APT37

Threat Actor updated 14 days ago (2024-10-04T04:00:58.289Z)
APT37, also known as InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima, is a threat actor suspected to be backed by North Korea. It primarily targets South Korea, but its activity has extended to Japan, Vietnam, the Middle East, and recently Cambodia, across industry verticals including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. APT37 uses custom malware for espionage and also has access to destructive malware. Notably, it uses the ROKRAT and Amadey payloads, first reported by Talos in April 2017 and consistently attributed to APT37. Its recent attacks show varied infection chains and lures: the group has been sending malicious emails about Cambodian affairs, written in Khmer, to lure targets. The resulting payload, a novel backdoor that Securonix named "VeilShell", is notable for its blend of living-off-the-land and proprietary tooling, strong persistence, and stealth mechanisms; it has been aimed at nations with which North Korea has complex relations, such as Cambodia. APT37 also gives its shortcut files PDF and Excel icons and double extensions such as ".pdf.lnk" or ".xls.lnk" to deceive users. Despite ongoing tracking and analysis by cybersecurity entities, APT37 keeps altering its infection chains and tooling. For instance, it was involved in an attack on a Russian defense enterprise that resulted in a data leak, and it has frequently targeted Russian government organizations. APT37 therefore remains a significant threat requiring continuous monitoring and robust defensive measures.
Description last updated: 2024-10-04T03:15:43.696Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias (votes): description
ScarCruft (8 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Reaper (6 votes): Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
Kimsuky (4 votes): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group first identified by Kaspersky researchers in 2013. The group has been involved in various cyber espionage activities against global targ
Group123 (3 votes): Group123, also known as Inky Squid or APT37, is a threat actor group suspected of executing malicious cyber activities. They are known for their technical capabilities and innovative intrusion techniques. Over the past 18 months, they have been associated with a series of attacks that utilize shellc
RedEyes (2 votes): RedEyes, also known as APT37, StarCruft, Reaper, InkSquid, BadRAT, ScarCruft, and Ricochet Chollima, is a threat actor group known for its malicious activities. The group has recently deployed a new malware called FadeStealer to pilfer data from compromised systems, which it then sends to a command-
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Windows, Korean, State Sponso..., Exploit, Phishing, Backdoor, Apt, Espionage, Microsoft, exploited, Vulnerability, Reconnaissance, Russia, Rat, Zero Day
Associated Malware
Malware (association type; votes): description
ROKRAT (Unspecified; 6 votes): RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
KONNI (Unspecified; 4 votes): Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba
Amadey (Unspecified; 3 votes): Amadey is a form of malware, a malicious software designed to exploit and damage computer systems. This particular malware is distributed via the Amadey loader, which can be disseminated through phishing emails or downloads from compromised sites. It has been observed that the individual behind the
Associated Threat Actors
Threat actor (association type; votes): description
Lazarus Group (Unspecified; 3 votes): The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain with a high level of confidence. Over th
APT43 (Unspecified; 2 votes): APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA
Associated Vulnerabilities
Vulnerability (association type; votes)
CVE-2022-41128 (Unspecified; 2 votes)
Source Document References
Information about the APT37 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (age of document), 20 entries:
DARKReading: 14 days ago; 6 months ago (3 documents); a year ago
CERT-EU: 8 months ago; a year ago (8 documents)
BankInfoSecurity: 8 months ago; a year ago (2 documents)
Recorded Future: 9 months ago; a year ago
MITRE: 10 months ago