Group123

Threat Actor updated 4 months ago (2024-05-04T20:51:46.815Z)
Group123, also known as Inky Squid or APT37, is a threat actor group suspected of carrying out malicious cyber activities. The group is known for its technical capability and innovative intrusion techniques. Over the past 18 months it has been associated with a series of attacks that reuse shellcode resembling that of its earlier campaigns. The final payload in these attacks is typically malicious shellcode hidden inside an image hosted on a compromised website, with the operators using open platforms as command-and-control (C2) servers. Their primary targets appear to be government entities.

NavRAT is a malware campaign that has been linked to Group123 with medium confidence. The developer of NavRAT is believed to be a different person within Group123's team, but the infection framework and mode of operation align closely with the group's known tactics. Although no non-obvious false flags have been identified, the evidence is sufficient to suggest that NavRAT is not the work of actors outside Group123; this assessment rests on the similarities in how the attacks are approached and executed. Mandiant Threat Intelligence has reported that APT37 activity aligns with that tracked as Scarcruft and Group123. As analysis of the Korean malware landscape deepens, questions persist about possible links with Group123. However, given the consistent alignment of attack methodology and target selection, it is assessed with medium confidence that NavRAT and the other associated campaigns can be attributed to Group123. The group continues to pose a significant threat, particularly to government targets, and warrants ongoing vigilance.
Description last updated: 2024-05-04T20:30:14.059Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
Profile (votes): Description

APT37 (3 votes): APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu

ScarCruft (3 votes): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Malware
Apt
Source Document References
Information about the Group123 threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source (created): Title

CERT-EU (a year ago): Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
MITRE (2 years ago): Korea In The Crosshairs
MITRE (2 years ago): Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE (2 years ago): NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
Securityaffairs (a year ago): North Korea-linked ScarCruft APT uses large LNK files in infection chains
CERT-EU (a year ago): North Korea-linked ScarCruft APT uses large LNK files in infection chains | IT Security News