APT37

Threat Actor updated 4 months ago (2024-05-04T19:56:44.118Z)
APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. The group was first reported by Talos in 2017 when it identified the ROKRAT malware, consistently attributed to APT37. Additionally, the group has access to destructive malware and uses custom malware for espionage purposes. The group was first discovered in 2021 and has been continually developing its malicious capabilities. In our report, we detail various infection chains and lures used by APT37 in their recent attacks, resulting in the deployment of payloads like ROKRAT and Amadey. The group has also developed a specific malware named CloudMensis, which seeks to identify where SIP is disabled to load its own malicious database. While another report provides a technical analysis of one of the ROKRAT campaigns, our report offers further insights into additional campaigns by APT37 and a deeper analysis of the ROKRAT malware. Over the past year, APT37 has been involved in significant cyber campaigns against Russia, including an attack on a Russian defense enterprise that resulted in a data leak. Despite Russia and North Korea's close ties, North Korean cyberespionage groups such as the Konni Group, Kimsuky Group, and APT37 have frequently targeted Russian government organizations. These activities indicate a complex and evolving threat landscape involving multiple actors and groups, with APT37 playing a crucial role.
Description last updated: 2024-05-02T13:16:07.864Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
ScarCruft | 8 | ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Reaper | 6 | Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
Kimsuky | 4 | Kimsuky, a threat actor linked to North Korea, has been increasingly active in conducting cyber espionage and malicious attacks. This group, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, was first identified by Kaspersky researchers in 2013. In recent de
Group123 | 3 | Group123, also known as Inky Squid or APT37, is a threat actor group suspected of executing malicious cyber activities. They are known for their technical capabilities and innovative intrusion techniques. Over the past 18 months, they have been associated with a series of attacks that utilize shellc
Redeyes | 2 | RedEyes, also known as APT37, StarCruft, Reaper, or BadRAT, is a threat actor group known for its malicious cyber activities. This group recently deployed a new malware named FadeStealer to extract information from targeted systems. They have also been observed using CloudMensis, a malware that seek
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Korean
Exploit
Phishing
Apt
State Sponso...
Backdoor
Espionage
Microsoft
exploited
Vulnerability
Reconnaissance
Russia
Rat
Zero Day
Associated Malware
ID | Type | Votes | Profile Description
ROKRAT | Unspecified | 6 | RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
KONNI | Unspecified | 4 | Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba
Amadey | Unspecified | 3 | Amadey is a sophisticated malware that has been identified as being used in various malicious campaigns. The malware is typically delivered through GuLoader, a loader known for its use in protecting payloads against antivirus detection. Analysis of the infection chains revealed encrypted Amadey payl
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 3 | The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. This group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for their sophisticated
Apt43 | Unspecified | 2 | APT43, also known as Kimsuky, Sparkling Pisces, Emerald Sleet, and Velvet Chollima among other names, is a North Korean state-sponsored advanced persistent threat (APT) group involved in cybercrime and espionage. This threat actor conducts intelligence collection and uses cybercrime to fund its espi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-41128 | Unspecified | 2 | None
Source Document References
Information about the APT37 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 4 months ago | Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft
DARKReading | 5 months ago | DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
CERT-EU | 6 months ago | Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity | 7 months ago | North Korean Group Seen Snooping on Russian Foreign Ministry
Recorded Future | 8 months ago | North Korea’s Cyber Strategy | Recorded Future
MITRE | 9 months ago | Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? | McAfee Blog
CERT-EU | a year ago | Trojanized VNC apps leveraged in defense-targeted Lazarus Group attacks
CERT-EU | a year ago | Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
CERT-EU | a year ago | North Korean defectors' group leader attacked by state-backed hackers
CERT-EU | a year ago | North Korean Hackers Continue to Refine Their Arsenal of Tactics & Techniques
DARKReading | a year ago | North Korea's State-Sponsored APTs Organize & Align
Recorded Future | a year ago | Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities | Recorded Future
CERT-EU | a year ago | Microsoft: North Korean hackers target Russian govt, defense orgs
CERT-EU | a year ago | Russian missile manufacturer subjected to North Korean APT attack
CERT-EU | a year ago | Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
CERT-EU | a year ago | North Korean Hackers Targets Russian Missile Engineering Firm
BankInfoSecurity | a year ago | North Korean Hackers Phishing With US Army Job Lures
BankInfoSecurity | a year ago | N Korean Hackers Phishing With US Army Job Lures
CERT-EU | a year ago | Stark#Mule Malware Campaign Targets Koreans, Uses US Army Documents