North Korea’s ScarCruft Hackers Pivot to Ransomware in Escalating Cyber Campaigns
- Cyber Jack
- 24 minutes ago
A notorious North Korean hacking outfit is branching out from covert surveillance into outright cyber extortion. Researchers at South Korean cybersecurity firm S2W say ScarCruft, an advanced persistent threat (APT) group with a long history of espionage, has deployed a newly identified ransomware called VCD in recent campaigns targeting South Korea.
Historically focused on intelligence gathering against high-value targets in South Korea, Japan, and Russia, ScarCruft is now adding a financially motivated dimension to its playbook. S2W’s latest analysis points to a July operation by a ScarCruft subgroup known as ChinopuNK. The group lured victims with phishing emails carrying an attachment disguised as a postal code update. Opening the file set off a chain of malware: a Rust-based backdoor, the information stealers LightPeek and FadeStealer, and NubSpy, a remote-control tool that hides its command-and-control traffic inside connections to the legitimate PubNub messaging service, so that it blends in with ordinary SaaS traffic.
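The NubSpy detail above is the one a defender should dwell on: when command-and-control rides on a legitimate SaaS service, a destination blocklist never fires, because the destination is exactly what the business allows. The signal has to move to who is talking (which process on which host) and how (beacon cadence, volume). The script below is an added example, not code from S2W, the article, or the malware; it runs over a constructed, proxy-style log and flags processes that reach PubNub endpoints without being on an allowlist of applications expected to use the service, then summarises their beacon interval. The domain patterns (`pubnub.com`, `pndsn.com`), the allowlist, the hostnames and the log format are all assumptions for illustration and would be replaced by what your own telemetry actually contains.

```python
"""
Added example: detect unexpected clients of a legitimate pub/sub SaaS (PubNub)
by process allowlisting and beacon-cadence summary over proxy/EDR-style logs.
All domains, process names, hosts and log lines below are constructed for
illustration; they are not taken from S2W's report or the article.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Assumption: PubNub's public endpoints live under these two registrable domains.
PUBNUB_DOMAIN_RE = re.compile(r"(?:^|\.)(?:pubnub\.com|pndsn\.com)$", re.IGNORECASE)

# Assumption: the only applications in this environment expected to talk to PubNub.
# Stored lower-case; compared case-insensitively below.
ALLOWED_PROCESSES = frozenset({"chat-client.exe", "chrome.exe", "msedge.exe"})

# Constructed sample log: <ISO-8601 timestamp> <host> <process> <destination> <bytes_out>
SAMPLE_LOG = """\
2025-07-14T09:01:02Z host-a chat-client.exe ps.pndsn.com 812
2025-07-14T09:01:09Z host-a chrome.exe pubsub.pubnub.com 431
2025-07-14T09:03:41Z host-b rundll32.exe ps.pndsn.com 2048
2025-07-14T09:03:55Z host-b rundll32.exe ps.pndsn.com 2112
2025-07-14T09:04:10Z host-b rundll32.exe ps.pndsn.com 1998
2025-07-14T09:05:00Z host-c update.exe mail.example.com 300
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    host: str
    process: str
    dest: str
    bytes_out: int


@dataclass
class Finding:
    host: str
    process: str
    connections: int
    bytes_out: int
    mean_interval_s: float    # 0.0 when only one connection was seen
    interval_stdev_s: float   # small value with several connections = regular beacon


def parse_log(text: str) -> list[Record]:
    """Parse whitespace-separated records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, process, dest, nbytes = line.split()
        # fromisoformat() on older Pythons rejects a trailing 'Z', so normalise it.
        records.append(Record(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                              host, process, dest, int(nbytes)))
    return records


def is_pubnub_destination(dest: str) -> bool:
    """True for pubnub.com / pndsn.com and their subdomains only (no substring matches)."""
    return bool(PUBNUB_DOMAIN_RE.search(dest))


def find_unexpected_pubnub_clients(records: list[Record],
                                   allowed: frozenset[str] = ALLOWED_PROCESSES
                                   ) -> dict[tuple[str, str], Finding]:
    """Group PubNub connections by (host, process), drop allowlisted processes,
    and summarise count, volume and inter-connection timing for the rest."""
    groups: dict[tuple[str, str], list[Record]] = defaultdict(list)
    for r in records:
        if is_pubnub_destination(r.dest) and r.process.lower() not in allowed:
            groups[(r.host, r.process)].append(r)

    findings: dict[tuple[str, str], Finding] = {}
    for (host, process), recs in groups.items():
        recs.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(recs, recs[1:])]
        findings[(host, process)] = Finding(
            host=host,
            process=process,
            connections=len(recs),
            bytes_out=sum(r.bytes_out for r in recs),
            mean_interval_s=mean(gaps) if gaps else 0.0,
            interval_stdev_s=pstdev(gaps) if gaps else 0.0,
        )
    return findings


if __name__ == "__main__":
    for f in find_unexpected_pubnub_clients(parse_log(SAMPLE_LOG)).values():
        print(f"{f.host} {f.process}: {f.connections} PubNub connections, "
              f"{f.bytes_out} bytes out, mean gap {f.mean_interval_s:.1f}s "
              f"(stdev {f.interval_stdev_s:.1f}s)")
```

Two caveats worth keeping in mind when turning this into a real detection. First, PubNub traffic is TLS, so without TLS inspection the only fields available are the ones used here: source host, process (from an endpoint agent or proxy with authentication), destination name and byte counts. Second, the allowlist is the weak point: a malicious implant injected into an allowlisted browser process would pass the process check, so the cadence and volume columns are there precisely to catch a "legitimate" process that has started beaconing on a timer.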
In a first for the group, the payload also included VCD ransomware, which encrypts files and drops a ransom note in both Korean and English, a sign that the group is prepared to extort international as well as South Korean victims.
The shift echoes a broader trend in state-linked cyber activity: the blurring of espionage and criminal tactics. ScarCruft, like its sibling APTs Lazarus and Kimsuky, operates under North Korea’s larger cyber apparatus, which the United Nations estimates has stolen roughly $3 billion over the past six years to help fund the heavily sanctioned regime.
Mayank Kumar, founding AI engineer at security startup DeepTempo, says the group’s latest move should be read as a warning: “As AI-driven productivity surges, hybrid cyber operations are likely to rise sharply. Autonomous or semi-autonomous agents will make these campaigns harder to detect; one might trigger a low-priority alert as a diversion while another quietly siphons sensitive data. Such agents can maintain convincing decoys while delivering strategic damage.”
Kumar noted that ScarCruft’s use of ransomware may be more than a grab for cash. Encryption, he suggested, can act as a smokescreen to conceal theft, delay incident response, or apply political pressure.
“Advanced persistent threat groups must expand their toolsets and blur the line between espionage and cybercrime. Defenders must prepare for campaigns where ransomware is one element in a multi-stage operation. Adaptive, deep learning–driven anomaly detection across network traffic, system events, and security logs — paired with strong segmentation, rapid containment, and visibility into both human and automated adversary activity — is essential to counter such blended threats.”
The VCD campaign underscores how quickly offensive cyber capabilities evolve and how the traditional distinction between nation-state and criminal hacking is dissolving. In today’s threat landscape, ransomware is no longer a purely criminal enterprise; it is increasingly a weapon in the geopolitical arsenal.