North Korean Hackers Expand Tactics to Target Cryptocurrency and Retail Sectors


By Tina Reynolds


North Korean hackers, long considered some of the most technically sophisticated cyber operatives in the world, are changing their approach. They now explicitly focus on the cryptocurrency and retail sectors, a significant departure from their previous tactics. Recent operations by the ScarCruft group, also known as APT37, underscore this shift. By the end of May 2025, the attackers had launched a second wave of attacks, using ClickFix lures to deploy a newly developed variant of the BeaverTail malware. These actions point to a wider campaign to exploit existing vulnerabilities across every industry.

ScarCruft has been linked to campaigns that use phony technical reports as bait for consumers of threat intelligence. These decoys are used to distribute RokRAT, a remote access Trojan. The group also sends phishing emails that use deepfake military ID cards as sophisticated bait. This method lets them spread ransomware and other malware, enabling data theft and giving them remote access to affected systems.

The group has also added BeaverTail to its arsenal as part of the ongoing Contagious Interview campaign, which spreads malware through fake job tests and primarily targets software developers. BeaverTail serves a dual purpose: it acts as an information stealer while downloading a Python-based backdoor known as InvisibleFerret. This backdoor evades detection by Base64-encoding the HTTP POST requests it sends to its C2 server.
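Because the backdoor's traffic is ordinary HTTP with a Base64-wrapped body, one check a defender can run over proxy or web-server logs is to decode POST bodies and see whether they unwrap to readable text, which is what a fingerprint or command result would look like. The script below is an added example written for this article; it is not code from the article, from SentinelOne, S2W or any other source named here. The log-line format (method, URL, content type, body) and all sample entries, including the 203.0.113.10 address, are constructed for illustration.

```python
import base64
import binascii
import re
from typing import List, Optional

# Standard and URL-safe Base64 alphabets, optional "=" padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
MIN_BODY_LEN = 16  # shorter bodies decode to too little to judge


def try_decode_base64(body: str) -> Optional[bytes]:
    """Return decoded bytes if the body is strictly valid Base64, else None."""
    body = body.strip()
    if len(body) < MIN_BODY_LEN or len(body) % 4 != 0 or not B64_RE.match(body):
        return None
    try:
        if "-" in body or "_" in body:
            return base64.urlsafe_b64decode(body)
        # validate=True rejects stray characters instead of silently dropping them
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_printable_text(raw: bytes, threshold: float = 0.95) -> bool:
    """True when the decoded payload is overwhelmingly printable ASCII."""
    if not raw:
        return False
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(raw) >= threshold


def scan_log(lines: List[str]) -> List[dict]:
    """Flag POST bodies that are Base64 wrapping readable text.

    Constructed log format for this example: METHOD URL CONTENT-TYPE BODY
    (the body is the remainder of the line and may contain spaces).
    """
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        method, url, content_type, body = parts
        if method != "POST":
            continue
        decoded = try_decode_base64(body)
        # Base64 of binary data (images, archives) decodes but is not text, so it is not flagged
        if decoded is None or not is_printable_text(decoded):
            continue
        findings.append({"url": url, "content_type": content_type, "decoded": decoded})
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample log lines; none of these come from a real capture.
SAMPLE_LOG = [
    'POST https://api.example.com/v1/orders application/json {"order_id": 42, "sku": "ABC-1"}',
    "GET https://www.example.com/index.html text/html -",
    # a beacon-style body: host fingerprint wrapped in Base64, sent to a bare IP
    "POST http://203.0.113.10:8080/api text/plain "
    + _b64(b"hostname=dev-laptop&user=alice&os=win10&cwd=/home/alice/project"),
    # a benign Base64 upload of binary data: decodes, but not to text
    "POST https://cdn.example.com/upload application/octet-stream "
    + _b64(b"\x89PNG\r\n\x1a\n" + bytes(range(0, 40))),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["url"], "->", hit["decoded"][:60])
```

The check is deliberately narrow: it only fires when a body both decodes cleanly and decodes to text, which keeps ordinary Base64-encoded file uploads out of the result set. In practice it belongs in a pipeline that also scores the destination (bare IP, unusual port, no prior history) rather than standing alone.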

Recent Cyber Operations and Their Implications

For the past several months, North Korean hacking entities have stepped up their malicious activities. They are more aggressively ingesting, scanning for, and operationalizing threat intelligence to inform their operations. According to experts from SentinelOne, this activity generally consists of analyzing cyber threat intelligence data about the groups' own infrastructure.

“This activity […] involved the threat actors examining cyber threat intelligence (CTI) information related to their infrastructure.” – SentinelOne, SentinelLabs, and Validin

The campaign's recent tactical shifts have grown beyond targeting software developers and the cryptocurrency sector. Oliver Smith, a cybersecurity analyst with domain protection company Digipri, said that ScarCruft's tactics have changed. The group's latest push targets marketing and trading positions at crypto and retail companies. This shift away from lower-hanging fruit points to a broader strategic move toward more financially lucrative targets.

“The threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations rather than targeting software developers and the cryptocurrency sector.” – Oliver Smith

Kimsuky, also called APT43, another North Korean-aligned group, has likewise come under scrutiny for its cyber activities. Kimsuky reportedly suffered a defeat that may reveal its operating procedures and tooling. The organization is behind two distinct but related campaigns that abuse GitHub repositories to distribute stealer malware and conduct data exfiltration.

The Mechanics of BeaverTail and Contagious Interview

At the core of the Contagious Interview campaign is a specific tool, the BeaverTail malware. It is shared under the guise of innocuous job tests, aimed at people looking for work in software development and other disciplines. The malware is distributed by multiple methods, such as fake npm packages and counterfeit Windows videoconferencing applications.

Password-protected archives have also been used for payload delivery in combination with BeaverTail. This approach adds one more layer of obfuscation that security tools are not well equipped to detect.

“To access the repository, the attacker embedded a hardcoded GitHub Private Token directly within the script.” – S2W
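The hardcoded token that S2W describes is a detectable artifact in its own right: GitHub tokens carry fixed prefixes, so a script or package can be scanned for them before it is executed or published, and the same scan catches an organization's own leaked credentials. The scanner below is an added example written for this article, not code from S2W or any other source named here. The token shapes it matches (a classic token as a prefix such as ghp_ followed by 36 alphanumerics, a fine-grained token as github_pat_ followed by 22 characters, an underscore and 59 more) are assumptions based on the publicly documented formats, and the sample script and its token string are constructed; the token is not a real credential.

```python
import math
import re
from typing import Dict, List

# Assumed token shapes (see lead-in); adjust lengths if GitHub changes them.
TOKEN_PATTERNS: Dict[str, re.Pattern] = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_app_or_oauth": re.compile(r"\bgh[osur]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}
MIN_ENTROPY = 3.0  # bits per character; "ghp_xxxx..." placeholders score far lower


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def mask(token: str) -> str:
    """Keep only enough of the token to identify it in a report."""
    return token[:8] + "..." + token[-4:]


def scan_source(text: str) -> List[dict]:
    """Return one finding per hardcoded GitHub token found in a script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                secret_part = token.split("_", 1)[1]
                if shannon_entropy(secret_part) < MIN_ENTROPY:
                    continue  # right shape, but a documentation placeholder
                findings.append({"line": lineno, "kind": kind, "token": mask(token)})
    return findings


# Constructed sample script: one hardcoded token, one placeholder, one safe lookup.
SAMPLE_SCRIPT = "\n".join([
    "import os",
    "import requests",
    "",
    "# constructed: a made-up string in the shape of a classic token",
    'GITHUB_TOKEN = "ghp_Qk7xL2mN9vB4cZ8pW1sR5tY0uH3gF6dJaEkM"',
    "",
    "# a documentation placeholder with the right shape but no entropy",
    'EXAMPLE = "ghp_' + "x" * 36 + '"',
    "",
    "# the safe pattern: the credential comes from the environment at runtime",
    'token = os.environ.get("GITHUB_TOKEN")',
    'resp = requests.get("https://api.github.com/repos/example/repo",',
    '                    headers={"Authorization": f"Bearer {token}"})',
])

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SCRIPT):
        print(f"line {hit['line']}: {hit['kind']} {hit['token']}")
```

The entropy gate is what separates a live credential from the ghp_xxxx placeholder that appears in README files, so the scanner can run on every commit or on every package pulled into a build without drowning in false positives. Findings are masked before they are printed so the report itself does not become a second copy of the secret.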

The distribution strategy includes a deceptive hiring portal built with Vercel. There, threat actors created fraudulent job postings for positions as cryptocurrency traders and sales and marketing associates at various Web3 companies. This gives them a way to engage discreetly with potential victims without exposing themselves.

Broader Implications for Cybersecurity

This rapid evolution of North Korean cyber operations should alarm cybersecurity professionals around the world. Analysts note that the discovery of ransomware within these operations marks a shift from traditional espionage toward financially motivated and potentially destructive activity.

“The discovery of ransomware marks a significant shift from pure espionage operations toward financially motivated and potentially destructive activity.” – S2W

This trend reinforces the importance of heightened awareness among companies operating in the cryptocurrency and retail industries. The tactics used by these threat actors suggest that their operations will keep developing.

Additionally, GitLab has observed that this campaign shows a strategic expansion by some units within North Korea's cyber operations. These groups are going beyond their traditional geographic boundaries to broaden their target demographics, while continuing to exploit new vulnerabilities in every sector.

“The campaign suggests a slight tactical shift for a subgroup of North Korean BeaverTail operators, expanding beyond their traditional software developer targeting to pursue marketing and trading roles across cryptocurrency and retail sectors.” – GitLab