Group123

Threat Actor updated 23 days ago (2024-11-29T14:49:13.319Z)
Download STIX
Preview STIX
Group123, also known as APT37, RedAnt, RedEyes, ScarCruft, Inky Squid, and Reaper, is a threat actor group associated with North Korea. This group has demonstrated a variety of technical capabilities in their intrusions, primarily targeting government entities. Mandiant Threat Intelligence and AhnLab Security Intelligence Center (ASEC) have identified Group123's alignment with the activity publicly reported as Scarcruft. The group's modus operandi includes using malicious shellcode located in images hosted on compromised websites, leveraging open platforms as command and control servers, and exploiting vulnerabilities in popular software. Recently, Group123 exploited an Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178 (CVSS score 7.5), in a supply chain attack specifically targeting a Toast ad program that is usually installed alongside various free software. This approach closely aligns with Group123's previously observed and documented techniques over the past 18 months. The malware developer within the group appears to be a different individual, but the infection framework and operating mode remain consistent with Group123's known activities. There is medium confidence in the assessment that NavRAT, a malicious campaign, is linked to Group123. Despite the lack of non-obvious false flags in NavRAT, its connection to Group123 is supported by the similarities in execution and intent. However, it's important to note that these assessments are based on current available data and may change as further information becomes available.
Description last updated: 2024-11-15T16:18:40.428Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT37 is a possible alias for Group123. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and
4
ScarCruft is a possible alias for Group123. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me
3
Redant is a possible alias for Group123.
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Group123 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more