Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareRansomwareUsed by 2 actors

LightPeek

LightPeek is an information-stealing malware family written in PowerShell. In the provided reporting, it is described as a stealer that captures screenshots and collects file lists. It was identified by S2W TALON as one of more than nine malware samples used in a campaign targeting South Korean users and organizations. That campaign used phishing lures themed as postal-code or address update notices, with a malicious LNK file embedded in a RAR archive as the initial infection vector; execution led to an AutoIt loader that retrieved additional payloads from an external server. LightPeek was deployed alongside other malware including FadeStealer, NubSpy, CHILLYCHINO, TxPyLoader, and VCD ransomware. The activity is attributed by the cited researchers to ChinopuNK, a subgroup of ScarCruft/APT37, a North Korean state-sponsored threat actor. High-confidence behaviors directly mentioned for LightPeek are screenshot capture and file-list collection; no specific indicators of compromise are provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
APT37

LightPeek : An information stealer written in PowerShell.

via medium s2wblogmedium.com
ChinopuNK

LightPeek : An information stealer written in PowerShell.

via medium s2wblogmedium.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence1

Upon execution, the LNK dropped an AutoIt loader, which then fetched and executed additional payloads including a stealer, ransomware, and backdoor from an external server.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
medium s2wblogNews
Sep 3, 2025
ScarCruft’s New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware | by S2W | S2W BLOG | Medium

PowerShell-based information stealer.

Read more
dark readingNews
Aug 14, 2025
North Korea Attacks South Koreans With Ransomware

PowerShell-based infostealer that captures screenshots and collects file lists from infected systems.

Read more
the hacker newsNews
Aug 11, 2025
⚡ Weekly Recap: BadCam Attack, WinRAR 0-Day, EDR Killer, NVIDIA Flaws, Ransomware Attacks & More

LightPeek is a stealer malware used to exfiltrate sensitive information from compromised systems, observed in campaigns linked to North Korean threat actors.

Read more
hackreadNews
Aug 11, 2025
North Korean Group ScarCruft Expands From Spying to Ransomware Attacks

Information-stealing malware used to exfiltrate sensitive data from infected systems.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.