
North Korean Hackers Use New ‘Chinotto’ Malware to Target Windows, Android Devices

Kaspersky has analyzed a new espionage campaign conducted by the threat actor named ScarCruft, and the security firm’s researchers have uncovered a previously unknown malware that has been used to target Windows and Android devices.

Active since at least 2012 and also tracked as APT37, Group123, and Temp.Reaper, ScarCruft is likely backed by the North Korean government and is known for targeting defectors, journalists, and government organizations, among others.

The recently observed campaign follows the same pattern: its target was a news organization that covers North Korea. After the initial infection with PowerShell malware, the adversary spied on the victim for months and even attempted to spear-phish the victim's associates.

Kaspersky's investigation into the attack uncovered three malware variants that share the same command and control (C&C) scheme and communicate over HTTP. The new malware has been named Chinotto, and the researchers identified PowerShell, Windows executable, and Android versions of the threat.

Additional victims were identified in South Korea, as well as compromised web servers (mostly located in South Korea) that ScarCruft has been abusing for this campaign since early 2021. Older variants of the malware had been delivered to victims since mid-2020, the researchers say.

The security firm found that the adversary used stolen Facebook credentials to contact an acquaintance of the intended victim, and then sent a phishing email from a compromised email account to that victim. Attached to the message was a password-protected RAR archive containing a malicious Word document; because the archive is encrypted, mail gateways cannot inspect the document inside it, and the macros only run if the recipient opens the file and enables content. The malicious macros in the document were designed to execute shellcode and fetch the next-stage payload.
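The delivery chain above (encrypted archive, then a macro-bearing Word document) is why the useful detection point is after extraction, in a sandbox or on the endpoint, rather than at the mail gateway. The following is an added example, not code from the original article or from Kaspersky's report: a small Python check that decides whether an extracted Office file carries a VBA project, handling both OOXML containers (docx/docm, a zip with `word/vbaProject.bin`) and legacy OLE `.doc` files (where the `_VBA_PROJECT` stream name appears in UTF-16LE). The sample documents are constructed inline and are stand-ins, not real malware; the OLE sample is only the magic header plus a stream name, not a valid compound file, which is sufficient to exercise the heuristic.

```python
from __future__ import annotations

import io
import zipfile

# Compound File Binary (OLE2) magic that starts every legacy .doc file.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entries are stored as UTF-16LE; this stream name exists in
# every VBA project and is unlikely to occur in ordinary document text.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the document bytes appear to carry a VBA project.

    OOXML: any zip member named vbaProject.bin, or a macro-enabled content
    type in [Content_Types].xml.  Legacy OLE: heuristic scan for the
    _VBA_PROJECT stream name.  Anything else is treated as 'no macros'.
    """
    if data.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").lower()
                return b"macroenabled" in content_types
    except zipfile.BadZipFile:
        pass  # not a zip, not OLE: nothing we recognise as an Office macro host
    return False


def flag_macro_files(extracted: dict[str, bytes]) -> list[str]:
    """Given the files pulled out of an archive (name -> bytes), return the
    names that carry macros, so a sandbox or mail-flow rule can act on them."""
    return sorted(name for name, blob in extracted.items() if has_vba_macros(blob))


# --- constructed samples (hypothetical, not real ScarCruft documents) -------

def make_ooxml_sample(with_macro: bool) -> bytes:
    """Build a minimal docx/docm-like zip in memory."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00placeholder VBA project")
    return buf.getvalue()


def make_ole_sample(with_macro: bool) -> bytes:
    """OLE magic plus padding; only the stream-name marker is realistic."""
    body = OLE_MAGIC + b"\x00" * 512
    if with_macro:
        body += OLE_VBA_MARKER + b"\x00" * 64
    return body


if __name__ == "__main__":
    extracted = {
        "report.docm": make_ooxml_sample(with_macro=True),
        "notes.docx": make_ooxml_sample(with_macro=False),
        "legacy.doc": make_ole_sample(with_macro=True),
        "readme.txt": b"plain text, not a document",
    }
    print("macro-bearing files:", flag_macro_files(extracted))
```

The OOXML path is reliable; the OLE path is a heuristic and a thorough analyst would parse the compound file directory (for example with `olefile` and `oletools`) rather than scanning bytes. Neither check reads macro contents, so it tells you a document *can* run code, not what that code does.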

The computer of the acquaintance whose account sent the phishing email was itself infected with a PowerShell script functioning as a backdoor. That compromise likely happened in March 2021, and the adversary apparently exfiltrated files from the machine in August 2021, after the Chinotto malware was deployed.

Chinotto gives the attackers control over compromised machines along with data exfiltration capabilities. It can download and upload files, delete files, archive directories and exfiltrate them, take screenshots, and run Windows commands.

The Android version of Chinotto requests a range of permissions that let it collect sensitive information such as contacts, messages, call logs, device data, and audio recordings. This variant is likely being deployed via smishing (SMS phishing) attacks.
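The permission set described above is itself a triage signal: a single app asking for contacts, SMS, call log, phone state and microphone access at install time matches the collection profile of a spyware implant far more than that of a legitimate app. The following is an added example, not code from the original article or from Kaspersky's report. It parses the `uses-permission:` lines produced by `aapt dump permissions <apk>` (a real Android SDK command) and flags an APK whose permissions span three or more of the collection categories the article lists. The two aapt outputs are constructed samples; the threshold and category mapping are assumptions for illustration, not a published rule.

```python
from __future__ import annotations

import re

# Map each collection capability named in the article to the Android
# permissions that grant it.  Assumption: this mapping is our own, built
# from the capabilities described, not from Chinotto's actual manifest.
COLLECTION_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "device": {"android.permission.READ_PHONE_STATE"},
    "audio": {"android.permission.RECORD_AUDIO"},
}

# Matches lines such as: uses-permission: name='android.permission.READ_SMS'
PERM_RE = re.compile(r"uses-permission: name='([^']+)'")


def parse_aapt_permissions(dump: str) -> set[str]:
    """Extract requested permission names from `aapt dump permissions` text."""
    return set(PERM_RE.findall(dump))


def collection_categories(perms: set[str]) -> set[str]:
    """Which collection categories are covered by the requested permissions."""
    return {cat for cat, names in COLLECTION_PERMISSIONS.items() if perms & names}


def triage_permissions(dump: str, threshold: int = 3) -> dict:
    """Return the parsed permissions, matched categories and a verdict.

    The verdict is a heuristic: an app spanning `threshold` or more of the
    collection categories deserves a closer look (hypothetical threshold).
    """
    perms = parse_aapt_permissions(dump)
    cats = collection_categories(perms)
    return {
        "permissions": sorted(perms),
        "categories": sorted(cats),
        "suspicious": len(cats) >= threshold,
    }


# --- constructed aapt output (hypothetical packages, not real samples) -------

SPYWARE_LIKE_DUMP = """package: com.example.courier
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECORD_AUDIO'
"""

BENIGN_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    for label, dump in (("courier", SPYWARE_LIKE_DUMP), ("flashlight", BENIGN_DUMP)):
        result = triage_permissions(dump)
        print(f"{label}: categories={result['categories']} suspicious={result['suspicious']}")
```

Permissions alone do not prove malice (a legitimate dialer replacement legitimately needs several of these), so the verdict is a queueing decision for manual or sandbox analysis, not a block rule. Android 6 and later grant these at runtime, so a real implant still needs the user to tap through the prompts, which is consistent with the smishing lure doing the persuasion.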

The researchers identified four suspected victims, all located in South Korea and all using Windows machines, indicating that ScarCruft focused on individuals rather than organizations in this campaign.

“The target of this attack is within the same scope as previous ScarCruft group campaigns. Based on the victimology and several code overlaps, we assess with medium confidence that this cyber-espionage operation is related to the ScarCruft group,” Kaspersky notes.

Related: North Korea-Linked ‘ScarCruft’ Adds Bluetooth Harvester to Toolkit

Related: North Korean Hacker Group Intensifies Espionage Campaigns

Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
