NICKEL FOXCROFT
SUMMARY
NICKEL FOXCROFT is a targeted threat group that CTU researchers assess with moderate confidence conducts espionage on behalf of the North Korean government. It appears to focus exclusively on targets in South Korea, particularly individuals and organizations involved in reporting on North Korea, researching geopolitics on the Korean peninsula, or supporting defectors.
Like other North Korean threat groups, NICKEL FOXCROFT relies heavily on social engineering to spearphish victims and deliver payloads onto target networks. On at least one occasion, the group socially engineered victims to obtain their social media credentials and then exploited access to these accounts to more effectively target the victim’s associates.
NICKEL FOXCROFT historically exploited vulnerabilities in Hangul Word Processor (HWP) files, which are commonly used by public and private organizations in South Korea. The threat actors then switched to using malicious Microsoft Word documents in spearphishing emails. The documents deliver tools such as RokRat, which includes credential theft, data exfiltration, screenshot capture, system information capture, and file and directory management capabilities.