APT37

Threat Actor Profile Updated 24 days ago
APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. The group was first reported by Talos in 2017 when it identified the ROKRAT malware, consistently attributed to APT37. Additionally, the group has access to destructive malware and uses custom malware for espionage purposes. The group was first discovered in 2021 and has been continually developing its malicious capabilities.

In our report, we detail various infection chains and lures used by APT37 in their recent attacks, resulting in the deployment of payloads like ROKRAT and Amadey. The group has also developed a specific malware named CloudMensis, which seeks to identify where SIP is disabled to load its own malicious database. While another report provides a technical analysis of one of the ROKRAT campaigns, our report offers further insights into additional campaigns by APT37 and a deeper analysis of the ROKRAT malware.

Over the past year, APT37 has been involved in significant cyber campaigns against Russia, including an attack on a Russian defense enterprise that resulted in a data leak. Despite Russia and North Korea's close ties, North Korean cyberespionage groups such as the Konni Group, Kimsuky Group, and APT37 have frequently targeted Russian government organizations. These activities indicate a complex and evolving threat landscape involving multiple actors and groups, with APT37 playing a crucial role.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry lists the profile ID, the number of votes, and the profile description.

ScarCruft (8 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int

Reaper (6 votes): Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun

Kimsuky (4 votes): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a threat actor linked to North Korea and has been active since it was first identified by a Kaspersky researcher in 2013. The group is known for its cyberespionage activities and has been involved

Group123 (3 votes): Group123, also known as Inky Squid or APT37, is a threat actor group suspected of executing malicious cyber activities. They are known for their technical capabilities and innovative intrusion techniques. Over the past 18 months, they have been associated with a series of attacks that utilize shellc

Redeyes (2 votes): RedEyes, also known as APT37, StarCruft, Reaper, or BadRAT, is a threat actor group known for its malicious cyber activities. This group recently deployed a new malware named FadeStealer to extract information from targeted systems. They have also been observed using CloudMensis, a malware that seek
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Korean
Exploit
Phishing
Apt
State Sponso...
Backdoor
Espionage
Microsoft
exploited
Vulnerability
Reconnaissance
Russia
Rat
Zero Day
Associated Malware
Each entry lists the profile ID, the association type, the number of votes, and the profile description.

ROKRAT (type: Unspecified, 6 votes): RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,

KONNI (type: Unspecified, 4 votes): Konni is a type of malware, malicious software designed to infiltrate and damage computer systems without the user's knowledge. It can infect systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data hostage f

Amadey (type: Unspecified, 3 votes): Amadey is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems via suspicious downloads, emails, or websites without user knowledge, then proceeds to steal personal information, disrupt operations, or even hold data for ransom. Our investigation has
Associated Threat Actors
Each entry lists the profile ID, the association type, the number of votes, and the profile description.

Lazarus Group (type: Unspecified, 3 votes): The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in a series of sophisticated cyber-attacks and illegal activities. The group is known for its exploitation activities aimed at establishing kernel read/write primitives. A notable attack orchestrated by the

Apt43 (type: Unspecified, 2 votes): APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity
Associated Vulnerabilities
Each entry lists the profile ID, the association type, the number of votes, and the profile description.

CVE-2022-41128 (type: Unspecified, 2 votes): no profile description available.
Source Document References
Information about the APT37 Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Each entry lists the source, when it was created, and the document title.

[Checkpoint, a year ago] Chain Reaction: ROKRAT’s Missing Link - Check Point Research
[CERT-EU, a year ago] Security Incident Weekly Report (02.13-02.19) - 360CERT
[MITRE, a year ago] Advanced Persistent Threats (APTs) | Threat Actors & Groups
[Securityaffairs, a year ago] North Korea-linked ScarCruft APT uses large LNK files in infection chains
[MITRE, a year ago] North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
[DARKReading, a year ago] North Korean APT Gets Around Macro-Blocking With LNK Switch-Up
[CERT-EU, a year ago] North Korean hackers are sending JPEG images capable of compromising Windows
[Checkpoint, a year ago] 27th March – Threat Intelligence Report - Check Point Research
[BankInfoSecurity, 10 months ago] North Korean Hackers Phishing With US Army Job Lures
[BankInfoSecurity, 10 months ago] N Korean Hackers Phishing With US Army Job Lures
[CERT-EU, a year ago] North Korean APT37 Exploits New FadeStealer Malware
[MITRE, a year ago] North Korean APT InkySquid Infects Victims Using Browser Exploits
[MITRE, a year ago] New variant of Konni malware used in campaign targeting Russia
[DARKReading, a year ago] Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products
[CERT-EU, a year ago] Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption
[CERT-EU, 8 months ago] North Korean Hackers Continue to Refine Their Arsenal of Tactics & Techniques
[CERT-EU, a year ago] North Korean APT targets defectors, activists with infostealer malware
[CERT-EU, a year ago] Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure
[CSO Online, a year ago] APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
[ESET, a year ago] Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin | WeLiveSecurity