{
	"id": "e3e4c419-eb15-49e8-92f6-1aa36c4af12e",
	"created_at": "2026-04-06T00:17:22.330992Z",
	"updated_at": "2026-04-10T13:12:10.659015Z",
	"deleted_at": null,
	"sha1_hash": "630804f20b18fe8e958f866b096c13f1afdd6308",
	"title": "Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202103,
	"plain_text": "Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin\r\nBy Filip Jurčacko\r\nArchived: 2026-04-05 15:50:36 UTC\r\nESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which\r\nwe named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and\r\nexfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers. Its functionality is\r\nreserved for selected targets, to which the backdoor is deployed after initial compromise using less advanced malware. In\r\nline with other ScarCruft tools, Dolphin abuses cloud storage services – specifically Google Drive – for C\u0026C\r\ncommunication.\r\nDuring our investigation, we saw continued development of the backdoor and attempts by the malware authors to evade\r\ndetection. A notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in\r\nGoogle and Gmail accounts to lower their security, most likely to maintain access to victims’ email inboxes.\r\nIn this blogpost, we provide a technical analysis of the Dolphin backdoor and explain its connection to previously\r\ndocumented ScarCruft activity. 
We will present our findings about this new addition to ScarCruft’s toolset at the AVAR 2022\r\nconference.\r\nKey points in this blogpost:\r\nESET researchers analyzed Dolphin, a previously unreported backdoor used by the ScarCruft APT group.\r\nDolphin is deployed on selected targets only; it searches the drives of compromised systems for interesting files and\r\nexfiltrates them to Google Drive.\r\nThe backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on\r\na South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named\r\nBLUELIGHT.\r\nSince the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the\r\nbackdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.\r\nA notable feature of earlier Dolphin versions we analyzed is the ability to modify the settings of victims’ signed-in\r\nGoogle and Gmail accounts to lower their security.\r\nScarCruft profile\r\nScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily\r\nfocuses on South Korea, but other Asian countries also have been targeted. ScarCruft seems to be interested mainly in\r\ngovernment and military organizations, and companies in various industries linked to the interests of North Korea.\r\nDolphin overview\r\nIn 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The\r\nattack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named\r\nBLUELIGHT, reported by Volexity and Kaspersky.\r\nIn those reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analyzing the\r\nattack, we discovered through ESET telemetry a second, more sophisticated backdoor, deployed on selected victims via\r\nBLUELIGHT. 
We named this backdoor Dolphin based on a PDB path found in the executable.\r\nhttps://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/\r\nPage 1 of 12\n\nWhile the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after\r\nexploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are\r\ncapable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically\r\nexfiltrates files with extensions of interest to ScarCruft.\r\nFigure 1 provides an overview of the attack components leading to the execution of the Dolphin backdoor.\r\nFigure 1. Overview of the attack components leading to the execution of the Dolphin backdoor\r\nDolphin analysis\r\nAnalysis of Dolphin’s components and their capabilities is provided in the following sections.\r\nThe analysis is based on the first version of the backdoor that we found, 1.9 (based on a string found in the code), with\r\nadditional information about changes in newer versions. 
A summarized description of the version changes can be found in\r\nthe Dolphin evolution section.\r\nDolphin installer\r\nThe following sections describe the installer and loader components responsible for the execution of the Dolphin backdoor in the\r\nanalyzed attack scenario.\r\nIt is worth noting that this installer and the deployed loader are not exclusive to Dolphin, and were previously seen used with\r\nother ScarCruft malware.\r\nThe installer shellcode follows these main objectives:\r\nDownload and deploy a Python interpreter\r\nGenerate and deploy a loading chain with its payload\r\nEnsure persistence of the loading chain\r\nThe installer downloads a CAB file from OneDrive, containing a legitimate Python 2.7 interpreter. The CAB is unpacked to\r\n%APPDATA%, and depending on architecture, the interpreter ends up in one of the following directories:\r\n%appdata%\\Python27(32)\\\r\n%appdata%\\Python27(64)\\\r\nThe installer generates two file paths for loading-chain components, \u003cloader_step_1\u003e and \u003cloader_encrypted_step_2\u003e, with\r\nthe format \u003cbase_dir\u003e\\\u003cinf_name\u003e\\\u003cdll_name\u003e.\r\n\u003cbase_dir\u003e is randomly selected from:\r\n%PROGRAMDATA%\r\n%PUBLIC%\r\n%APPDATA%\\Microsoft\r\n%APPDATA%\\Microsoft\\Windows\r\n%LOCALAPPDATA%\r\n%LOCALAPPDATA%\\Microsoft\r\n%LOCALAPPDATA%\\Microsoft\\Windows\r\n\u003cinf_name\u003e and \u003cdll_name\u003e are randomly selected from existing filenames (without extension) in %windir%\\inf\\*.inf and\r\n%windir%\\system32\\*.dll.\r\nTo generate Step 1 of the loader, the installer fills a script template with randomly generated names (variables, functions). The\r\ntemplate and a generated example are shown in Figure 2.\r\nFigure 2. 
Step 1 template and generated example\r\nThe script is then written to \u003cloader_step_1\u003e.\r\nStep 2 (embedded in the installer), which contains the rest of the loading chain, including the payload, is encrypted with a one-byte XOR key derived from the current time and written to \u003cloader_encrypted_step_2\u003e.\r\nIn order to persist the start of the loading chain, the installer sets a Run registry value:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003crandom_run_name\u003e = \"%appdata%\\Python27({32|64})\\pythonw.exe\" \"\u003cloader_step_1\u003e\" \"\u003cloader_encrypted_step_2\u003e\"\r\nThe \u003crandom_run_name\u003e is randomly selected from existing filenames matching %WINDIR%\\inf\\*.inf, discarding the .inf\r\nextension.\r\nTo start the loading chain after installation, the installer creates a one-time scheduled task.\r\nDolphin loader\r\nThe Dolphin loader consists of a Python script and shellcode.\r\nStep 1, the Python script, reads a specified file, XOR-decrypts its contents, and executes the resulting shellcode.\r\nStep 2, shellcode, creates a host process (a random command-line executable from %WINDIR%\\System32\\*.exe), XOR-decrypts\r\nfurther shellcode carried within itself, and injects it into the created process.\r\nStep 3, another shellcode, XOR-decrypts an embedded PE file – the Dolphin backdoor – and loads and executes it using a\r\ncustom PE loader.\r\nDolphin backdoor\r\nDolphin is a backdoor that collects information and executes commands issued by its operators. The backdoor is a regular\r\nWindows executable, written in C++. 
It communicates with Google Drive cloud storage, which is used as its C\u0026C server.\r\nWe named the backdoor Dolphin based on a PDB path found in the executable:\r\nD:\\Development\\BACKDOOR\\Dolphin\\x64\\Release\\Dolphin.pdb\r\nPersistence\r\nThe backdoor periodically checks and re-creates its own persistence, making sure that Step 1 of the loader is run every time\r\nthe system is started, via a registry Run value set in the same way as by the installer:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003crandom_run_name\u003e = \"%appdata%\\Python27({32|64})\\pythonw.exe\" \"\u003cloader_step_1\u003e\" \"\u003cloader_encrypted_step_2\u003e\"\r\nCapabilities\r\nThe following basic information about the computer and the backdoor is collected:\r\nCurrent backdoor configuration\r\nUsername\r\nComputer name\r\nLocal and external IP address\r\nList of installed security products\r\nRAM size and usage\r\nResult of check for debugger and other inspection tools (such as Wireshark)\r\nOS version\r\nCurrent time\r\nMalware version\r\nDolphin downloads commands, issued by its operators, from Google Drive storage and executes them. After execution, the\r\noutput of commands is uploaded. Most of Dolphin’s capabilities are controlled through commands.\r\nThe most relevant capabilities are described below.\r\nFile exfiltration\r\nBy default, Dolphin searches all non-fixed drives (USBs), creates directory listings and exfiltrates files by extension. 
This\r\nsearch can be extended to fixed drives (HDDs), via dedicated commands.\r\nThe following file extensions of interest, specific to media, documents, emails, and certificates, are specified in the default\r\nconfiguration:\r\njpg, doc, xls, ppt, hwp, url, csv, pdf, show, cell, eml, odt, rtf, nxl, amr, 3gp, m4a, txt, msg, key, der, cer, docx, xlsx, pptx, pfx,\r\nmp3\r\nBesides this automatic search, specific files can be exfiltrated.\r\nIn the newer versions, the default search was extended to fixed drives. The command to get specific files was improved, by\r\ncaching/storing it in the configuration until completion.\r\nPortable devices\r\nAmong regular drives, Dolphin also searches portable devices such as smartphones, using the Windows Portable Device\r\n(WPD) API. It creates directory listings and exfiltrates files. This functionality appeared to be under development in the first\r\nversion we found, for several reasons:\r\nRelying on a hardcoded path with a username that likely doesn’t exist on the victim’s computer\r\nMissing variable initialization – some variables are assumed to be zero-initialized, or dereferenced as pointers\r\nwithout initialization\r\nMissing extension filtering\r\nThe code is heavily based on Microsoft’s Portable Devices COM API code sample.\r\nApart from automatic search, the operators can specify individual files to be exfiltrated from portable devices.\r\nIn newer versions, this capability was finished and improved by adding extension filtering. For unknown reasons, the\r\ncommand to retrieve specific files from portable devices was removed.\r\nKeylogging and screenshots\r\nDolphin logs keystrokes for windows with titles containing substrings specified in its configuration. The defaults are chrome\r\nand internet explore (sic). This is done via the GetAsyncKeyState API, with keystrokes being logged along with the window\r\nname and current time. 
Screenshots are also taken at a configurable interval; the default is once every 30 seconds.\r\nScreenshots and keylogging are enabled by default, and can be toggled via a command.\r\nShellcode\r\nDolphin can receive shellcode for execution. The shellcode is stored in the registry, under one of the following keys:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Classic\\\u003crandom_number\u003e\r\nHKCU\\Software\\Microsoft\\OneDrive\\Update\\\u003crandom_number\u003e\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\HttpsSoftware\\Microsoft\\Internet\r\nExplorer\\Zone\\\u003crandom_number\u003e (two key paths concatenated into one, likely a coding error)\r\nIt can be executed either locally or in a specified separate process that is created and injected into.\r\nIn the newer versions, the shellcode is stored in files instead of the registry, and the stored shellcode is loaded and executed\r\non Dolphin’s startup, which was not the case in version 1.9 (the original version we analyzed).\r\nShell commands\r\nDolphin can execute shell commands via the popen API and retrieve their output.\r\nStealing credentials\r\nDolphin can retrieve credentials from browsers in the form of saved passwords and cookies. The following browsers are\r\nsupported:\r\nChrome\r\nEdge\r\nInternet Explorer\r\nIn version 2.2, this capability was removed, presumably to avoid detection. It was later restored in version 3.0, but in a\r\ndifferent form: the credential-stealing code is now received dynamically from the C\u0026C in the form of shellcode.\r\nGoogle account\r\nAnother one of Dolphin’s commands modifies the settings of the currently logged-in Google account, lowering its security\r\nrelative to default settings. 
It steals the existing cookie of the logged-in account from the browser and crafts requests that\r\nmodify the settings.\r\nFirst, it enables access to Gmail via the IMAP protocol by sending an HTTP POST request to:\r\nhttps://mail.google.com/mail/u/0/?ik=\u003cGM_ID_KEY\u003e\u0026at=\u003cGM_ACTION_TOKEN\u003e\u0026view=up\u0026act=prefs\r\nThen it enables “less secure app access” by sending an undocumented RPC request via an HTTP POST to:\r\nhttps://myaccount.google.com/_/AccountSettingsUi/data/batchexecute\r\nThese modifications are referred to as “thunder access” in the backdoor, likely being a reference to the Thunderbird email\r\nclient. Accessing their victims’ inboxes with a third-party client via IMAP probably helps ScarCruft operators maintain\r\naccess to the victims’ emails after stealing credentials, which may not be enough on their own, due to Google’s detection of\r\nsuspicious login attempts.\r\nThis feature was found in versions 1.9 and 2.0 of the backdoor; it is not present in versions 2.2 or 3.0.\r\nData staging\r\nDolphin exfiltrates data to Google Drive storage, staging the data in encrypted ZIP archives before upload. The backdoor\r\nalso maintains a list of files in the form of MD5 hashes, in order to avoid uploading the same file multiple times. This list\r\ncan be reset via a dedicated command.\r\nConfiguration\r\nThe backdoor contains an initial default configuration that is persisted on first run and loaded on subsequent runs. It is stored\r\nin the file %ProgramData%\\\u003cvariable_cfg_name\u003e.inf, where \u003cvariable_cfg_name\u003e is randomly selected from existing\r\nfilenames matching %windir%\\inf\\*.inf. The content is encrypted using AES CBC with random 16-byte keys and IVs,\r\nwhich are stored at the file’s beginning. The configuration uses JSON format, with hash-like keys. 
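The block below is an added example, not ESET's code and not code recovered from the backdoor. It turns three host artifacts described in this report into offline triage checks: the pythonw.exe Run value written by the installer (three quoted tokens, the interpreter under a Python27(32) or Python27(64) directory), the three registry key parents under which version 1.9 stages received shellcode (numeric leaf), and the encrypted .inf configuration in %ProgramData% whose name is borrowed from the Windows inf directory and whose content is a 16-byte key, a 16-byte IV and then whole AES-CBC blocks, so the length is 32 plus a multiple of 16 and the ciphertext is close to 8 bits per byte. The key/IV order is not stated in the report and the check does not depend on it. All host data is passed in as plain values; the sample snapshot (hdaudio, keyboard, usbstor, ntdll, kernel32, the numeric key names) is constructed for illustration, and the 7.0 entropy threshold is a practitioner's assumption rather than a value from the report.

```python
# Added example (not ESET's code, not code from the backdoor): offline triage of the
# Dolphin host artifacts described above. Host data is passed in as plain values;
# collecting it (winreg, os.listdir) is left to the caller so the checks run anywhere.
import hashlib
import math
import re

DQ = '\u0022'  # the double-quote character, spelled as an escape to keep this block quote-free

# Run value: three quoted tokens, the first ending in Python27(32) or Python27(64) + pythonw.exe.
PYTHONW_TAIL = re.compile('\\\\Python27\\((32|64)\\)\\\\pythonw\\.exe$', re.IGNORECASE)
QUOTED = re.compile(DQ + '([^' + DQ + ']*)' + DQ)

# Key parents under which version 1.9 stages received shellcode; the leaf is a random
# number. The third entry keeps the concatenated path exactly as the report lists it.
SHELLCODE_PARENTS = (
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Classic',
    'HKCU\\Software\\Microsoft\\OneDrive\\Update',
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\HttpsSoftware\\Microsoft\\Internet Explorer\\Zone',
)

def is_dolphin_run_value(command):
    # interpreter, step-1 script, encrypted step-2 blob; the two loader paths are distinct
    tokens = QUOTED.findall(command)
    if len(tokens) != 3 or not PYTHONW_TAIL.search(tokens[0]):
        return False
    return bool(tokens[1]) and bool(tokens[2]) and tokens[1].lower() != tokens[2].lower()

def is_dolphin_shellcode_key(key_path):
    parent, _, leaf = key_path.rpartition('\\')
    return leaf.isdigit() and parent.lower() in {p.lower() for p in SHELLCODE_PARENTS}

def shannon_entropy(data):
    # bits per byte: AES-CBC output sits close to 8.0, INF text well below
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_like_dolphin_config(filename, data, windir_inf_names):
    # an .inf in %ProgramData% whose stem is borrowed from the Windows inf directory, holding
    # a 16-byte key and 16-byte IV (order unstated in the report, irrelevant here) followed
    # by whole AES-CBC blocks, so the length is 32 plus a multiple of 16
    stem, _, ext = filename.rpartition('.')
    if ext.lower() != 'inf' or stem.lower() not in {s.lower() for s in windir_inf_names}:
        return False
    if len(data) < 48 or (len(data) - 32) % 16:
        return False
    return shannon_entropy(data[32:]) > 7.0  # 7.0 is an assumed threshold, not from the report

def triage(snapshot):
    # snapshot keys: run_values, registry_keys, programdata_files, windir_inf_names
    findings = []
    for name, command in snapshot['run_values'].items():
        if is_dolphin_run_value(command):
            findings.append('run-value:' + name)
    for key_path in snapshot['registry_keys']:
        if is_dolphin_shellcode_key(key_path):
            findings.append('shellcode-key:' + key_path)
    for filename, data in snapshot['programdata_files'].items():
        if looks_like_dolphin_config(filename, data, snapshot['windir_inf_names']):
            findings.append('config-file:' + filename)
    return findings

def _pseudo_random(n, seed=b'dolphin-sample'):
    # deterministic high-entropy bytes standing in for AES-CBC output (constructed)
    out = b''
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, 'big')).digest()
        counter += 1
    return out[:n]

def build_sample_snapshot():
    # constructed host snapshot; every name and value here is made up for illustration
    pythonw = 'C:\\Users\\user\\AppData\\Roaming\\Python27(64)\\pythonw.exe'
    step1 = 'C:\\ProgramData\\hdaudio\\ntdll'
    step2 = 'C:\\ProgramData\\hdaudio\\kernel32'
    onedrive = 'C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'
    # genuine INF text sized to pass the length check, so only entropy rules it out
    inf_text = (b'[Version] Signature=$Windows NT$ Class=USB ' * 4)[:32 + 16 * 8]
    return {
        'run_values': {
            'hdaudio': ' '.join(DQ + p + DQ for p in (pythonw, step1, step2)),
            'OneDrive': DQ + onedrive + DQ + ' /background',
        },
        'registry_keys': [
            'HKCU\\Software\\Microsoft\\OneDrive\\Update\\48213',
            'HKCU\\Software\\Microsoft\\OneDrive\\Update\\Settings',
            'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Classic\\7',
        ],
        'programdata_files': {
            'usbstor.inf': inf_text,
            'keyboard.inf': _pseudo_random(32 + 16 * 64),
            'oem12.inf': _pseudo_random(32 + 16 * 64),  # stem is not a Windows inf name
        },
        'windir_inf_names': {'usbstor', 'keyboard', 'hdaudio'},
    }
```

Calling triage(build_sample_snapshot()) returns the Run value, the two numeric shellcode keys and keyboard.inf; the OneDrive value, the non-numeric key, the genuine INF text and the random file whose stem is not a Windows inf name are all left alone. On a live host the Run values come from the current user's Run key via winreg, the inf stems from the Windows inf directory listing, and the registry check only covers version 1.9, since version 2.0 moved staged shellcode into files; each hit is a lead for pulling the loader chain and the configuration file, not proof on its own.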
An example of a\r\ndecrypted configuration is shown in Figure 3.\r\nFigure 3. Dolphin backdoor configuration\r\nThe configuration can be modified through commands. It contains, among others, the following:\r\nEncryption keys\r\nCredentials for Google Drive API access\r\nWindow titles to keylog\r\nList of file extensions to exfiltrate\r\nDolphin evolution\r\nSince the initial discovery of Dolphin in April 2021, we have observed multiple versions of the backdoor, in which the threat\r\nactors improved the backdoor’s capabilities and made attempts to evade detection. Figure 4 summarizes the versions seen; a\r\nmore detailed description of the version changes is provided below.\r\nFigure 4. Dolphin evolution timeline\r\nNovember 2021 – version 2.0\r\nVersion 2.0 introduced the following changes to the version found in April 2021:\r\nDynamic resolution of suspicious APIs instead of static imports (for example GetAsyncKeyState) added\r\nShellcode capability finished and improved\r\nPersisted shellcode stored in files instead of registry\r\nPersisted shellcode loaded and executed on Dolphin startup (previously missing)\r\nPortable device file exfiltration capability finished and improved\r\nExfiltration by extensions added\r\nRecognition of internal memory and SD cards (from device ID) added\r\nCommand to get files from portable devices is now effectively a NOP\r\nDevice/drive detection and file exfiltration improved\r\nDolphin now unconditionally creates directory listings and exfiltrates files by extension every 30 minutes for\r\nall drives and devices (fixed drives, removable drives, portable devices). 
Previously, it was just for removable\r\ndrives; fixed drives were disabled by default and the code used for accessing portable devices was buggy and\r\nbroken.\r\nDecember 2021 – version 2.2\r\nChanges introduced in version 2.2 focused mainly on detection evasion. The credential-stealing capability and commands\r\nrelated to it – the credential stealing and Google account commands – were removed. Most strings in this version are base64\r\nencoded.\r\nJanuary 2022 – version 3.0\r\nIn version 3.0, the code was reorganized and classes renamed, with capabilities remaining unchanged. The base64-encoded\r\nstrings were plaintext again in this version. We observed the following additional changes:\r\nCommand to steal credentials restored in a different form; it now executes shellcode from the C\u0026C\r\nCommand to get files from portable devices completely removed\r\nCommand to get files from drives is now cached/stored in the configuration until completion. If interrupted (for\r\nexample by computer shutdown), it is done on the next run. This is also useful in the case of removable drives that\r\nmay not be connected when the command is issued.\r\nInternet connection check added (https://www.microsoft.com); no malicious code is executed if offline\r\nThe differences between versions 2.2 and 3.0, especially the discrepancy in string encoding, suggest the possibility that the\r\nversions were being developed in parallel by different people.\r\nConclusion\r\nDolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services. After being\r\ndeployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to\r\nGoogle Drive. 
One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’\r\nGoogle and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.\r\nDuring our analysis of multiple versions of the Dolphin backdoor, we saw continued development and attempts to evade\r\ndetection.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nSHA-1 | Filename | ESET detection name | Description\r\nF9F6C0184CEE9C1E4E15C2A73E56D7B927EA685B | N/A | Win64/Agent.MS | Dolphin backdoor version 1.9 (x\r\n5B70453AB58824A65ED0B6175C903AA022A87D6A | N/A | Win32/Spy.Agent.QET | Dolphin backdoor version 2.0 (x\r\n21CA0287EC5EAEE8FB2F5D0542E378267D6CA0A6 | N/A | Win64/Agent.MS | Dolphin backdoor version 2.0 (x\r\nD9A369E328EA4F1B8304B6E11B50275F798E9D6B | N/A | Win32/Agent.UYO | Dolphin backdoor version 3.0 (x\r\n2C6CC71B7E7E4B28C2C176B504BC5BDB687C4D41 | N/A | Win64/Agent.MS | Dolphin backdoor version 3.0 (x\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1189 | Drive-by Compromise | ScarCruft uses watering-hole attacks to compromise victims.\r\nExecution | T1059.006 | Command and Scripting Interpreter: Python | The Dolphin loader uses a Python script.\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript | ScarCruft used malicious JavaScript for a watering-hole attack.\r\nExecution | T1203 | Exploitation for Client Execution | ScarCruft exploits CVE-2020-1380 to compromise victims.\r\nExecution | T1106 | Native API | Dolphin uses Windows API functions to execute files and inject processes.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Dolphin uses a temporary scheduled task to start after installation.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Dolphin uses Run keys for persistence of its loader.\r\nDefense Evasion | T1055.002 | Process Injection: Portable Executable Injection | Dolphin can inject into other processes.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Dolphin has encrypted components.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Dolphin can obtain saved passwords from browsers.\r\nCredential Access | T1539 | Steal Web Session Cookie | Dolphin can obtain cookies from browsers.\r\nDiscovery | T1010 | Application Window Discovery | Dolphin captures the title of the active window.\r\nDiscovery | T1083 | File and Directory Discovery | Dolphin can obtain file and directory listings.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | Dolphin obtains a list of installed security software.\r\nDiscovery | T1082 | System Information Discovery | Dolphin obtains various system information including OS version, computer name and RAM size.\r\nDiscovery | T1016 | System Network Configuration Discovery | Dolphin obtains the device’s local and external IP address.\r\nDiscovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Dolphin checks internet connectivity.\r\nDiscovery | T1033 | System Owner/User Discovery | Dolphin obtains the victim’s username.\r\nDiscovery | T1124 | System Time Discovery | Dolphin obtains the victim’s current time.\r\nCollection | T1056.001 | Input Capture: Keylogging | Dolphin can log keystrokes.\r\nCollection | T1560.002 | Archive Collected Data: Archive via Library | Using the Zipper library, Dolphin compresses and encrypts collected data before exfiltration.\r\nCollection | T1119 | Automated Collection | Dolphin periodically collects files with certain extensions from drives.\r\nCollection | T1005 | Data from Local System | Dolphin can collect files from local drives.\r\nCollection | T1025 | Data from Removable Media | Dolphin can collect files from removable drives.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | Dolphin stages collected data in a directory before exfiltration.\r\nCollection | T1113 | Screen Capture | Dolphin can capture screenshots.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Dolphin uses HTTPS to communicate with Google Drive.\r\nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | Dolphin communicates with Google Drive to download commands and exfiltrate data.\r\nExfiltration | T1020 | Automated Exfiltration | Dolphin periodically exfiltrates collected data.\r\nExfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Dolphin exfiltrates data to Google Drive.\r\nSource: https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/"
	],
	"report_names": [
		"whos-swimming-south-korean-waters-meet-scarcrufts-dolphin"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434642,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/630804f20b18fe8e958f866b096c13f1afdd6308.pdf",
		"text": "https://archive.orkl.eu/630804f20b18fe8e958f866b096c13f1afdd6308.txt",
		"img": "https://archive.orkl.eu/630804f20b18fe8e958f866b096c13f1afdd6308.jpg"
	}
}