>samit_hota
Back to adversary profiles
G0067CriticalActive

APT37 (ScarCruft): North Korea's Evolving Cyber Espionage Group

Samit Hota·
Suspected Origin
North Korea
Motivation
Espionage, Financial Gain, Strategic Intelligence Gathering
Aliases
InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, Ricochet Chollima
Target Sectors
Government, Defense, Healthcare, Technology, Finance, Media, Human Rights, Aerospace, Automotive, Manufacturing, Chemicals, Electronics, Think Tanks, NGOs
Associated Malware
ROKRAT, BLUELIGHT, DOLPHIN, KONNI, RUHYPOS, BabyShark, Gold Dragon, LATEOP, ZUMKONG, SOUNDWAVE, Freenki, RICECURRY, KARAE, POORAIM, SHUTTERSPEED, RUHAPPY, VCD, LightPeek, FadeStealer, NubSpy, Chinotto, ChillyChino, Rustonotto, KoSpy, BirdCall, RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE
#threat-actor#g0067

Overview

APT37, also tracked as G0067, is a formidable North Korean state-sponsored cyber espionage group that has been actively operating since at least 2012. Known by a multitude of aliases including InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, Ricochet Chollima, RedEyes, THALLIUM, Venus 121, ATK4, Ruby Sleet, Velvet Chollima, Moldy Pisces, Crooked Pisces, Osmium, Opal Sleet, and TA-RedAnt, this group is widely believed to operate under the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. Its primary mission is covert intelligence gathering to support the Democratic People’s Republic of Korea’s (DPRK) strategic political, military, and economic objectives.

While historically concentrating its efforts on South Korean public and private entities, including government agencies, military, defense industrial base, and media sectors, APT37 has significantly broadened its operational scope since 2017. Its targeting now extends globally, encompassing Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, parts of the Middle East, and even the United States. The group’s victimology includes diverse sectors such as defense, healthcare, technology, finance, chemicals, electronics, manufacturing, aerospace, automotive, human rights organizations, NGOs, think tanks, and individuals specializing in North Korean affairs or those considered defectors. In recent years, APT37’s motivation has shown a slight diversification, with limited financially motivated activities designed to evade sanctions or fund regime operations. There are also indications of a potential shift towards more disruptive or extortion-driven tactics, including the deployment of ransomware.

Tactics & Techniques

APT37 employs a sophisticated and evolving arsenal of tactics, techniques, and procedures (TTPs) to achieve its objectives.

Initial Access is frequently gained through spear-phishing campaigns, often utilizing highly personalized emails with geopolitically themed lures. These emails typically contain malicious attachments, such as Hangul Word Processor (HWP) or Microsoft Office documents, or links to malicious websites. The group also extensively leverages vulnerabilities in popular software, including Adobe Flash, Hangul Word Processor, Microsoft Word, Internet Explorer, and Microsoft Edge, sometimes exploiting zero-day flaws. Strategic web compromises, commonly known as watering hole attacks, are another prevalent method, where legitimate websites popular with targets (particularly South Korean news portals) are compromised to serve malicious code. Torrent file-sharing sites have been used for more indiscriminate malware dissemination. More recently, APT37 has integrated social networking sites like Facebook and Telegram for reconnaissance and social engineering to identify and screen targets. They have also engaged in supply chain attacks, compromising gaming platforms and distributing trojanized software updates or installers. The use of malicious Windows shortcut (LNK) files is a consistent initial vector, launching PowerShell commands and carving embedded payloads.

For Execution, APT37 utilizes various scripting languages such as Ruby and Python, along with the command-line interface, shellcode, and VBA scripts. They employ DLL side-loading, Windows DDE, and process injection techniques, often leveraging Windows API calls like VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread().

Persistence mechanisms include modifying Windows Registry keys, creating scheduled tasks, utilizing DLL sideloading, and abusing cloud authorization tokens for stealthy re-entry into compromised environments.

Defense Evasion is a key capability. APT37 frequently obfuscates strings and payloads, employs steganography to embed shellcode within images, and bypasses Windows User Account Control (UAC). Their malware often includes anti-analysis techniques, such as checking for virtual machine (VM) tools, and is designed to hide malicious code within legitimate code to avoid detection by security solutions.

