Ricochet Chollima

Threat Actor updated 9 months ago (2024-11-29T14:05:25.672Z)
Ricochet Chollima, tracked by other vendors under names including Ruby Sleet, ScarCruft, and APT37, is a threat actor associated with the Democratic People's Republic of Korea (DPRK). The group has been operational since at least 2016 and has primarily targeted the Republic of Korea (RoK), in particular government officials, non-governmental organizations, academics, and journalists. Its activity is centered on espionage: spear-phishing emails deliver custom tooling that is then used for intelligence collection.

More recently, several North Korean threat actors, Ricochet Chollima among them, have targeted the Russian government and defense industry. According to a Microsoft report, Ricochet Chollima compromised an aerospace research institute in Russia in March 2023, and SentinelOne has reported the group's intrusion into NPO Mashinostroyeniya, a Russian missile engineering firm. These intrusions show that the group's targeting has broadened beyond South Korea and may reflect a shift in its collection priorities.

The group has also run operations related to Cambodian affairs, using spear-phishing emails written in Khmer, Cambodia's primary language, as lures. Taken together, the South Korean, Russian, and Cambodian activity shows an actor that adapts its targeting and operates well beyond its original regional focus, and organizations in the affected sectors should treat it as an ongoing threat.
Description last updated: 2024-10-04T03:15:57.851Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following names and profiles may describe the same activity and are worth reviewing alongside this one.
APT37 (2 votes): APT37 is a possible alias for Ricochet Chollima. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and