Hackers Exploit Seoul Halloween Tragedy in Zero-Day Attack

April 23, 2023

North Korean hackers took advantage and exploit the Seoul Halloween tragedy to spread malware to South Korea, Google’s Threat Analysis Group (TAG) has discovered. The malicious software was hidden inside an official-looking document entitled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx”.

Researchers discovered a malicious Word file exploited the CVE-2022-41128 zero-day vulnerability in Internet Explorer’s JScript engine, which had previously been reported. When opened, the document downloaded a remote template rich text file which rendered HTML content using IE on the device.

Google’s Threat Analysis Group (TAG)

Google’s Threat Analysis Group (TAG) recently identified North Korean hackers utilizing the Seoul Halloween tragedy in a zero-day attack that targeted users in South Korea. The malware was embedded into an MS Word document that appeared to be related to the crowd crush that claimed 158 lives on October 29 in Itaewon neighborhood of Seoul.

Google reported that hackers exploited a zero-day vulnerability in Internet Explorer to spread malware to victims’ devices. Furthermore, the document contained Java script code which allowed attackers to remotely execute code on their targets’ computers.

Google’s report states that APT37, a group of North Korean government-backed hackers, has been involved in past attacks that targeted users, defectors and policymakers. The hacker collective has used implants that grant them access to their target’s computer system in the past.

TAG also discovered Russia-backed threat actors like Callisto Group (codename COLDRIVER by Google) have launched DDoS attacks and phishing campaigns against entities. These “advanced” campaigns allowed these criminals to obtain data, information or credentials through various methods.

North Korea’s illicit nuclear weapons program has been linked to hundreds of millions of dollars in losses due to these threats, suggesting the country cannot finance its missile tests through traditional budgetary means and instead relies on crypto theft for funding.

Google’s threat analysis team believes the attackers are a hack-for-hire group. These operators possess advanced hacking abilities and typically work as freelance threat actors, stealing data and invading systems from governments, businesses, politicians, journalists, activists and more around the world.

Google’s TAG first identified APT37 in October 2017, and it has a history of targeting South Korean users, North Korean defectors and policymakers with malware-infected computers. This campaign employed an unknown zero-day vulnerability in Internet Explorer to install malicious documents onto victims’ devices – this vulnerability being first reported to Microsoft on October 31 and patches released the following day, November 8.


Google’s Threat Analysis Group (TAG) recently identified ScarCruft, a North Korean hacking group also known as APT37, InkySquid, Reaper and Ricochet Chollima, exploiting an Internet Explorer vulnerability to target South Korean users. These individuals and groups have historically targeted South Koreans including defectors from North Korea, policy makers, journalists and human rights activists with impunity, according to TAG reports.

This attack utilizes a malicious Microsoft Word document that references the October 29 incident in Seoul’s Itaewon Ward and leverages public interest in the tragedy to exploit a zero-day flaw in JScript9 JavaScript engine, which Microsoft patched last month. The document attempts to fetch an RTF remote template which then downloads remote HTML content which Office renders using Internet Explorer; however, users must disable “Protected View” feature within Office in order to download this template.

Once exploited, the document is sent to a command-and-control server. There, it executes shellcode which deletes all traces by clearing out Internet Explorer cache and history before downloading the next stage payload.

Security researchers at ESET have discovered that this malware is only capable of infecting computers running Windows, but it can also be distributed via email and social media. Furthermore, attackers have been observed using a backdoor known as Dolphin to launch attacks against specific targets.

Kaspersky Lab recently reported that the ScarCruft group had been dispersing malware through steganography, or hiding malicious files within seemingly innocent image files. This technique is often employed to avoid detection and avoid prosecution.

ScarCruft also uses a backdoor that grants them access to compromised systems on Google Drive and files they desire. This backdoor enables them to conduct cyberespionage, steal personal information and harvest mobile device data.

