ScarCruft APT Malware Uses Image Steganography

May 16, 2019
Credit: Virus Bulletin

The malware used by ScarCruft, a North Korean Advanced Persistent Threat (APT) group, is pretty advanced. Not only does it contain a rare Bluetooth harvesting component that captures device data through the Windows Bluetooth Application Programming Interface (API), but it also uses image steganography to hide its payload delivery inside ordinary-looking image downloads. Kaspersky’s GReAT research team observed ScarCruft targeting Russian and Vietnamese “investment companies and diplomatic agencies” (Barth, 2019).

ScarCruft is also tracked under other names, such as APT37, Group123, and TEMP.Reaper.

Whenever I research an APT group, I also like to check the MITRE ATT&CK site, which usually yields much more information than you’ll find in a five-minute news article.

As with nearly all APT groups, ScarCruft has a preferred malware toolkit that it has developed and customized to suit its needs. Its go-to Remote Access Trojan (RAT) is known as ROKRAT. By studying a group’s malware, security researchers can determine in general terms what it is after. ScarCruft is a cyber-espionage-focused APT that goes after actionable intelligence it can use for political and diplomatic purposes (think of compromising material like the alleged Trump tape, which could be used for blackmail should such a tape exist). MITRE’s ATT&CK site notes that ScarCruft’s activity overlaps with, and is sometimes reported under, the broader North Korean “Lazarus Group”, and that the group has previously targeted nations such as:

South Korea

Russia

Vietnam

other parts of the Middle East

The part I find most interesting, as someone who has spent quite a bit of time studying digital steganography combined with malware to evade detection, is that ScarCruft does exactly that, in addition to carrying the rare Bluetooth harvesting tool. ScarCruft delivers a malicious payload that is encrypted and embedded in an image file; the payload has to be extracted from the image and decrypted before it can run (Barth, 2019). Stop and think for a moment about the effort the developers put into writing code that does all of that. It is sophistication on a different level from commodity malware, and it points to a well-resourced, highly skilled team. North Korea is now showing its prowess on the cyber espionage and cyber warfare scene, and should be counted alongside Russia, China, and Iran, and, on the other side, Western powers such as the UK, France, and Israel. The list grows every year, and the APTs’ bag o’ tricks gets fancier and more sophisticated as the years roll on. We all thought Flame and Stuxnet were the cream of the crop when it came to malware, and they still are, but newer variants such as ScarCruft’s toolkit or Triton (ICS-focused) are starting to put that into question.
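To make the technique concrete, here is an added example (my own illustration, not ScarCruft’s code or format, which the page does not describe) of the simplest way to hide an encrypted payload in an image: append it after the bytes a viewer actually parses, the IEND chunk of a PNG or the EOI marker of a JPEG. The image still opens normally, but a downloader that knows where to look can recover the payload. The same code also shows the check a defender would run on a suspicious image download: walk the real image structure to its end and report whatever trails it. The STEG marker, the length field and the repeating-key XOR are illustrative assumptions; the carrier PNG and the JPEG stub are constructed inline so the example runs offline.

```python
"""Append-after-end image steganography, and the triage check that catches it.

Added example. The marker, length field and XOR cipher are assumptions for
illustration; they are not the format used by the real ScarCruft sample.
"""
import struct
import zlib

MAGIC = b"STEG"  # hypothetical marker the extractor looks for


def minimal_png(width=1, height=1):
    """Build a small but valid 8-bit grayscale PNG (constructed carrier image)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    sig = b"\x89PNG\r\n\x1a\n"
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, colour type 0
    scanlines = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter 0 per row
    return sig + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b"")


def jpeg_stub():
    """SOI, one APP0 segment, SOS, a few entropy-coded bytes (with an FF00 stuffing), EOI.
    Constructed marker structure only, not a decodable picture."""
    return (b"\xff\xd8" + b"\xff\xe0" + b"\x00\x04" + b"JF"
            + b"\xff\xda" + b"\x00\x02" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")


def xor_crypt(data, key):
    """Repeating-key XOR: a stand-in for whatever cipher a real sample uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(image, payload, key):
    """Append MAGIC | big-endian length | encrypted payload after the image end.
    Decoders stop at IEND/EOI, so the file still renders as a normal picture."""
    enc = xor_crypt(payload, key)
    return image + MAGIC + struct.pack(">I", len(enc)) + enc


def image_end_offset(data):
    """Offset one past the last byte a decoder reads (PNG IEND or JPEG EOI), or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        pos = 8
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4 length + 4 type + data + 4 crc
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker == 0xDA:  # SOS: entropy-coded data follows
                break
            if marker == 0xFF:  # fill byte
                pos += 1
                continue
            if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
                pos += 2
                continue
            (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + seglen
        else:
            return None
        # In entropy-coded data 0xFF is always followed by 0x00 or an RSTn marker,
        # never 0xD9, so the first FFD9 after SOS is the real End Of Image.
        eoi = data.find(b"\xff\xd9", pos)
        return None if eoi < 0 else eoi + 2
    return None


def trailing_bytes(data):
    """The triage check: bytes after the image end. b'' for a clean file, None if unparseable."""
    end = image_end_offset(data)
    return None if end is None else data[end:]


def extract(data, key):
    """Recover the payload the way a downloader would, or None if the marker is absent."""
    tail = trailing_bytes(data)
    if not tail or len(tail) < 8 or not tail.startswith(MAGIC):
        return None
    (n,) = struct.unpack(">I", tail[4:8])
    return xor_crypt(tail[8:8 + n], key)


if __name__ == "__main__":
    carrier = minimal_png()
    stego = embed(carrier, b"next-stage payload", b"k3y")
    print("clean trailer:", trailing_bytes(carrier))
    print("stego trailer:", len(trailing_bytes(stego)), "bytes after IEND")
    print("recovered    :", extract(stego, b"k3y"))
```

A non-empty result from `trailing_bytes` is not proof of malice on its own, but trailing data after IEND or EOI has no legitimate reason to exist in most images, so it is a cheap first filter over a proxy’s image downloads before anyone opens the file in a hex editor.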

Many people are unaware that these APT groups are often backed by nation-states and staffed by highly skilled malware developers who write the malicious code. There may also be operators responsible for command and control (C2), running the compromised servers the group uses as proxies to talk to infected computers and to hide its real source IP addresses. If they are military units, they operate in teams or squads. In North Korea’s case, the APTs are likely military units focused on two things: hacking for revenue to offset what the regime has lost to UN-imposed sanctions, and cyber espionage the regime can use in other ways. A lot of money, time, and resources go into these campaigns, so one can imagine the lengths, as ScarCruft shows, that nations go to in order to keep their malware hidden. There has always been the spy-versus-spy game of men and women spying for their countries, but there is now a whole different form of spying that can be far less costly and even more effective. Of course, every nation is going to want in on that action, so don’t expect this activity to stop anytime soon. If there is ever an international cybersecurity treaty, don’t put much faith in it, for the reasons I just mentioned.

If you’re interested in staying up to date on APT malware activity, I highly suggest subscribing to the weekly Virus Bulletin newsletter. It is well worth the read and you won’t be disappointed.

Originally published on May 16, 2019.


Written by Cyberpunk Dad³: @USMC (ret.) combat vet, guardian of cyberspace; researches and writes about hacking, DFIR, OSINT, privacy, and side-channel attacks. Coffee. Runner.