Summary: A North Korean threat actor, ScarCruft, has developed an Android surveillance tool called KoSpy that targets Korean- and English-speaking users through deceptive apps on the Google Play Store. Additionally, a series of npm packages linked to another North Korean campaign is designed to deploy malware and steal sensitive information. Recent findings also highlight a campaign that uses Rust-based malware and social engineering tactics to target the cryptocurrency sector.
Affected: Android users, software developers, cryptocurrency sector
Keypoints:
- KoSpy collects extensive data, including SMS messages, call logs, location, and screenshots, disguising itself as utility applications.
- The malware uses Firebase Firestore for resilient command-and-control operations, enabling the threat actor to operate undetected.
- Recently discovered npm packages, designed to deploy BeaverTail malware, collected credentials from browsers and imitated well-known library names through typosquatting.
- A new campaign targets the cryptocurrency sector using RustDoor and Koi Stealer, employing social engineering tactics to infiltrate networks and steal sensitive data.
Source: https://thehackernews.com/2025/03/north-koreas-scarcruft-deploys-kospy.html