01 December, 2022

ESET announces backdoor within a backdoor threat targeting Asia

At the AVAR 2022 conference, ESET researchers presented how a previously unreported backdoor used by the ScarCruft APT works.

Source: ESET. Flow diagram of the attack components leading to the execution of the Dolphin backdoor.

Filip Jurčacko, Malware Researcher at ESET, shared during the conference that the backdoor, which ESET has dubbed Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices, exfiltrating files of interest, keylogging, taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. Dolphin also abuses cloud storage services — specifically Google Drive — for Command and Control communication.

“After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably to maintain Gmail account access for the threat actors,” said Jurčacko.

ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organisations, and companies in various industries linked to the interests of North Korea.

In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT.

“In the previous reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analysing the attack, we discovered through ESET telemetry a second, more sophisticated backdoor deployed on selected victims via this first backdoor. We named this backdoor Dolphin based on a PDB path found in the executable,” shared Jurčacko.

PDB stands for program database, the debug-symbol file format produced by Microsoft build tools; the path to that file is embedded in the compiled executable at build time, which is how it revealed the name.

Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.

While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are capable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically exfiltrates files with interesting extensions.

The backdoor collects basic information about the targeted machine, including the operating system version, malware version, list of installed security products, username, and computer name. By default, Dolphin searches all fixed drives (hard disks) and non-fixed drives (such as external USB drives), creates directory listings, and exfiltrates files by extension. Dolphin also searches portable devices, such as smartphones, via the Windows Portable Device API. The backdoor also steals credentials from browsers, and is capable of keylogging and taking screenshots. Finally, it stages this data in encrypted ZIP archives before uploading them to Google Drive.
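Because Dolphin uses Google Drive for command and control and exfiltration, one practical hunt is to look for processes that reach the Drive API but are not browsers or the official Drive client. The script below is an added illustration, not code from ESET's report; the Sysmon-style network-connection log lines are constructed, and the Drive host set and the allowlist of expected client executables are assumptions to adapt per environment.

```python
"""Hunt for Google Drive API traffic from unexpected processes.

Added illustration for the Dolphin write-up: a non-browser, non-Drive-client
process talking to Drive endpoints is worth triage. Log lines are constructed
samples in a Sysmon Event ID 3 (network connection) style; the host set and
the allowlist below are assumptions, not values from the report.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=3 Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestinationHostname=www.googleapis.com DestinationPort=443",
    r"EventID=3 Image=C:\Users\Public\update.exe DestinationHostname=www.googleapis.com DestinationPort=443",
    r"EventID=1 Image=C:\Users\Public\update.exe CommandLine=update.exe /silent",
    r"EventID=3 Image=C:\Program Files\Google\Drive File Stream\GoogleDriveFS.exe DestinationHostname=drive.google.com DestinationPort=443",
    r"EventID=3 Image=C:\Users\Public\update.exe DestinationHostname=oauth2.googleapis.com DestinationPort=443",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe DestinationHostname=update.microsoft.com DestinationPort=443",
]

# Assumption: hostnames used by Drive API / OAuth traffic. Note that
# www.googleapis.com also fronts other Google APIs, so treat hits as leads.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "oauth2.googleapis.com"}

# Assumption: executables legitimately expected to talk to Drive on this host.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# key=value pairs; a value runs until the next " key=" or end of line, so
# spaces inside paths (e.g. "Program Files") are preserved.
EVENT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(EVENT_RE.findall(line))


def suspicious_drive_clients(lines) -> dict:
    """Return {image path: sorted Drive hosts contacted} for processes that
    reached a Drive endpoint but are not in the expected-client allowlist."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3":          # only network-connection events
            continue
        host = ev.get("DestinationHostname", "").lower()
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if host in DRIVE_HOSTS and exe not in EXPECTED_CLIENTS:
            hits[image].add(host)
    return {img: sorted(hosts) for img, hosts in hits.items()}


if __name__ == "__main__":
    for image, hosts in suspicious_drive_clients(SAMPLE_EVENTS).items():
        print(f"review: {image} -> {', '.join(hosts)}")
```

On the constructed sample only the unsigned-looking update.exe in a public folder is reported; in practice, pair a hit with file-creation telemetry for ZIP archives in temporary directories to raise confidence.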
