APT37 is a North Korean state-sponsored cyber espionage group active since at least 2012, also known by aliases such as ScarCruft, Reaper, and Group123. The group primarily targets South Korea but has expanded operations to Japan, Vietnam, Russia, the Middle East, and other regions. APT37 is believed to operate under North Korea’s Ministry of State Security and is known for targeting government, defense, technology, telecommunications, and academic sectors.

Key Characteristics

• Primary Targets: South Korean government, military, academia, and national security organizations, with additional campaigns against targets in Japan, Vietnam, Russia, and the Middle East.
• Motivations: Espionage, intelligence gathering, and surveillance of political, military, and economic developments.
• Recent Activity: In 2025, APT37 has been linked to spear-phishing campaigns targeting South Korean think tanks and activists, often using Dropbox and other cloud services to deliver malicious payloads.

Attack Techniques and Tactics

• Spear Phishing: APT37 uses highly targeted phishing emails, often disguised as invitations to academic forums or national security events, to lure victims into opening malicious attachments or links.
• Fileless Malware: The group increasingly employs fileless techniques, such as malicious LNK (shortcut) files and PowerShell commands, to deploy malware like RoKRAT without leaving traditional file-based traces.
• Cloud Service Abuse: APT37 leverages trusted cloud platforms (Dropbox, Yandex, OneDrive, Google Drive) for command and control (C2) and data exfiltration, making detection and blocking more difficult.
• Living off Trusted Sites (LoTS): By using legitimate services for C2 and payload delivery, APT37 blends malicious traffic with normal user activity.
• Zero-Day Exploits: The group has demonstrated access to and use of zero-day vulnerabilities, including those in Hangul Word Processor (HWP), Adobe Flash, and Microsoft Office.
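The two behaviours that leave the clearest telemetry in the list above are the shortcut-launched PowerShell chain and C2 traffic to cloud-storage services from processes that have no reason to use them. The following is an added example, not code from the original profile or from any vendor report: two heuristic checks run over constructed Sysmon-style event records. The field names (Image, ParentImage, CommandLine, DestinationHostname), the switch list and the cloud-storage hostname list are assumptions for this example, and the command line in the sample event carries a placeholder rather than a real payload.

```python
# Heuristic detections for a shortcut-launched PowerShell chain and for
# cloud-storage C2 from unexpected processes. Event records are constructed
# to resemble Sysmon process-creation (EventID 1) and network-connection
# (EventID 3) data; field names and list contents are assumptions.

# Cloud storage services named in the profile; representative hostnames only.
CLOUD_STORAGE_SUFFIXES = (
    "dropbox.com", "dropboxapi.com",
    "disk.yandex.ru", "disk.yandex.com",
    "onedrive.live.com", "drive.google.com",
)

# Processes for which a connection to a cloud-storage service is expected.
EXPECTED_CLOUD_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                          "dropbox.exe", "onedrive.exe"}


def _basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_indicators(command_line):
    """Return the concealment switches present in a PowerShell command line.
    Assumption: tokens are matched exactly; PowerShell also accepts unambiguous
    prefixes of these switches, which a production rule would need to cover."""
    tokens = command_line.lower().split()
    found = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-w", "-windowstyle") and nxt == "hidden":
            found.append("hidden window")
        elif tok in ("-enc", "-encodedcommand", "-ec"):
            found.append("encoded command")
        elif tok in ("-nop", "-noprofile"):
            found.append("no profile")
        elif tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            found.append("execution policy bypass")
    return found


def check_process_event(ev):
    """Flag PowerShell started by explorer.exe (the parent when a user opens a
    .lnk from the desktop or an extracted archive) with concealment switches."""
    image = _basename(ev.get("Image", ""))
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    parent = _basename(ev.get("ParentImage", ""))
    found = powershell_indicators(ev.get("CommandLine", ""))
    if parent == "explorer.exe" and found:
        return f"spawned by {parent} with {', '.join(found)}"
    return None


def check_network_event(ev):
    """Flag connections to cloud-storage hosts from processes that are neither
    browsers nor the vendor's own sync client."""
    image = _basename(ev.get("Image", ""))
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if not host or image in EXPECTED_CLOUD_CLIENTS:
        return None
    for suffix in CLOUD_STORAGE_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return f"connected to cloud storage host {host}"
    return None


def run_detections(events):
    """Return (EventID, process name, reason) for every event that fires a check."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            reason = check_process_event(ev)
        elif ev.get("EventID") == 3:
            reason = check_network_event(ev)
        else:
            reason = None
        if reason:
            findings.append((ev["EventID"], _basename(ev["Image"]), reason))
    return findings


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},  # user opened a console: no switches
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"EventID": 3, "Image": PS, "DestinationHostname": "content.dropboxapi.com",
     "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.dropbox.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Only the first and fourth sample events fire: an interactive PowerShell console from explorer.exe with no switches, an administrative script under cmd.exe, and a browser reaching Dropbox all stay silent, which is the point of keying the rules on the combination of parent, switches and process identity rather than on PowerShell or a cloud domain alone.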

Malware Arsenal

APT37 utilizes a diverse suite of custom and open-source malware, including:
• RoKRAT: Remote access trojan for system information gathering, screenshot capture, and data exfiltration.
• Chinotto: PowerShell-based backdoor for espionage and surveillance.
• BLUELIGHT, Dolphin, GOLDBACKDOOR, M2RAT, NOKKI: Tools for remote access, credential theft, keylogging, and data exfiltration.
• KoSpy: Android surveillance spyware attributed to APT37.

Indicators of Compromise (IOCs)

APT37’s infrastructure changes frequently, but recent public reports have identified the following IP addresses, domains, and e-mail addresses associated with its operations:

• IP Address: 89.147.101.65 (RoKRAT C2 infrastructure)
• IP Address: 27.255.79.225 (KoSpy C2, Android spyware)
• Domain: st0746[.]net, naverfiles[.]com (KoSpy campaign infrastructure)
• Email: rolf.gehrung@yandex.com, tanessha.samuel@gmail.com (used for C2 and phishing)
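Published indicators are defanged (the `[.]` in the domains above), so a matcher has to refang them before comparing, and it should match hostnames by suffix so a subdomain of a listed domain still hits while an IP that merely contains a listed address as a substring does not. The following is an added example, not part of the original profile: the indicators above are embedded as published and scanned against a few constructed key=value log lines. The log format and the sample lines are assumptions for this example.

```python
import ipaddress
import re

# Indicators copied from the profile, kept defanged exactly as published.
# Tuple layout: (kind, indicator, context).
IOC_TABLE = [
    ("ip", "89.147.101.65", "RoKRAT C2 infrastructure"),
    ("ip", "27.255.79.225", "KoSpy C2 (Android spyware)"),
    ("domain", "st0746[.]net", "KoSpy campaign infrastructure"),
    ("domain", "naverfiles[.]com", "KoSpy campaign infrastructure"),
    ("email", "rolf.gehrung@yandex.com", "Used for C2 and phishing"),
    ("email", "tanessha.samuel@gmail.com", "Used for C2 and phishing"),
]

# Constructed log lines in a generic key=value format (not real telemetry).
SAMPLE_LOG = [
    "2025-06-02T09:14:03Z dns client=10.0.0.21 query=cdn.naverfiles.com type=A",
    "2025-06-02T09:14:04Z conn src=10.0.0.21 dst=89.147.101.65 dport=443 proto=tcp",
    "2025-06-02T09:15:10Z dns client=10.0.0.22 query=www.example.org type=A",
    "2025-06-02T09:16:44Z mail from=rolf.gehrung@yandex.com to=analyst@example.org subject=Forum invitation",
    "2025-06-02T09:17:00Z conn src=10.0.0.23 dst=189.147.101.65 dport=443 proto=tcp",
]

# Lookarounds stop 89.147.101.65 from matching inside 189.147.101.65.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def refang(indicator):
    """Convert a defanged indicator to its raw form: 'st0746[.]net' -> 'st0746.net'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def build_index(table):
    """Group refanged indicators by kind; each value maps to its context string."""
    index = {"ip": {}, "domain": {}, "email": {}}
    for kind, value, context in table:
        key = refang(value).lower()
        if kind == "ip":
            key = str(ipaddress.ip_address(key))  # validates and normalises the address
        index[kind][key] = context
    return index


def match_domain(hostname, domains):
    """Return the IOC domain that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for ioc in domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines, table=IOC_TABLE):
    """Return hits as (line_no, kind, observed_value, ioc_value, context)."""
    index = build_index(table)
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in index["ip"]:
                hits.append((line_no, "ip", ip, ip, index["ip"][ip]))
        for email in EMAIL_RE.findall(line):
            key = email.lower()
            if key in index["email"]:
                hits.append((line_no, "email", email, key, index["email"][key]))
        for host in HOST_RE.findall(line):
            ioc = match_domain(host, index["domain"])
            if ioc:
                hits.append((line_no, "domain", host, ioc, index["domain"][ioc]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Against the sample lines this reports the DNS query for cdn.naverfiles.com (a subdomain hit on naverfiles.com), the connection to 89.147.101.65, and the mail from rolf.gehrung@yandex.com; the last line, which contains the RoKRAT address only as a substring of 189.147.101.65, is correctly left alone.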
Synonyms: Reaper, ScarCruft, Group123