{
	"id": "67f04c11-e856-4aef-a4c9-e48164b2c676",
	"created_at": "2026-04-06T00:08:30.864292Z",
	"updated_at": "2026-04-10T13:11:28.916388Z",
	"deleted_at": null,
	"sha1_hash": "09362bed4083f504be1d4a7b60852fd6d41ac608",
	"title": "Lookout Discovers North Korean APT37 Mobile Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 512402,
	"plain_text": "Lookout Discovers North Korean APT37 Mobile Spyware\r\nBy Lookout\r\nPublished: 2025-03-12 · Archived: 2026-04-05 16:53:10 UTC\r\nLookout Threat Lab researchers have discovered a novel Android surveillance tool, dubbed KoSpy, which appears to target Korean and English-speaking users. The spyware, attributed with medium confidence to the North Korean APT group ScarCruft (also known as APT37), is a relatively new family with early samples going back to March 2022. The most recent samples were acquired in March 2024.\r\nKoSpy has been observed using fake utility application lures, such as \"File Manager\", \"Software Update Utility\" and \"Kakao Security\", to infect devices. The spyware leveraged the Google Play Store and Firebase Firestore to distribute the app and receive configuration data. All the apps mentioned in the report have been removed from Google Play, and the associated Firebase projects have been deactivated by Google.\r\nScarCruft is a North Korean state-sponsored cyber espionage group active since 2012. While primarily targeting South Korea, it has also conducted operations in countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations.\r\nKoSpy\r\nKoSpy samples in Lookout’s corpus masquerade as five different apps: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security) and Software Update Utility. The samples with utility application lures have basic interfaces which open the related internal phone settings view. For instance, the Software Update Utility opens the Software Update screen under the System settings. The File Manager app functions as a simple file browser with some additional features. 
The Kakao Security app, on the other hand, doesn’t have any useful functionality; it displays a fake system window and requests multiple permissions.\r\nMost KoSpy samples offer some basic functionality, except the Kakao Security app, which gets stuck at a fake permission request screen.\r\nBehind the basic interface, KoSpy starts the spyware functionality by first getting a simple configuration from Firebase Firestore. This encrypted configuration contains two parameters: an “on”/“off” switch and the Command and Control (C2) server address. This two-staged C2 management approach provides the threat actor with flexibility and resiliency: they can enable or disable the spyware and change C2 addresses at any time, for example when a C2 is detected or blocked.\r\nAfter retrieving the C2 address, KoSpy ensures the device is not an emulator and that the current date is past the hardcoded activation date. This activation date check ensures that the spyware does not reveal its malicious intent prematurely.\r\nC2 Communication and Infrastructure\r\nKoSpy sends two different types of requests to the C2 address. One downloads plugins while the other retrieves configurations for the surveillance functions. The plugin request is supposed to receive an encrypted, compressed binary; however, this could not be confirmed since no C2 was active during the analysis. The configuration request is set to receive a JSON document which configures the following settings: C2 ping frequency, messages to show the user in Korean and English, URL to download a plugin and the class name to dynamically load.\r\nhttps://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37\r\nPage 1 of 4\r\nSome KoSpy C2 domains are still online; however, they don’t respond to client requests.\r\nAn example of a “conf” request can be seen in the image above. The request is an HTTP POST request and the payload is in JSON format. 
Values in the JSON are encrypted and Base64-encoded while the field names are clear text. The “vtr” field contains the unique victim ID generated from the hardware fingerprint and Android ID. The “type” field can be one of “conf” or “code”, which determines the type of C2 request. The “pref” field is a composite field and contains information such as package name, app version, device language, hardware details and a list of enabled permissions.\r\nKoSpy can collect an extensive amount of sensitive information on the victim devices with the help of the dynamically loaded plugins. These capabilities include:\r\nCollecting SMS messages\r\nCollecting call logs\r\nRetrieving device location\r\nAccessing files and folders on the local storage\r\nRecording audio and taking photos with the cameras\r\nCapturing screenshots or recording the screen while in use\r\nRecording keystrokes by abusing accessibility services\r\nCollecting Wi-Fi network details\r\nCompiling a list of installed applications\r\nThe collected data is sent to the C2 servers after being encrypted with a hardcoded AES key. Lookout researchers observed five different Firebase projects and five different C2 servers during the analysis of the available KoSpy samples, which can be seen in the indicators of compromise section.\r\nTargeting and Distribution\r\nLookout researchers assess that this KoSpy campaign was targeted at Korean and English-speaking users. More than half of the apps have Korean-language titles and the UI supports two languages: English and Korean. The messages and text fields in the app are shown in Korean if the device language is set to Korean and in English otherwise.\r\nKoSpy has language support for Korean language,\r\nSome of the samples of KoSpy were available for download from the Google Play Store alongside the third-party app store Apkpure. However, no app is currently publicly available on the Google Play Store. 