For Credential Access and Discovery, the group utilizes custom tools like ZUMKONG to steal usernames and passwords from browsers. They collect extensive system information, including computer name, BIOS model, execution paths, usernames, local IP addresses, OS versions, process lists, installed antivirus products, and Bluetooth device information. Recursive file system enumeration is also a common discovery technique.

Collection efforts are broad, encompassing audio capturing with utilities like SOUNDWAVE, keylogging, clipboard data harvesting, and taking screenshots. They are adept at collecting specific file types, documents, SMS messages, call logs, location data, media files, and even private keys from victim systems.

Command and Control (C2) communications are often concealed using HTTPS. A distinguishing characteristic of APT37 is its extensive abuse of legitimate cloud storage platforms such as Dropbox, Google Drive, Zoho WorkDrive, Yandex, Mediafire, pCloud, Box, AOL, and GitHub for C2 infrastructure, making network-based detection more challenging. They also leverage compromised servers, messaging platforms, and in some cases, even platforms like PubNub for C2. Recent campaigns indicate the use of lightweight, file-based PHP backend C2 scripts and two-stage C2 architectures utilizing services like Firebase.

Exfiltration typically occurs via the same abused cloud services used for C2, sometimes over encrypted channels. In terms of Impact, APT37 has access to destructive malware like RUHAPPY, capable of wiping a machine’s Master Boot Record (MBR), causing system failure. More recently, the group has been observed deploying ransomware, signaling a potential shift towards disruptive or extortion-driven objectives.

A significant development in their TTPs is the ability to compromise air-gapped networks. Recent campaigns have deployed specialized tools like RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE that leverage removable media, particularly USB drives, to infect and transfer data between isolated and internet-connected systems. THUMBSBD, for instance, utilizes hidden $RECYCLE.BIN directories on USB drives as a covert C2 channel to exfiltrate data and issue commands to air-gapped systems.

Notable Campaigns

APT37 has been linked to numerous campaigns, many with evocative names that highlight their evolving strategies:

  • Operation Daybreak (2016-2018): This campaign targeted defense, technology, and finance sectors, employing spear-phishing, social engineering, and software flaws to gather sensitive information.
  • Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018 (2016-2018): These campaigns were part of the group’s active period targeting various entities, particularly in South Korea, often utilizing spear-phishing and watering hole attacks.
  • “Zero-Day Reaper” Campaign (2017): This operation notably showcased the group’s advanced capability to incorporate and exploit zero-day vulnerabilities.
  • 2018 Adobe Flash Vulnerability Attack (CVE-2018-4878): APT37 was observed actively exploiting this Flash zero-day, demonstrating their access to advanced exploits and expanding sophistication.
  • Campaigns targeting security researchers and think tanks (2023): This included the use of BLUELIGHT and DOLPHIN malware, indicating a focus on understanding the cybersecurity landscape and those analyzing North Korean threats.
  • Persistent targeting of media organizations and high-profile experts in North Korean affairs (late 2023-early 2024): These campaigns used new infection chains, including decoy documents related to threat research, showcasing adaptability and continued focus on strategic intelligence gathering.
  • VCD Ransomware Campaign (August 2025): In a significant departure from pure espionage, ScarCruft was observed deploying a new ransomware variant, VCD, suggesting a potential shift towards disruptive or financially motivated activities.
  • “Ruby Jumper” Campaign (discovered December 2025, active into 2026): This highly sophisticated campaign leverages LNK files, PowerShell, and a suite of newly identified tools (RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT) to target and compromise air-gapped networks via removable media. Zoho WorkDrive is abused for C2, and decoy documents related to geopolitical conflicts are used.
  • Supply Chain Attack on a Gaming Platform (likely active since late 2024, reported May/June 2026): APT37 compromised Windows and Android components of a video gaming platform popular among ethnic Koreans in China’s Yanbian region. This attack distributed RokRAT and the multiplatform BirdCall backdoor, primarily aimed at collecting personal data from individuals of interest to the North Korean regime, such as refugees and defectors.
  • Social Engineering Campaign via Facebook and Telegram (April 2026): This recent campaign involves using social media for target identification and trust-building, moving conversations to encrypted messengers, and deploying a RokRAT-like backdoor via a trojanized Wondershare PDFelement installer.

