Fractured Statue

Primary URL Location Industry
Undetermined
Country
Undetermined
Profile

Fractured Statue is an alias used for a threat actor group that conducts cyber espionage operations. The group’s observed activity includes launching phishing campaigns that deliver malicious Microsoft Word attachments. Those attachments distribute the CARROTBALL and CARROTBAT malware droppers, which in turn deploy the SYSCON remote access trojan. SYSCON establishes persistent access via FTP‑based command‑and‑control, enabling data exfiltration from compromised systems. The targeting observed in the 2019‑07‑01 incident focused on a U.S. government agency and foreign nationals professionally linked to North Korean activities.

The operation has been attributed with moderate confidence to the KONNI threat group, which is aligned with North Korean interests. Fractured Statue’s tactics show evolution, such as embedding binary payloads and using architecture‑specific command execution within the malware. In later waves of the campaign the group employed decoy documents discussing North Korean geopolitical topics to lure victims. The activity occurred across multiple waves, indicating a capacity to refine delivery mechanisms while maintaining consistent objectives. No explicit information about the group’s size, organisational structure, ownership, or market reach is provided in the available sources.

Incidents
1 incident