Ricochet Chollima, also known as Ruby Sleet, ScarCruft, and APT37 among other names, is a threat actor associated with the Democratic People's Republic of Korea (DPRK). The group has been operational since at least 2016, primarily targeting the Republic of Korea (RoK), including government officials, non-governmental organizations, academics, and journalists. Ricochet Chollima's activities are largely centered around espionage operations, using spear-phishing attacks to deliver custom tools for intelligence gathering.
In recent developments, multiple North Korean threat actors, including Ricochet Chollima, have targeted the Russian government and defense industry. In March 2023, Ricochet Chollima compromised an aerospace research institute in Russia, according to a report by Microsoft. The group also breached NPO Mashinostroyeniya, a Russian missile engineering firm, as highlighted by SentinelOne. These actions suggest that Ricochet Chollima's focus has broadened beyond South Korean targets and that the group's strategic objectives may be shifting.
Beyond its traditional focus on RoK and its newer interest in Russian entities, Ricochet Chollima has also been involved in operations related to Cambodian affairs, using malicious emails written in Khmer, Cambodia's primary language, to lure targets into opening them. This diverse range of activities underscores Ricochet Chollima's adaptability and the global reach of its operations. Given these ongoing threats, it is essential for organizations and governments worldwide to remain vigilant against the risks posed by this and similar threat actors.
Description last updated: 2024-10-04T03:15:57.851Z