ScarCruft group has been active since 2012 and is responsible for numerous APT campaigns, such as Operation Daybreak. This operation exploited spear phishing emails and an unknown zero-day Adobe Flash Player flaw to launch attacks against South Korea. Other actions taken against a South Korean digital newspaper and with zero-day Internet Explorer exploits also occurred.

Internet Explorer

Google’s Threat Analysis Group (TAG) recently identified a North Korean government-backed hacking group known as APT37 or ScarCruft exploiting an Internet Explorer zero-day vulnerability to target South Korean users. Researchers discovered the malware in late October when multiple people in South Korea uploaded an unfamiliar Microsoft Office document to VirusTotal, an online file-scanning tool operated by Google’s TAG team.

The fake report, entitled “221031 Seoul Yongsan Itaewon accident response situation (06:00.docx,” contained information regarding a deadly Halloween crush that took place in Seoul’s Itaewon nightlife district on October 29. As thousands of young revellers packed into narrow alleyways to celebrate, 158 died.

After inspecting the malicious document, TAG discovered it was exploiting a zero-day flaw in JavaScript engine of Internet Explorer to install backdoors on victims’ computers. It reported this vulnerability to Microsoft within hours and patches for fixing it were released five days later.

APT37 is a well-known North Korean government-backed hacking group that targets South Koreans, North Korean defectors, policy makers, journalists and human rights activists worldwide. Additionally, APT37 has spread several types of backdoors which enable its hackers to take control of devices.

TAG’s technical analysis team determined that the malicious document took advantage of a zero-day flaw in Internet Explorer to exploit JavaScript engine. This flaw was assigned CVE-2022-41128 by Microsoft, who quickly patched it to protect users.

The TAG team reported that attackers used an IE zero-day exploit to infect South Korean targets with malware by loading a remote HTML template that caused Internet Explorer to render content remotely. Once loaded on victims’ devices, these malicious actors could then inject rogue code into the targeted system for whatever malicious purpose they desired.

Additionally, since this attack leveraged a zero-day flaw in Internet Explorer, victims didn’t need to have it set as their default browser. This approach has been employed since 2017 to distribute IE exploits without mandating they use Internet Explorer as their go-to application.

Microsoft Word

Google’s Threat Analysis Group (TAG) has discovered that a North Korean hacking group exploited the Seoul Halloween tragedy to distribute malicious software in South Korea. The hackers infiltrated malware into documents purporting to be government reports, according to TAG’s report.

North Korean hackers used a zero-day vulnerability in Microsoft Word to spread malware, the company reported. A “zero-day” is an attack that occurs when there is an unknown flaw in a system which cannot be fixed before being exploited by malicious actors, such as North Korean hackers.

Researchers found the attackers used a document that referenced an October 29 incident in Seoul’s Itaewon nightlife district, where 158 people perished due to a crowd crush. This event had been widely reported on, and hackers used it as bait to trick people into opening malicious files, Google’s blog post noted.

When users opened corrupted documents, they downloaded a rich text file (RTF) which then grabbed remote HTML content – an approach commonly used by threat actors to steal information from vulnerable devices, according to Google’s Threat Analysis Group (TAG).

The documents also exposed a zero-day vulnerability in JavaScript engine, part of Internet Explorer. Microsoft patched this flaw shortly after Google’s TAG discovered it a week earlier.

These vulnerabilities are frequently combined with backdoors that steal information from compromised PCs, the TAG blog noted. Hackers then have the ability to access other computers on the network and collect data without requiring the user’s consent, according to TAG blog postings.

On November 8, 2016, multiple South Korean users uploaded the document to VirusTotal, which analyzes suspicious files, alerting the TAG team of an exploit. Microsoft quickly issued a patch on that same day to fix the issue, according to Google’s blog post.

North Korean hackers utilized a document to download a malicious file, which could then be executed on devices running Windows 8.1 or 10. This exploit allowed for the installation of a remote template that would grab content injected through an internet connection – an approach used by threat actors since at least 2017, according to TAG blog post.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us