Global Industries Face Escalating Cyber Assaults from Pro-Russian Hackers

As the Russia-Ukraine war drags into late 2024, cyberspace has emerged as a critical battleground, with pro-Russian hacker groups intensifying operations against global industries.

A group identified as SectorJ149, also tracked as UAC-0050, has been linked to sophisticated attacks on South Korea’s manufacturing, energy, and semiconductor sectors.

Investigations suggest that these operations leverage customized malware purchased on dark web markets, demonstrating the growing nexus between geopolitical conflicts and cyber-enabled economic disruption.

Sophisticated Malware Chains Target South Korea

In November 2024, South Korean cybersecurity teams uncovered spear phishing campaigns by SectorJ149 targeting executives and technical staff of leading companies involved in the semiconductor, secondary battery, and production equipment industries.

Attackers crafted emails disguised as purchase requests and quotation inquiries, attaching malicious compressed files (.cab). Once opened, the archive released an obfuscated Visual Basic Script (VBS) that launched hidden PowerShell commands.

[Figure: Hacking activities targeting domestic manufacturing-related companies by the SectorJ149 (aka UAC-0050) group]

These PowerShell scripts contacted platforms such as GitHub and Bitbucket to fetch image files (e.g., “img_test.jpg”) laced with hidden code.

Using steganography, malicious payloads were decrypted into Portable Executable (PE) malware and executed in memory without leaving traces on the hard drive—a fileless attack technique designed to blind traditional detection tools.
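An analyst handling a "hidden payload in a picture" report usually wants a quick, offline triage check before opening the file in a full tool. The following is an added example, not code from the article or from any vendor cited in it: it walks the JPEG marker structure to find where the picture really ends, reports any bytes appended after that point, and looks for an embedded PE header (an "MZ" stub whose e_lfanew field points at "PE\0\0"). The sample image bytes are constructed inline and are not a decodable picture; the function and field names are the example's own.

```python
"""Triage a JPEG for appended data or an embedded PE image (added example)."""
import struct

JPEG_SOI = b"\xff\xd8"  # Start Of Image
JPEG_EOI = b"\xff\xd9"  # End Of Image


def jpeg_image_end(data: bytes):
    """Return the offset just past the EOI marker that structurally ends the
    picture, or None if the marker chain is broken. Walking the segments is
    more reliable than a byte search for FF D9, which an EXIF thumbnail or a
    payload byte sequence could satisfy early or late."""
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the picture ends here
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers, no length
            continue
        if pos + 3 >= n:
            return None
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seg_len                      # skip marker + segment body
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Inside scan data a real marker is FF followed by anything other
            # than 00 (byte stuffing) or D0-D7 (restart markers).
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def find_pe_header(data: bytes):
    """Return the offset of an embedded PE image, or None. Every 'MZ' hit is
    validated by following e_lfanew (DOS header offset 0x3c) to 'PE\\0\\0'."""
    start = 0
    while True:
        idx = data.find(b"MZ", start)
        if idx < 0:
            return None
        if idx + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            pe_off = idx + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                return idx
        start = idx + 1


def triage_image(data: bytes) -> dict:
    """Summarise the two signals; trailing data alone is enough to escalate,
    since an encrypted payload will not expose an MZ/PE signature."""
    end = jpeg_image_end(data)
    trailing = len(data) - end if end is not None else 0
    pe_off = find_pe_header(data)
    return {
        "well_formed_jpeg": end is not None,
        "trailing_bytes": trailing,
        "pe_offset": pe_off,
        "suspicious": trailing > 0 or pe_off is not None,
    }


# --- constructed samples (not real files) ---------------------------------
def minimal_jpeg() -> bytes:
    """SOI, a JFIF APP0 segment, a tiny SOS with fake scan data (including a
    stuffed FF 00 pair), then EOI. 38 bytes in total."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\x00" * 16


def polyglot_sample() -> bytes:
    """A clean picture with a (fake, inert) PE image appended after EOI."""
    return minimal_jpeg() + FAKE_PE


if __name__ == "__main__":
    print(triage_image(minimal_jpeg()))
    print(triage_image(polyglot_sample()))
```

Pixel-level steganography (payload bits spread through the image data) will pass both checks and needs a proper decoder or a comparison against the original image; this script is for the cheap first pass on a suspect download.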

The deployed loader malware proceeded to fetch further payloads disguised as text files, decrypting them into advanced stealer and remote access tools.

Persistence was achieved through a registry entry under “HKEY_CURRENT_USER,” a hive that can be written without administrative privileges, allowing the malware to re-execute after a reboot.

To maximize stealth, techniques like process hollowing concealed malicious code within legitimate processes, while execution required specific parameters, frustrating attempts by analysts to replicate the infection chain.
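The chain above (a script host launching PowerShell, an encoded command, a fetch from a code-hosting site, then a user-hive Run key) leaves several independent traces in endpoint telemetry, and the defensive value comes from correlating them per process rather than alerting on any one. The following added example, which is not code from the article or from any vendor, runs four such rules over constructed Sysmon-style events (Event 1 process create, 3 network connect, 13 registry set) in a simplified key=value line format. Field names follow Sysmon's schema; the host names, process GUIDs, SID, paths and the Base64 blob are made up, and HKCU appears as HKU\<SID> because that is how Sysmon records the user hive.

```python
"""Correlate host telemetry for the VBS -> PowerShell -> image fetch -> Run key chain (added example)."""
import re
from collections import defaultdict

# Constructed sample telemetry; the -enc blob is a dummy Base64 string, not a command.
SAMPLE_LOG = r'''
EventID=1 Host=WS01 ProcessGuid=P1 ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
EventID=3 Host=WS01 ProcessGuid=P1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=raw.githubusercontent.com DestinationPort=443
EventID=13 Host=WS01 ProcessGuid=P1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details="C:\Users\jdoe\AppData\Roaming\upd.exe"
EventID=1 Host=WS01 ProcessGuid=P2 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -NoProfile -File C:\Scripts\backup.ps1"
EventID=3 Host=WS01 ProcessGuid=P3 Image="C:\Program Files\Git\cmd\git.exe" DestinationHostname=github.com DestinationPort=443
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text: str) -> list:
    """Turn key=value lines (quoted values may contain spaces) into dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append({k: q or u for k, q, u in FIELD.findall(line)})
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
CODE_HOSTING = ("github.com", "githubusercontent.com", "bitbucket.org")
# -e / -ec / -enc / -encodedcommand followed by a Base64-looking argument
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
# Run/RunOnce under a user hive: no admin rights needed, survives reboot
USER_RUN_KEY = re.compile(
    r"(?i)^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")


def is_code_hosting(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CODE_HOSTING)


def rule_hits(ev: dict) -> list:
    """Return the names of the chain rules a single event satisfies."""
    hits = []
    eid = ev.get("EventID")
    img = basename(ev.get("Image", ""))
    if eid == "1" and basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS and img in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    if eid == "1" and img in POWERSHELL and ENC_ARG.search(ev.get("CommandLine", "")):
        hits.append("powershell_encoded_command")
    if eid == "3" and img in POWERSHELL and is_code_hosting(ev.get("DestinationHostname", "")):
        hits.append("powershell_to_code_hosting")
    if eid == "13" and USER_RUN_KEY.search(ev.get("TargetObject", "")):
        hits.append("user_run_key_persistence")
    return hits


def correlate(log_text: str, min_rules: int = 2) -> dict:
    """Group rule hits by (Host, ProcessGuid); a process that trips at least
    min_rules distinct rules is reported as a chain alert."""
    per_proc = defaultdict(set)
    for ev in parse_events(log_text):
        key = (ev.get("Host"), ev.get("ProcessGuid"))
        for hit in rule_hits(ev):
            per_proc[key].add(hit)
    return {key: sorted(rules) for key, rules in per_proc.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for (host, guid), rules in correlate(SAMPLE_LOG).items():
        print(f"{host} {guid}: {', '.join(rules)}")
```

Keying on the process GUID keeps the benign events (an operator's scheduled script, a developer's git client talking to GitHub) from accumulating into an alert, and the threshold lets a team tune between early warning and noise. The in-memory stages the article mentions (process hollowing, fileless PE execution) are not covered here; those need the Sysmon process-access and image-load events or an EDR sensor.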

Dark Web Market Fuels Cyber Warfare

Security researchers linked the final-stage malware to notorious malware-as-a-service (MaaS) variants widely resold on underground markets.

These included Lumma Stealer, FormBook, and Remcos RAT—tools capable of harvesting cryptocurrency wallets, browser credentials, and VPN data.

[Figure: Malware and web services used by the SectorJ149 group]

Additional malware, such as Mars Stealer and Medusa Stealer, was also observed in toolkit arsenals, alongside open-source options like XenoRAT, which is used to maintain persistence and bypass network restrictions.

The information collected ranged from hardware wallet seed phrases to credentials for browsers, password managers such as KeePass, and VPN tools such as NordVPN and ProtonVPN.

By capturing login data, clipboard content, keystrokes, and screenshots, attackers could infiltrate additional systems and exfiltrate sensitive corporate and personal data.

SectorJ149’s attacks against South Korea closely mirrored earlier intrusions against Ukrainian industries in October 2024, sharing identical loader malware, delivery infrastructure, and TTPs.

Indicators of compromise tied to GitHub-based delivery, Base64 encoding, and image-based steganography reinforced the attribution.

While the group previously focused on financially motivated operations, recent campaigns align more closely with political or strategic objectives, echoing Moscow’s broader attempts to weaponize cyber operations against industries of countries perceived as adversarial.

For South Korea and the global industry at large, these developments underscore the importance of preemptive Cyber Threat Intelligence (CTI), continuous monitoring, and rapid collaboration between organizations and government agencies.

With cyber operations increasingly serving as extensions of statecraft, protecting critical economic sectors has become an issue of both corporate resilience and national security.


The post Global Industries Face Escalating Cyber Assaults from Pro-Russian Hackers appeared first on Cyber Security News.