North Korean hackers exploit IE zero-day to deploy RokRAT malware via fake ads

South Korean citizens, human rights activists, and political entities targeted for surveillance and data theft.
A simple pop-up ad became a vector for mass surveillance
North Korean hackers weaponized toast notifications to silently infect thousands of South Korean computers without user interaction.

In the quiet background of ordinary digital life, a North Korean state-sponsored group turned the humble pop-up advertisement into a weapon of mass surveillance. ScarCruft, long known for precision targeting of activists and defectors, scaled its ambitions by exploiting a ghost in the machine — the lingering remnants of Internet Explorer, officially retired but still breathing inside millions of Windows systems. The campaign, uncovered by South Korean authorities, is a reminder that in the architecture of modern technology, nothing truly disappears; obsolescence is not the same as absence.

  • Thousands of South Korean computers were silently infected without a single click — the attack arrived disguised as an ordinary toast notification from trusted software.
  • The vulnerability exploited lives inside Internet Explorer's deprecated JavaScript engine, a relic Microsoft retired in 2022 but never fully excised from Windows and third-party applications.
  • Once inside, RokRAT operates as a relentless surveillance engine — stealing documents, logging keystrokes, monitoring clipboards, and photographing screens every three minutes.
  • ScarCruft adapted its 2022 playbook with just three new lines of code, surgically bypassing Microsoft's prior patches and demonstrating a group that refines rather than reinvents.
  • South Korea's National Cyber Security Center and AhnLab have mapped the full operation, but the underlying attack surface — legacy IE components embedded across millions of machines — remains largely unresolved.

South Korean cybersecurity authorities have exposed a campaign by North Korean hackers that turned routine pop-up advertisements into silent infection vectors. The group behind it, ScarCruft — also known as APT37 — has long targeted human rights activists, defectors, and political organizations. This time, they compromised a South Korean advertising agency's server to push malicious toast notifications through a widely installed free utility, reaching victims at scale without requiring any interaction at all.

Hidden inside these ordinary-looking ads was an iframe triggering a JavaScript exploit targeting CVE-2024-38178, a high-severity flaw in Internet Explorer's Chakra engine. Though Microsoft officially retired the browser in 2022, its components persist inside Windows and third-party software — and those remnants remain fully exploitable. The attack required no click, no download, no mistake on the victim's part.

The payload delivered was RokRAT, a surveillance tool built for espionage. It exfiltrates documents to a Yandex cloud server every thirty minutes, captures keystrokes and clipboard contents, and takes screenshots every three minutes. To avoid detection, it injects itself into explorer.exe — or, if common antivirus tools are present, into a random system executable. A final component ensures it survives reboots by embedding itself in the Windows startup folder.

What makes the campaign especially telling is its relationship to the past. ScarCruft ran a nearly identical operation in 2022 using a different IE flaw. This version required only three additional lines of code to defeat Microsoft's subsequent patches — a surgical refinement, not a reinvention. The joint investigation by South Korea's National Cyber Security Center and AhnLab has illuminated the full mechanics of the attack, but the deeper problem endures: deprecated software does not vanish. It waits, embedded in the infrastructure of daily life, for someone willing to look closely enough.

South Korea's cybersecurity authorities have uncovered a sophisticated campaign by North Korean state-linked hackers that weaponized something as mundane as a pop-up advertisement to silently infect thousands of computers with surveillance malware. The attack, which researchers have named "Code on Toast," represents a particularly insidious approach to mass compromise: the hackers didn't need victims to click anything. The infections happened invisibly, in the background, while people went about their day.

The operation was orchestrated by ScarCruft, a North Korean state-sponsored hacking group also known as APT37 or RedEyes. For years, this outfit has built a reputation for precision targeting—focusing on South Korean human rights activists, North Korean defectors, and political organizations across Europe. They've long favored advanced techniques like phishing campaigns and watering hole attacks, but this latest operation showed a willingness to scale up and innovate. The group compromised a South Korean advertising agency's server and used it to push malicious toast notifications—those small pop-up windows that appear from antivirus software or free utility programs—through a widely used but unnamed piece of free software installed on many South Korean computers.

