The ZUMKONG infostealer is a hacking tool that is a part of the arsenal of the infamous APT37 (Advanced Persistent Threat). This hacking group is also known under the alias ScarCruft. Malware researchers have determined that this group of individuals is located in North Korea and is likely doing the bidding of Kim Jong-Un as hired mercenaries by the government. Therefore, it makes sense why most of the victims of the APT37 group are South Korean organizations and individuals in influential positions.

Propagation Method

It is likely that the ScarCruft hacking group is using spam email campaigns to propagate most of their threats, as this appears to be their preferred infection vector. The emails are usually tailored carefully since they do not tend to target everyday users but high-ranking employees or large corporations of government bodies. The contents of these emails are made to look genuine and trick the user into opening a potential macro-laced file, which may be attached to the message.

Works with the SLOWDRIFT Trojan

After studying the campaigns, which involved the ZUMKONG infostealer, malware experts discovered that this threat was spread with the help of another one of APT37's tools – the SLOWDRIFT Trojan downloader. These two threats work in unison perfectly – the SLOWDRIFT Trojan infiltrates the targeted system, feeds the attackers information about the host, and they choose which another hacking tool they should use in this operation. In this case, the ScarCruft group has opted to deploy the ZUMKONG malware. The SLOWDRIFT Trojan downloader paves the way for the ZUMKONG infostealer to compromise the system as a second-stage payload. The ScarCruft hacking group is known to have an affinity for stealth, so the victim is likely never even to spot the harmful activities of the ZUMKONG malware.


The full capabilities of the ZUMKONG malware are still to be uncovered. However, it is known that this threat can collect data such as:

  • Cookies.
  • Google Chrome settings details.
  • Internet Explorer settings details.
  • Usernames and passwords. /li>

The collected data is siphoned to the attackers via the network of a genuine Russian email service called 'mail.zmail.ru.'

The APT37 group has an impressive list of tools that keeps expanding, and with the funding from the North Korean government, these shady individuals are certainly going to continue their campaigns in the future.


Most Viewed