Background
APT37, tracked by different vendors as ScarCruft, Reaper, and Ricochet Chollima, is a North Korean state-sponsored espionage group distinct from and subordinate to Lazarus Group. The group is attributed to Bureau 121, North Korea's primary cyber warfare unit under the Reconnaissance General Bureau (RGB), with a specific focus on the Ministry of State Security (MSS), North Korea's domestic and foreign intelligence service, rather than the military-focused Lazarus Group.
APT37's operational mandate centers on domestic counterintelligence against North Korean dissidents, defectors, and human rights organizations, alongside intelligence collection against South Korea's government, military, and strategic industries. The group is particularly focused on monitoring and suppressing North Korean defector communities in South Korea, Japan, and the United States, reflecting the regime's intense fear of organized defector networks exposing regime abuses.
What distinguishes APT37 from Lazarus is its focus on surveillance and suppression of civilian targets (journalists covering North Korea, human rights activists, defectors, and religious organizations) alongside traditional military and government espionage. The group has demonstrated willingness to target Android mobile devices, reflecting the prevalence of mobile communications among its South Korean civilian targets. APT37 has also been linked to the development and use of zero-day exploits against Internet Explorer and Adobe Flash Player, demonstrating technical capabilities beyond what its mission profile might suggest.
Notable Campaigns
Operation Daybreak / Operation Erebus (2016): APT37 conducted dual watering hole attacks exploiting zero-day vulnerabilities in Adobe Flash Player. The campaigns targeted South Korean users visiting websites related to North Korean human rights issues and defector support organizations. ROKRAT was deployed via these zero-days, marking one of the group's most technically sophisticated documented operations.
Operation Reaper (2017): A campaign targeting South Korean government organizations and defense entities, using Hangul Word Processor (HWP) documents as lures. The campaign exploited an HWP zero-day vulnerability and deployed the ROKRAT backdoor. HWP targeting reflects APT37's specific focus on South Korean organizations, where HWP is the de facto government document standard.
InkySquid / Browser Exploit Campaign (2021): Volexity documented APT37 using the InkySquid watering hole technique to compromise the Daily NK website, a Seoul-based news outlet covering North Korean affairs. The group injected malicious JavaScript exploiting Internet Explorer (CVE-2020-1380) and Edge vulnerabilities to install BLUELIGHT malware on visitors' systems.
South Korean Defector Community Targeting (2022-2024): APT37 has maintained a sustained surveillance campaign against North Korean defectors in South Korea. The group impersonates Korean government officials, humanitarian workers, and university researchers to approach defectors via email and messaging apps, delivering spearphishing payloads disguised as interview requests, academic surveys, and support organization communications.
Tactics, Techniques & Procedures
Spearphishing with HWP Exploit Documents: APT37's signature initial access technique involves Hangul Word Processor documents exploiting HWP-specific vulnerabilities (T1566.001). HWP is widely used in South Korean government and corporate environments, making HWP lures highly effective against Korean targets. The group maintains consistent targeting of South Korean users, tailoring lures to Korean political events, holidays, and news cycles.
Watering Hole Attacks: APT37 has repeatedly compromised websites serving South Korean defector communities, human rights organizations, and North Korea-focused news outlets (T1189; the technique is implied by the browser exploits used). Malicious JavaScript injected into these sites exploits browser vulnerabilities to deliver malware with no user interaction beyond visiting the page.
Cloud Service Abuse for C2: A notable piece of APT37 tradecraft is the use of legitimate cloud services, particularly Dropbox, Google Drive, and Yandex cloud storage, for command and control (T1071.003). This approach makes C2 traffic indistinguishable from legitimate cloud service usage and bypasses many network-level detection mechanisms.
Android Surveillance: APT37 deploys Android malware (KONNI) through malicious APK files distributed via social engineering to defectors, who primarily use mobile devices. These implants provide comprehensive device surveillance, including SMS interception, GPS tracking, contact and call log exfiltration, and microphone/camera access.
Tools & Malware
- ROKRAT: APT37's signature custom RAT, distributed via weaponized HWP documents. Provides keylogging, screenshot capture, file exfiltration, and remote command execution. Uses cloud services (Dropbox, Google Drive, pCloud, Yandex) for C2 to evade network detection.
- DOGCALL: A backdoor with cloud-based C2 via Dropbox or Box, deployed as a secondary access tool and used for reconnaissance and data collection.
- BLUELIGHT: A lightweight backdoor designed for targeted intelligence collection, deployed via watering hole attacks. Performs system profiling and downloads additional payloads based on victim characteristics.
- GOLDBACKDOOR: A successor to BLUELIGHT, featuring enhanced evasion, persistence via scheduled tasks, and cloud-based C2 using the Microsoft Graph API.
- Chinotto: A multi-stage malware framework targeting Windows, macOS, and Android platforms. Deployed against South Korean defectors and journalists, using SMS phishing for mobile delivery.
- KONNI (MosuSu): An Android RAT used for mobile surveillance of North Korean defectors, providing comprehensive device access and persistent monitoring capabilities.
- POORWEB: A backdoor with anti-analysis features that performs system reconnaissance and communicates with attacker infrastructure over HTTP.
- SHUTTERSPEED: A screenshot capture tool deployed alongside other APT37 backdoors for periodic visual reconnaissance of victim systems.
Indicators & Detection
Human Rights and Defector Community Awareness: Organizations working with North Korean defectors, covering DPRK affairs, or involved in Korean Peninsula policy must treat APT37 as an active threat. Any new contact claiming to be a journalist, academic, or official interested in interviews or collaboration should be independently verified through established channels before any file exchange.
HWP Document Security: South Korean organizations should implement application whitelisting to restrict HWP macro execution and ensure HWP software is fully patched. Alert on HWP processes that spawn cmd.exe, PowerShell, or other shell processes. Monitor for HWP documents that make network connections during rendering.
Cloud Service Monitoring: Implement DLP policies to monitor and restrict unauthorized cloud service usage on corporate networks. APT37's cloud-based C2 is difficult to detect at the network level without application-layer inspection. Monitor for Dropbox and Google Drive clients executing from unusual paths or with unusual parent processes.
Android Security: Defectors and journalists covering North Korea should use hardened Android configurations, avoid third-party APK installations, and consider using a separate device for North Korean contacts. Google Play Protect provides basic protection but is insufficient against targeted, government-grade malware. Consider Pixel devices with verified boot for the highest-risk individuals.
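As an added example (not from the original profile), the two process-level checks above, an HWP process spawning a shell and a cloud client running from an unexpected location or parent, written as detection logic over constructed Sysmon-style process-creation records. The Hancom executable names, the Dropbox install-path patterns and the parent-process allowlist are assumptions to be tuned against your own baseline.

```python
import ntpath
from fnmatch import fnmatch

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HWP_PROCS = {"hwp.exe", "hwpviewer.exe"}  # assumed Hancom HWP executable names
# Assumed baseline for the Dropbox client: install-path patterns and normal parent processes.
CLOUD_BASELINE = {
    "dropbox.exe": ([r"c:\program files (x86)\dropbox\client\*", r"c:\users\*\appdata\local\dropbox\*"],
                    {"explorer.exe", "services.exe", "userinit.exe", "dropbox.exe"}),
}

def _name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()

def hwp_spawns_shell(image, parent):
    """Rule 1: an HWP process creates a shell or script-host child."""
    return _name(parent) in HWP_PROCS and _name(image) in SHELLS

def cloud_client_anomaly(image, parent):
    """Rule 2: a cloud-client binary outside its install path or with an odd parent; None if baseline."""
    name = _name(image)
    if name not in CLOUD_BASELINE:
        return None
    dirs, parents = CLOUD_BASELINE[name]
    reasons = []
    if not any(fnmatch(image.lower(), pat) for pat in dirs):
        reasons.append("unexpected path " + image)
    if _name(parent) not in parents:
        reasons.append("unexpected parent " + _name(parent))
    return ", ".join(reasons) or None

def scan(events):
    """Return (timestamp, rule, detail) for each (ts, image, parent) record that trips a rule."""
    hits = []
    for ts, image, parent in events:
        if hwp_spawns_shell(image, parent):
            hits.append((ts, "hwp_spawns_shell", _name(parent) + " -> " + _name(image)))
        if why := cloud_client_anomaly(image, parent):
            hits.append((ts, "cloud_client_anomaly", why))
    return hits

# Constructed Sysmon-style process-creation records (time, image, parent image), not real telemetry.
SAMPLE_EVENTS = [
    ("10:01:02", r"C:\Program Files\Hnc\Office\Bin\Hwp.exe", r"C:\Windows\explorer.exe"),
    ("10:01:09", r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Hnc\Office\Bin\Hwp.exe"),
    ("10:05:00", r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe", r"C:\Windows\explorer.exe"),
    ("10:06:30", r"C:\Users\Public\Dropbox.exe", r"C:\Windows\System32\cmd.exe"),
]
```

Running scan(SAMPLE_EVENTS) flags only the second record (Hwp.exe launching cmd.exe) and the fourth (a Dropbox.exe under C:\Users\Public started by cmd.exe); the benign HWP and Dropbox launches pass.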