APT37

apt37 · primary source: MITRE · first observed 2011

KP · DPRKState-sponsoredModerate confidencelast cited Feb 19, 2018 · 8y ago

DPRK state-sponsored actor publicly attributed to North Korea's Ministry of State Security (MSS). Conducts espionage against South Korean public and private sector targets and, to a lesser extent, Japan, Vietnam, and the Middle East. Known for early adoption of zero-day exploits and the use of decoy documents exploiting Hangul Word Processor.

Aliases

ReaperOtherScarCruftOtherRicochet ChollimaCrowdStrikeInkySquidOtherOpal SleetMicrosoft

Motivations

espionage

Target sectors

governmentdefensemediaacademiadissidents

Target countries

KRJPVNKWBH

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

APT37
DPRK
espionage

Capability

Infrastructure

jquery.services

Victim

government
defense
media
KR
JP
+1 more

MITRE ATT&CK techniques

T1203 T1204.002 T1566.001 T1071.001

Timeline

1 event

ReportMedium2018-02-20·Mandiant (FireEye)
FireEye publicly names APT37 (Reaper) as a DPRK actor
FireEye published a comprehensive profile naming APT37 (Reaper) as a North Korean state-sponsored actor distinct from Lazarus, documenting its targeting beyond the Korean Peninsula and its early use of zero-day exploits in delivery chains.
attributiondprkzero-day

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
SHA-256	5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6 family · BLUELIGHT BLUELIGHT backdoor sample published by Volexity on 17 August 2021 in the 'InkySquid' blog. BLUELIGHT uses the Microsoft Graph API (OneDrive appfolder) for C2 and was deployed via IE / legacy-Edge zero-days CVE-2020-1380 and CVE-2021-26411 from a strategic web compromise of dailynk.com. Volexity attributes InkySquid to APT37 / ScarCruft.	Aug 16, 2021	Volexity
Domain	jquery[.]services family · BLUELIGHT APT37 / InkySquid C2 root. Subdomains ui.jquery.services and storage.jquery.services served BLUELIGHT loader scripts via a strategic web compromise of South Korean news site dailynk.com starting April 2021. Reported by Volexity.	Mar 31, 2021	Volexity
SHA-256	b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e family · RokRAT RokRAT (DOGCALL) backdoor sample documented by Cisco Talos in 'ROKRAT Reloaded' (November 2017). RokRAT abuses legitimate cloud services (pCloud, Box, Dropbox, Yandex) as C2 and is consistently attributed to APT37 / ScarCruft / Reaper / Group 123 (DPRK MSS).	Nov 15, 2017	Cisco Talos

Related actors

shared ATT&CK techniques

CN · ChinaElderwood3 shared techniques
IR · IranAPT392 shared techniques
- T1071.001
- T1566.001
RU · RussiaGamaredon2 shared techniques
- T1071.001
- T1566.001
KP · DPRKLazarus Group2 shared techniques
- T1071.001
- T1566.001
CN · ChinaMustang Panda2 shared techniques
- T1071.001
- T1566.001
CN · ChinaNaikon2 shared techniques
- T1071.001
- T1566.001

References

G0067 — APT37
MITRE ATT&CK

cite this page

Threat Intel Tracker. (2026-05-19). APT37 — actor profile. Retrieved from https://threatintel.local/actors/apt37

latest cited activity · 2018-02-20 · 3 cataloged indicators