RedEyes

Threat Actor updated a month ago (2024-10-21T09:00:55.571Z)
RedEyes, also known as APT37, TA-RedAnt, Reaper, ScarCruft, Group123, InkSquid, BadRAT, and Ricochet Chollima, is a North Korea-linked threat actor. It recently exploited an Internet Explorer zero-day vulnerability (CVE-2024-38178, CVSS score 7.5) in a supply chain attack. The group has been observed using a new malware called FadeStealer to collect information from targeted systems and send it to a command-and-control (C2) server. RedEyes' attacks are typically aimed at specific individuals such as North Korean defectors, human rights activists, and university professors.

In addition to exploiting vulnerabilities, the group has been sending malicious emails related to Cambodian affairs, written in the Khmer language, to lure targets; this suggests a shift in tactics and demonstrates the group's adaptability. The group has also deployed the CloudMensis malware, which checks whether SIP (macOS System Integrity Protection) is disabled in order to load its own malicious database. While not considered highly sophisticated, this malware is designed to steal various information from compromised machines that can serve as a stepping-stone for future attacks.

ASEC and Securonix, among other cybersecurity entities, are actively monitoring the activities of the RedEyes group and taking steps to mitigate further damage. The state-sponsored group's recent use of an infostealer against North Korean defectors, human rights activists, and university professors underscores the persistent threat it poses. As these attacks continue, organizations are urged to remain vigilant and proactive in their cybersecurity measures to counter the ongoing threats posed by RedEyes.
Description last updated: 2024-10-21T08:39:13.340Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias | Description | Votes
Reaper (3 votes) is a possible alias for RedEyes. Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
APT37 (3 votes) is a possible alias for RedEyes. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and
ScarCruft (2 votes) is a possible alias for RedEyes. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Malware
State Sponso...
Infostealer
Analyst Notes & Discussion
Source Document References
Information about the RedEyes threat actor was read from the documents corpus below (this display is limited to 20 results).