it may still be used to render content in Office documents.
  • North Korea, while a fairly underfunded state, still has this innovating team of individuals who find interesting ways to abuse Windows. Don’t underestimate their technical capabilities; they can still be effective. This is a classic one. Who would have thought IE11 is still the core rendering engine for HTML in Office in 2022? It would be as if I said IE6 was being used to render HTML in Adobe Reader. It’s rather shocking, but maybe not surprising.


Updated on 2022-12-07: ScarCruft’s Chinotto

Korea’s CERT team has put out a report on Chinotto, a malware strain used by ScarCruft, a North Korean APT. Read more: TTPs #9: 개인의 일상을 감시하는 공격전략 분석 (Analysis of attack strategies for surveilling individuals’ daily lives)

Updated on 2022-12-02

North Korea-linked APT37, aka ScarCruft, was found leveraging a previously undocumented backdoor, named Dolphin, against South Korean entities. Read more: Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

Updated on 2022-12-01: ScarCruft’s Dolphin

ESET has put out a report on Dolphin, a new backdoor they spotted in attacks carried out by the ScarCruft APT. The malware can monitor local drives for specific content, steal files of interest, monitor keystrokes, take screenshots, and extract and steal credentials from browsers. Evidence suggests the backdoor has been used in attacks as early as April 2021. Read more: Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

“A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security.”

Overview: CloudMensis = ScarCruft

In a series of tweets on Wednesday, ESET said it was able to finally attribute an APT operation targeting macOS users that they spotted in July (which they named CloudMensis) to the ScarCruft North Korean cyber-espionage group.

