Ricochet Chollima

Threat Actor updated 10 months ago (2024-11-29T14:05:25.672Z)

Download STIX

Preview STIX

Ricochet Chollima, also known as Ruby Sleet, ScarCruft, and APT37 among other names, is a threat actor associated with the Democratic People's Republic of Korea (DPRK). The group has been operational since at least 2016, primarily targeting the Republic of Korea (RoK), including government officials, non-governmental organizations, academics, and journalists. Ricochet Chollima's activities are largely centered around espionage operations, using spear-phishing attacks to deliver custom tools for intelligence gathering. In recent developments, multiple North Korean threat actors, including Ricochet Chollima, have targeted the Russian government and defense industry. In March 2023, Ricochet Chollima compromised an aerospace research institute in Russia, according to a report by Microsoft. The group also breached NPO Mashinostroyeniya, a Russian missile engineering firm, as highlighted by SentinelOne. These actions suggest a broadening of Ricochet Chollima's focus beyond South Korean targets, indicating a potential shift in the group's strategic objectives. Beyond its traditional focus on RoK and new interest in Russian entities, Ricochet Chollima has also been involved in operations related to Cambodian affairs. Using malicious emails written in Khmer, Cambodia's primary language, the group has attempted to lure targets into cyber traps. This diverse range of activities underscores Ricochet Chollima's adaptability and the global nature of its operations. Given these ongoing threats, it is essential for organizations and governments worldwide to remain vigilant against the potential risks posed by this and similar threat actors.

Description last updated: 2024-10-04T03:15:57.851Z

What's your take? (Question 1 of 0)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT37 is a possible alias for Ricochet Chollima. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Ricochet Chollima Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	18 days ago	North Korean Hackers Weaponize Seoul Intelligence Files
DARKReading	a year ago	DPRK's APT37 Targets Cambodia in Khmer
MITRE	2 years ago	Ricochet Chollima - crowdstrike.com
CERT-EU	2 years ago	Cyber Security Week in Review: September 8, 2023
CERT-EU	2 years ago	North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers
CERT-EU	2 years ago	North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains
CERT-EU	2 years ago	Elite North Korean Hackers Breach Russian Missile Developer