Embedded within these seemingly ordinary ads was a carefully constructed iframe that triggered a JavaScript payload. That payload exploited a previously unknown vulnerability in Internet Explorer, tracked as CVE-2024-38178 and rated as high-severity with a score of 7.5. The flaw lives in Internet Explorer's JScript9.dll file, part of its Chakra JavaScript engine, and allows attackers to execute arbitrary code on a victim's machine. What made this particularly effective was that Internet Explorer, officially retired by Microsoft in 2022, still has components embedded throughout Windows and in third-party software. Those legacy pieces remain vulnerable and widely exposed.

Once a system was compromised, ScarCruft deployed RokRAT, a malware purpose-built for espionage and data theft. The malware hunts for sensitive documents—Word files, Excel spreadsheets, PowerPoint presentations, and others—and exfiltrates them to a Yandex cloud server every thirty minutes. But RokRAT does far more than steal files. It functions as a comprehensive surveillance tool, capturing keystrokes, monitoring clipboard contents, and taking screenshots every three minutes. The malware uses a four-stage infection process, injecting each payload into the explorer.exe process to hide from detection. If it finds popular antivirus tools like Avast or Symantec installed, it adapts by injecting itself into a random executable buried in the Windows system folder instead. To maintain persistence, the malware plants a final component called rubyw.exe into the Windows startup folder and schedules it to run every four minutes.

What's particularly striking is how closely this attack mirrors a previous ScarCruft operation from 2022 that exploited a different Internet Explorer vulnerability. The new version adds just three lines of code—a surgical modification designed to bypass Microsoft's earlier security patches. This suggests a group that studies its own past successes and refines them incrementally, rather than starting from scratch. The campaign was uncovered through a joint investigation by South Korea's National Cyber Security Center and AhnLab, a major cybersecurity firm. Their analysis revealed the full scope of the operation and the mechanics of how a simple pop-up ad became a vector for mass surveillance.

The implications extend beyond the immediate victims. Internet Explorer may be officially dead, but its ghost haunts millions of machines. Organizations and individuals who haven't fully migrated away from legacy systems, or who rely on older software that still uses Internet Explorer components, remain exposed. ScarCruft's willingness to invest in finding and exploiting these vulnerabilities suggests that state-sponsored actors see them as reliable attack surfaces—low-hanging fruit that still yields access to valuable targets. For South Korean citizens, activists, and officials, the threat is immediate and ongoing. For everyone else, it's a reminder that deprecated software doesn't simply disappear; it lingers in the background of modern systems, waiting to be weaponized.

"The vulnerability exists in Internet Explorer's JScript9.dll file, part of its Chakra engine, and allows remote code execution if exploited."
— South Korea's National Cyber Security Center and AhnLab analysis
The Hearth Conversation
Another perspective on the story
Inventor

Why would North Korean hackers focus on South Korea specifically? Isn't that obvious?

Model

It's not just geography. They're targeting a specific ecosystem—human rights activists who fled the North, defectors, political organizations. These are people with information about regime vulnerabilities. South Korea is also technologically sophisticated, which means the data is valuable and the targets are worth the effort.

Inventor

But why use toast notifications? Why not just send a phishing email like everyone else?

Model

Because toast ads are trusted. They come from software you already use. You see them constantly, so your brain stops registering them as unusual. A phishing email sits in your inbox where you might scrutinize it. A toast notification pops up and disappears. It's ambient.

Inventor

The malware takes screenshots every three minutes. That's constant surveillance.

Model

Relentless. It's not looking for one piece of information. It's building a complete picture of what you do, who you communicate with, what documents you access. Over weeks and months, that becomes a full dossier.

Inventor

Internet Explorer has been officially retired for two years. How is it still a viable attack vector?

Model

Because retirement isn't the same as removal. The code is still embedded in Windows. Third-party software still uses its components. Microsoft can't just delete it without breaking thousands of applications. So the vulnerability persists, and attackers know it.

Inventor

The malware only adds three lines of code to bypass previous patches. That seems almost lazy.

Model

It's the opposite of lazy. It's precise. They studied their own 2022 attack, understood exactly what Microsoft patched, and made the minimal change needed to slip through again. That's not desperation—that's confidence.

Want the full story? Read the original at TechRadar.