A cached snapshot of the Play Store listing page [1] for the File Manager app (com.file.exploer) shows that the app was publicly available for a while and was downloaded more than ten times. The snapshot also reveals that the developer account was named “Android Utility Developer” and the developer contact email address was mlyqwl@gmail[.]com. The related privacy policy page was set to https://goldensnakeblog.blogspot[.]com/2023/02/privacy-policy.html. The listing also contained an embedded YouTube video to promote the app. The video was uploaded to the @filemanager-android channel [2] and the channel also contained a YouTube Shorts video.\r\nAttribution\r\nLookout researchers observed that this KoSpy activity has connections to previous malicious activities attributed to two North Korean threat groups: APT43 and APT37. One of the C2 domains of KoSpy, st0746[.]net, resolves [3] to the IP address 27.255.79[.]225 located in South Korea. This IP address was associated with many potentially malicious Korea-related domain names in the past:\r\nKoSpy C2 domains are tied to suspicious domains by shared infrastructure.\r\nThe domain names naverfiles[.]com and mailcorp[.]center have been reported [4] to be involved in attacks targeting Korean users using the Konni desktop malware. Konni [5] is a Windows RAT family linked to the APT37 [6] threat actor.\r\nAnother domain tied to the same IP address, nidlogon[.]com, was reported [7] to be part of the command and control infrastructure of Thallium (a.k.a. Kimsuky, APT43) by Microsoft.\r\nIn addition to its ties to APT37, this KoSpy campaign also has ties to infrastructure used by APT43, another North Korean hacking group. North Korean threat actors are known to have overlapping infrastructure, targeting and TTPs, which makes attribution to a specific actor more difficult. 
Based on the aforementioned shared infrastructure, common targeting and connection recency, Lookout researchers attribute this KoSpy activity to APT37 with medium confidence.\r\nIndicators of Compromise\r\nFiles\r\n911d9f05e1c57a745cb0c669f3e1b67ac4a08601\r\ncd62a9ab320b4f6be49be11c9b1d2d5519cc4860\r\n2d1537e92878a3a14b5b3f55b32c91b099513ae0\r\nf08f036a0c79a53f6b0c9ad84fb6eac1ac79c168\r\ndf39ab90c89aa77a92295721688b18e7f1fdb38d\r\nea6d12e4a465a7a44cbad12659ade8a4999d64d1\r\n1cc97e490b5f8a582b6b03bdba58cb5f1a389e78\r\n1a167b65be75fd0651bbda072c856628973a3c1e\r\n985fd1f74eb617b1fea17095f9e991dcaceec170\r\n744e5181e76c68b8b23a19b939942de9e1db1daa\r\n062a869caac496d0182decfadc57a23057caa4ab\r\nb84604cad2f3a80fb50415aa069cce7af381e249\r\n3278324744e14ddf4f4312d375f82b31026f51b5\r\n5639fa1fa389ed32f8a8d1ebada8bbbe03ac5171\r\nC2 Domains\r\njoinupvts[.]org\r\nresolveissue[.]org\r\ncrowdon[.]info\r\nst0746[.]net\r\nFirebase Projects\r\nmydb-a1554\r\nproject-27ef0\r\nproject-75f80\r\nsmart-743cf\r\nversion-25b53\r\nCitations\r\n[1] https://play.google.com/store/apps/details?id=com.file.exploer\r\n[2] https://www.youtube.com/@filemanager-android\r\n[3] https://www.virustotal.com/gui/ip-address/27.255.79.225/relations\r\n[4] https://www.kisia.or.kr/bucket/uploads/2022/12/09/%EC%82%AC%EC%9D%B4%EB%B2%84%EB%B3%B4%EC%95%88%20%EB%8C%80%EC%\r\n[5] https://malpedia.caad.fkie.fraunhofer.de/details/win.konni\r\n[6] https://malpedia.caad.fkie.fraunhofer.de/actor/apt37\r\n[7] https://noticeofpleadings.com/thallium/files/Ghaffari%20Declaration%20in%20Support%20of%20Motion%20for%20TRO%20and%20Preliminary%20\r\nSource: https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37"
	],
	"report_names": [
		"lookout-discovers-new-spyware-by-north-korean-apt37"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09362bed4083f504be1d4a7b60852fd6d41ac608.pdf",
		"text": "https://archive.orkl.eu/09362bed4083f504be1d4a7b60852fd6d41ac608.txt",
		"img": "https://archive.orkl.eu/09362bed4083f504be1d4a7b60852fd6d41ac608.jpg"
	}
}