North Korean Hacker Group ScarCruft Shifts to Ransomware Attacks Amid Financial Pressure
August 11, 2025
The North Korean hacking group ScarCruft is pivoting from its traditional espionage activities to focus on financially motivated ransomware attacks, utilizing a new malware known as VCD.
This new VCD ransomware encrypts victims' files and demands a ransom, with payment notes provided in both English and Korean.
Victims who opened the malicious file associated with this campaign were infected with over nine types of malware, including a variant of ChillyChino and a Rust-based backdoor called NubSpy, which enabled covert control of their computers.
Cybersecurity experts from the South Korean firm S2W reported that ScarCruft's recent campaign specifically targeted South Korea through phishing emails disguised as postal code updates.
S2W's Threat Analysis and Intelligence Center suggests that this shift indicates ScarCruft is integrating financial objectives into its espionage tactics, likely in response to North Korea's ongoing economic sanctions.
A United Nations report has highlighted that North Korean hackers, including ScarCruft, have stolen approximately $3 billion over the past six years, underscoring the financial motivations driving these cyber activities.
Mayank Kumar from DeepTempo emphasized the urgent need for cybersecurity defenders to adapt to the evolving landscape where nation-backed hacking increasingly overlaps with criminal cyber tactics.
Summary based on 1 source
Source

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto • Aug 11, 2025
North Korean Group ScarCruft Expands From Spying to Ransomware Attacks