Associated Malware & Tools

APT37 maintains a diverse and constantly updated malware arsenal. Key custom tools and malware families include:

  • ROKRAT: A versatile cloud-hosted Remote Access Trojan (RAT) used for remote access and data exfiltration. Also known as DOGCALL.
  • BLUELIGHT: A custom, full-featured remote access tool that utilizes cloud services for C2 and is known for its evasive techniques.
  • DOLPHIN: Used for remote access and data exfiltration.
  • KONNI & RUHYPOS: Known malware signatures associated with the group.
  • BabyShark, Gold Dragon, LATEOP: Additional malware families leveraged by APT37.
  • ZUMKONG: A credential stealer specifically designed to harvest usernames and passwords from web browsers.
  • SOUNDWAVE: An audio capturing utility that records microphone input.
  • Freenki: Malware used to list running processes on a compromised system.
  • RICECURRY: A JavaScript-based profiler used to fingerprint victim web browsers and deliver tailored malicious code.
  • KARAE & POORAIM: Older malware strains, with POORAIM notably using AOL Instant Messenger for C2.
  • SHUTTERSPEED: A backdoor that enables screenshots and further malicious application deployment.
  • RUHAPPY: A destructive wiper malware capable of overwriting the Master Boot Record (MBR).
  • VCD: A newly observed ransomware variant, used in 2025 campaigns.
  • LightPeek & FadeStealer: Information stealers, with FadeStealer specifically capable of audio recording, keylogging, and data collection from connected devices.
  • NubSpy: A backdoor that covertly uses the legitimate PubNub real-time messaging platform for C2 communications.
  • Chinotto & ChillyChino: Malware capable of exfiltrating system information, with Chinotto supporting both Windows and Android systems, and ChillyChino being a newer variant.
  • Rustonotto: A recently identified Rust-based backdoor, showcasing the group’s adoption of new programming languages.
  • KoSpy: A novel Android surveillance tool, masquerading as utility apps and active since at least March 2022, capable of extensive data collection from mobile devices.
  • BirdCall: A multiplatform (Windows and Android) backdoor with broad spying capabilities, including screenshots, keylogging, credential/file theft, and sensitive data collection, often leveraging cloud storage for C2.
  • Ruby Jumper Toolkit: A suite of newly discovered tools used in the 2025-2026 “Ruby Jumper” campaign:
    • RESTLEAF: Profiles the compromised system, establishes persistence, and retrieves subsequent components from cloud services like Zoho WorkDrive.
    • SNAKEDROPPER: A loader responsible for decrypting and deploying additional malicious modules directly into memory, minimizing disk artifacts.
    • THUMBSBD: A tool designed for propagation via removable media (USB drives), monitoring for connected devices, copying infection packages, and serving as a covert C2 channel for air-gapped systems.
    • VIRUSTASK: A lightweight backdoor and removable media propagation component that collects system information and stages data for exfiltration.
    • FOOTWINE: A reconnaissance and collection utility focused on harvesting documents and monitoring activity on removable drives.

Current Status

APT37 remains a highly active, dangerous, and adaptive threat actor. Its operations in late 2024 and early 2025 indicate a continuous evolution in tactics and techniques, notably moving beyond mere data exfiltration to using cloud platforms for persistence to hinder remediation efforts. There are also increasing signs of collaboration with other financially motivated DPRK-nexus clusters, such as QRN29, suggesting a convergence of espionage and revenue-generating missions, possibly to circumvent international sanctions.

Recent campaigns, including the “Ruby Jumper” operation (discovered December 2025 and active into 2026), highlight their sophisticated capabilities, such as breaching air-gapped networks using specialized USB-based malware. The supply chain attack on a gaming platform (active since late 2024) and ongoing social engineering campaigns abusing popular communication platforms like Facebook and Telegram (April 2026) further underscore their persistent and innovative nature.

As of 2025 and extending into 2026, APT37 is considered a high-priority threat, expected to continue hybridizing global espionage with potentially financially motivated and disruptive campaigns, posing a significant challenge to governments and enterprises worldwide.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call