
Threat Actor Profile - APT37

**The following is an example of the APT Threat Actor Profiles available exclusively to Premium Members**

Threat Actor: APT37; AKA "Ricochet Chollima", "RedEyes", "InkySquid", "ScarCruft", "Reaper", "Group123", "TEMP.Reaper", "THALLIUM", "Venus 121", "ATK4", "G0067", "Moldy Pisces"

Date of Activity: ~2012 - Present

Area of Operations: Global

Overview: APT37 is a highly sophisticated hacking group that is believed to be based in North Korea. The group has been active for several years and has been linked to various cyber-attacks around the world. The group has been known to use a wide range of attack techniques and tools, including malware such as backdoors, keyloggers, and remote access trojans (RATs). They have targeted a variety of industries, including government agencies, military organizations, and critical infrastructure.

This group is known for its highly targeted attacks on a range of organizations across multiple industries. From the government and military sectors to healthcare and technology companies, APT37's objective is clear: to steal sensitive information that can be used for financial gain and intelligence gathering.

International entities within the defense, government, healthcare, technology, and finance sectors have all been targeted by APT37. Its operations have been observed in several countries and regions, including South Korea, Japan, Vietnam, the Middle East, Russia, China, Romania, and the United States.

The primary goal of APT37 is intelligence gathering for the North Korean government. This involves the theft of trade secrets, financial data, and intellectual property from businesses and governments. Also, the group has been seen launching attacks aimed at sabotaging their targets' ability to function normally.


  • Spear-phishing: APT37 uses targeted spear-phishing emails to deliver malware to their targets. These emails are often crafted to look like legitimate messages, but contain malicious attachments or links.

  • Watering hole attacks: APT37 has been known to compromise legitimate websites frequented by their targets in order to deliver malware.

  • Zero-day exploits: APT37 has been known to exploit software vulnerabilities for which no patch or update is yet available, in order to gain access to target networks.

  • Use of malware: APT37 has developed and used a range of malware, including backdoors, keyloggers, and remote access trojans (RATs), to gain and maintain access to target systems.

  • Supply chain attacks: APT37 has been known to target software supply chains, compromising legitimate software and distributing it to their targets with backdoors and other malicious functionality embedded.

  • Infrastructure and network exploitation: APT37 has been known to conduct network reconnaissance and use various tools and techniques to maintain persistence in target networks, such as password cracking, lateral movement, and data exfiltration.

APT37 is also known to exploit known software vulnerabilities to gain access to targeted systems. The group has been known to make use of zero-day vulnerabilities. APT37 also frequently uses custom-built malware tools to maintain persistence and steal sensitive data. SLOWDRIFT, DOGCALL, and, most recently, M2RAT are some of the most commonly used malware tools associated with APT37.

Recent Activity:

  • In January 2023, the group sent phishing emails with malicious attachments that triggered the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor, which is widely used in South Korea. The exploit ran shellcode on the victim's computer that downloaded and executed a malicious executable stored inside a JPEG image. For persistence, the malware added a new value ("RyPO") under the "Run" registry key, with commands that execute a PowerShell script via "cmd.exe". The M2RAT malware delivered in this campaign is evasive: it scans portable devices for documents and voice-recording files and copies them to the PC for exfiltration to the attacker's server. It uses a shared memory section for command-and-control communication and data exfiltration, transferring stolen data directly to the C2 without storing it on the compromised system.

  • Another attack attributed to APT37 deployed the RokRat Trojan in a spear-phishing campaign targeting the South Korean government. Malwarebytes identified a malicious document last December containing an embedded macro that uses a VBA self-decoding technique to decode itself within the memory space of Microsoft Office without writing to disk. This suggests a change in tactics for APT37, which has used RokRat in a number of campaigns since 2016. The Microsoft VBA document, uploaded to VirusTotal in December, purported to be a meeting request dated January 23, 2020, implying that the attacks took place almost a year earlier. RokRat is a Windows-based backdoor distributed via trojanized documents that is capable of capturing screenshots, logging keystrokes, evading anti-virtual-machine detections, and leveraging cloud storage APIs. In 2019, it gained additional features to steal Bluetooth device information.

  • APT37 exploited a zero-day vulnerability to target South Korean users, capitalizing on the Itaewon Halloween crowd crush. The attack chain used a malicious Microsoft Word document uploaded to VirusTotal on October 31, 2022. The exploit targeted an Internet Explorer zero-day flaw in the JScript9 JavaScript engine, CVE-2022-41128, which Microsoft has since patched.

  • In November 2021, Kaspersky uncovered evidence of the group delivering a previously undocumented implant called Chinotto as part of a new wave of highly targeted surveillance attacks. Stairwell disclosed details of a spear-phishing attack targeting journalists covering the country, with the ultimate goal of deploying a malware dubbed GOLDBACKDOOR, which shares tactical overlaps with BLUELIGHT. Stairwell's investigation into that campaign revealed that the lure messages were sent from a personal email address belonging to a former South Korean intelligence official, leading to the deployment of a backdoor in a multi-stage infection process. The backdoor is a Portable Executable file capable of retrieving commands from a remote server, uploading and downloading files, recording files, and remotely uninstalling itself from compromised machines. Using an undocumented backdoor called Dolphin, APT37 was also able to spy on South Korean targets. ESET researcher Filip Jurčacko found the implant deployed as a final-stage payload in a watering hole attack in early 2021. ESET's findings shed light on Dolphin as a second, more sophisticated backdoor that is manually deployed only against selected victims. It can search removable devices and connected smartphones and exfiltrate files of interest, such as media, documents, emails, and certificates. It has undergone three successive iterations and can modify the settings of victims' Google and Gmail accounts to lower their security.
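The January 2023 M2RAT entry above describes persistence as a "RyPO" value under the "Run" registry key whose command runs a PowerShell script through cmd.exe. The following is an added example, not code from the profile or from any vendor: a small Python triage script that parses a .reg export of the Run key and flags entries matching that pattern. The sample export, the "OneDrive" and "SecurityHealth" entries, and the exact command line are constructed for illustration; only the value name "RyPO" comes from the text.

```python
import re
from typing import Dict, List

# Value name the profile reports M2RAT writing under the Run key (taken from the text above).
KNOWN_BAD_NAMES = {"RyPO"}

# A .reg export stores values as "Name"="Data"; backslashes and quotes in Data are escaped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_RUN_KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run\]$", re.IGNORECASE)

# Constructed sample export (not from the profile): two benign entries, one M2RAT-style entry.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"RyPO"="c:\\windows\\system32\\cmd.exe /c powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Public\\update.ps1\""
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # turns \\ into \ and \" into "

def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command} for every value under a ...\\CurrentVersion\\Run key."""
    values, in_run_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a key header switches the current key
            in_run_key = bool(_RUN_KEY_RE.match(line))
            continue
        m = _VALUE_RE.match(line)
        if in_run_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def flag_suspicious(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {value_name: [reasons]} for entries matching the profile's persistence pattern."""
    findings = {}
    for name, cmd in values.items():
        low, reasons = cmd.lower(), []
        if name in KNOWN_BAD_NAMES:
            reasons.append("value name matches the M2RAT persistence entry")
        if "cmd.exe" in low and "powershell" in low:
            reasons.append("cmd.exe used to launch PowerShell from a Run key")
        if any(s in low for s in ("-windowstyle hidden", "-w hidden", "-encodedcommand", "bypass")):
            reasons.append("PowerShell window-hiding or policy-bypass switches")
        if reasons:
            findings[name] = reasons
    return findings
```

On a live host, feed it the output of `reg export` for the HKCU and HKLM Run keys; the name match is a narrow indicator, while the cmd.exe-to-PowerShell and switch heuristics will also surface lookalike entries worth a manual look.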

APT37 also has a long history of attacks and has been associated with the following campaigns between 2016 and 2018:

Operation Daybreak

Operation Daybreak was a North Korean cyber-espionage campaign that targeted industries such as defense, technology, and finance. The campaign employed a number of attack methods, including spear-phishing, social engineering, and exploitation of known software flaws. Its purpose was to gather sensitive information from targeted systems. The campaign was responsible for a number of high-profile attacks, including the compromise of a South Korean defense firm.

To deceive targets into clicking a malicious link or attachment, the attackers used spear-phishing and social engineering. Once the target clicked the link or attachment, the attackers had access to the system. They then used known software flaws to install malware or escalate their privileges, which enabled them to move laterally within the network and reach sensitive information.

Operations Erebus, FreeMilk, Evil New Year (2016), Evil New Year (2018), and Golden Time

These campaigns are all similar in that they used spear-phishing and watering hole attacks to gain access to systems, and all targeted organizations and agencies within the South Korean government. Once the attackers had access to the systems they targeted, they used advanced malware to steal critical information.

Spear-phishing is a technique used to trick a target into opening a malicious link or attachment. The attackers customized the email or message to appear legitimate and trustworthy to the target. Watering hole attacks involve compromising a legitimate website and then redirecting visitors to a malicious site where malware can be installed.

Are you Happy?

"Are you Happy?" was a North Korean cyber-espionage campaign discovered in 2018. The campaign targeted South Korean government institutions and organizations, as well as private-sector individuals. To gain access to targeted systems, the attackers used spear-phishing and watering hole attacks, then deployed custom-built malware to steal sensitive information.

The attackers employed sophisticated malware designed to avoid detection and remain undetected for extended periods of time. After gaining access to a system, the attackers could use it to move laterally through the network and steal further sensitive information.

North Korean Human Rights

North Korean Human Rights was a cyber-espionage effort that targeted organizations and individuals in North Korea who advocate for human rights. To gain access to targeted systems, the campaign employed spear-phishing and watering hole attacks. Once the attackers had gained access to a system, they used malware to steal sensitive data.

The attackers employed sophisticated malware designed to avoid detection and remain undetected for extended periods of time. The campaign's purpose was to gather information on North Korean individuals and groups that advocate for human rights. This information could then be used to target and potentially harm these people and organizations.
