Redeyes

Threat Actor Profile (updated 3 months ago)
RedEyes, also known as APT37, ScarCruft, Reaper, or BadRAT, is a threat actor group known for its malicious cyber activities. The group recently deployed a new malware named FadeStealer to extract information from targeted systems. It has also been observed using CloudMensis, a malware that seeks out systems where SIP (System Integrity Protection) is disabled before loading its own malicious database. RedEyes has specifically targeted individuals such as North Korean defectors, human rights activists, and university professors. In May 2023, the group was found distributing a previously unidentified infostealer with wiretapping capabilities, together with a backdoor written in Go that exploits the Ably platform. The malware is designed to steal various types of information from compromised machines, which then serve as stepping-stones for future attacks. Once collected, the system information is transmitted to a command-and-control (C2) server. The cybersecurity community, including organizations such as ASEC, is actively monitoring the RedEyes group and taking measures to mitigate further damage. RedEyes typically initiates its attacks with spear-phishing emails carrying a Compiled HTML Help file (CHM) disguised as a password-protected document. Although the malware is not considered highly sophisticated, it poses a significant threat because it gathers sensitive information that enables more advanced follow-on attacks.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Reaper | 3 | Reaper, also known as APT37, Inky Squid, RedEyes, or ScarCruft, is a threat actor group attributed to North Korea. It deploys ROKRAT, a malicious tool that has been used in cyber exploitation since the 1970s. This group is also tied to the NOKKI malware family, which originated from research surroun
APT37 | 2 | APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
ScarCruft | 2 | ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Cloudmensis | 1 | CloudMensis, a form of malware specifically designed to exploit macOS systems, was first brought to light by ESET in July 2022. The software infiltrates devices primarily through email attachments, causing significant security breaches once inside. Once installed, CloudMensis works diligently to ide
Badrat | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
State Sponso...
Infostealer
Apt
Phishing
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
Inksquid | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 1 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Redeyes threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 3 months ago | DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
DARKReading | 3 months ago | DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
CERT-EU | a year ago | North Korean APT37 Exploits New FadeStealer Malware
CERT-EU | a year ago | ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
CERT-EU | a year ago | ThirdEye Infostealer Poses New Threat to Windows Users
CERT-EU | a year ago | ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks
CERT-EU | a year ago | North Korean APT targets defectors, activists with infostealer malware
InfoSecurity-magazine | a year ago | RedEyes Group Targets Individuals with Wiretapping Malware