North Korea-Linked ScarCruft APT developed a new tool that harvests Bluetooth data


A North Korea-linked threat group tracked as ScarCruft, APT37 and Group123, believed to be working on behalf of the North Korean government, continues to evolve and expand its arsenal. The latest addition to ScarCruft’s toolkit is what researchers described as a “rare” Bluetooth device harvester designed to steal information from devices connected via Bluetooth to the compromised machine.

According to the report from cybersecurity outfit Kaspersky Lab, which has been tracking the group since 2016, the malware uses Windows Bluetooth APIs to find information on connected Bluetooth devices and saves data such as the name, class and address of each device, and whether the device is connected, authenticated or remembered.

The researchers have identified several victims of this campaign: investment and trading companies in Vietnam and Russia. Some of those organizations are believed to have ties to North Korea, which may be a reason why ScarCruft decided to monitor them. Furthermore, ScarCruft also attacked diplomatic agencies in Hong Kong and North Korea.

“It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes”, the researchers said.

Kaspersky has also found some overlaps with another hacker group tracked as DarkHotel and KONNI. In particular, one Russia-based victim targeted by ScarCruft was previously compromised with the GreezeBackdoor and KONNI malware belonging to DarkHotel.

“This is not the first time we have seen ScarCruft and DarkHotel overlap. They have similar interests in terms of targets, but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly-skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve,” concluded the researchers.
