North Korean APT InkySquid Infects Victims Using Browser Exploits
ID: 5cd77db9-7663-5d0d-85fe-3ef1c0eeb358
STIX ID: report--5cd77db9-7663-5d0d-85fe-3ef1c0eeb358
Feed Name: Volexity Blog
Volexity investigated a strategic web compromise of the Daily NK site (Mar–Jun 2021) attributed to InkySquid (aka ScarCruft/APT37). Attackers injected conditional JavaScript into legitimate site assets to redirect Internet Explorer users to exploit pages leveraging CVE-2020-1380 and CVE-2021-26411, delivered Cobalt Strike stagers, and ultimately deployed a custom backdoor named BLUELIGHT that uses Microsoft Graph/OneDrive for C2 and data exfiltration; IoCs and signatures are published alongside the analysis.
