Today’s roundup

• ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics
• Ransomware Attack on Pennsylvania’s AG Office Disrupts Court Cases
• Amazon Stops Russian APT29 Watering Hole Attack Exploiting Microsoft Auth
• Salesloft Attacks Target Google Workspace
• WhatsApp Patches Zero-Day, Zero-Click Flaw

Summary

North Korea-linked ScarCruft (APT37) deployed RokRAT malware in Operation HanKook Phantom, using phishing emails with malicious LNK files disguised as academic newsletters to target South Korean researchers and ex-officials, exfiltrating data via cloud services. Pennsylvania’s Attorney General confirmed a ransomware attack disrupted court operations after refusing ransom demands. Amazon thwarted Russian APT29’s Microsoft authentication exploitation in a watering hole attack aimed at broadening intelligence collection. Adversaries compromised Google Workspace accounts by exploiting Salesloft Drift’s Salesforce integration. WhatsApp addressed a critical zero-day, zero-click vulnerability tied to sophisticated attacks, though details remain undisclosed.