{
	"id": "4ac8860e-c57b-4d2c-b60a-238774239b77",
	"created_at": "2026-04-06T00:21:55.966225Z",
	"updated_at": "2026-04-10T03:38:06.33288Z",
	"deleted_at": null,
	"sha1_hash": "6bc8f6928136857afc21813e6ed5c27427f3d106",
	"title": "Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9290585,
	"plain_text": "Analysis of APT37 Attack Case Disguised as a Think Tank for\r\nNational Security Strategy in South Korea (Operation. ToyBox\r\nStory)\r\nBy Genians\r\nPublished: 2025-05-12 · Archived: 2026-04-05 22:56:13 UTC\r\n◈ Executive Summary\r\nDisguised the content as an academic forum invitation from a South Korean national security think tank to\r\nattract attention\r\nLured targets by referencing an actual event titled “Trump 2.0 Era: Prospects and South Korea’s Response”\r\nDelivered malicious LNK files via the Dropbox cloud platform\r\nAPT37 used Dropbox as a C2 server, following earlier use of pCloud and Yandex\r\nEDR-based anomaly hunting required to improve detection of fileless threats\r\n1. Overview\r\n○ In March 2025, the APT37 threat actor launched a spear phishing campaign targeting several activists focused\r\non North Korea. The email contained a Dropbox link leading to a compressed archive that included a malicious\r\nshortcut (LNK) file. When extracted and executed, the LNK file activated additional malware containing the\r\nkeyword “toy.”\r\n○ Based on the characteristics of the threat, Genians Security Center (GSC) named the campaign “Operation:\r\nToyBox Story” and began in-depth analysis.\r\nhttps://www.genians.co.kr/en/blog/threat_intelligence/toybox-story\r\nPage 1 of 24\n\n[Figure 1] Flowchart of the APT37 Attack\r\n2. Background\r\n○ 'APT37' is widely known as a state-sponsored hacking group linked to North Korea. Genians Security Center\r\n(GSC) has observed that the group utilizes a variety of attack strategies:\r\nWatering Hole\r\nSpear Phishing\r\nSocial Network Service (SNS) Phishing\r\n○ They exploit legitimate cloud services as Command and Control (C2) servers—commonly referred to as\r\n“Living off Trusted Sites (LoTS).” This tactic is similar to Living off the Land (LotL) attacks, which rely on\r\nabusing tools already present in the system. 
In this case, however, the attackers leverage trusted public web\r\nservices to conceal their operations. These services are mostly global platforms, and Dropbox has been frequently\r\nused in recent cases.\r\nDropbox\r\npCloud\r\nYandex\r\nOneDrive\r\nGoogle Drive\r\n○ The group has also been involved in various zero-day attacks, including the exploitation of Internet Explorer\r\nvulnerabilities such as CVE-2022-41128. Their operations have expanded beyond Windows to include Android-based malware (APK files) and attacks targeting macOS users.\r\n○ In March 2025, GSC’s threat analyst identified a new attack campaign and carried out an in-depth investigation.\r\n○ This report provides insight into an actual spear phishing case that impersonated a South Korean national\r\nsecurity think tank event, helping organizations prepare for similar threats in advance.\r\n3. Spear Phishing Analysis\r\n3-1. [Case A] Document Masquerading as Information on North Korean Troops Deployed to\r\nRussia\r\n○ The first observed spear phishing attack occurred on March 8, 2025.\r\n[Figure 2] Email containing information about North Korean troops deployed to Russia.\r\n○ The attacker impersonated a North Korea-focused expert based in South Korea. The email used the subject line\r\n“러시아 전장에 투입된 인민군 장병들에게.hwp (To North Korean Soldiers Deployed to the Russian\r\nBattlefield.hwp),” and the attachment had the same file name.\r\n○ The attachment mimicked a Hangul (HWP) document using the icon image employed by Naver Mail.\r\n○ The threat actor used the HWP icon image from Naver Mail to make the attachment appear as a legitimate file\r\nlink. 
However, the actual download link pointed to Dropbox.\r\n○ The Dropbox link led to a ZIP archive named “러시아 전장에 투입된 인민군 장병들에게.zip” (To North\r\nKorean Soldiers Deployed to the Russian Battlefield.zip).\r\n3-2. [Case B] Fake Invitation to a National Security Conference\r\n○ The second spear phishing case, which occurred on March 11, 2025, involved a fake invitation to a national\r\nsecurity conference.\r\n[Figure 3] Email containing a national security–related conference poster\r\n○ The attacker lured recipients by impersonating a think tank event on national security strategy. The email was\r\ncrafted to resemble a shared conference poster, leading the recipient to download the attachment.\r\n○ Similar to the previous case, the email listed one attachment titled “관련 포스터.zip (Related Poster.zip).” The\r\nicon used was again the “other image” type used by Naver Mail.\r\n○ The download link for the attachment also pointed to Dropbox.\r\n3-3. Summary of Used Malicious Files\r\n○ The malicious files used in each case are summarized below. The archive “러시아 전장에 투입된 인민군 장병들에게.zip (To North Korean Soldiers Deployed to the Russian Battlefield.zip)” contains a single shortcut (LNK)\r\nfile. 
This LNK file executes malicious code and shares the same name as the ZIP archive, with only the file\r\nextension being different.\r\nNo | ZIP Name | File Name | File Size (Bytes)\r\n1 | 러시아 전장에 투입된 인민군 장병들에게.zip (To North Korean Soldiers Deployed to the Russian Battlefield.zip) | 러시아 전장에 투입된 인민군 장병들에게.lnk (To North Korean Soldiers Deployed to the Russian Battlefield.lnk) | 824,819\r\n2 | 관련 포스터.zip (Related Poster.zip) | hkais_1e9ce53a18e24ebc01b539ba7ba6bedd.lnk | 12,145,612\r\n2 | 관련 포스터.zip (Related Poster.zip) | hkais_112ba70f4e2d696b6b0110218d8bcfc3.jpg | 116,271\r\n[Table 1] ZIP Archive and Internal File Information\r\n○ The “관련 포스터.zip (Related Poster.zip)” archive contains a harmless JPG image and a malicious LNK\r\nshortcut. When the LNK file is executed, it runs a hidden PowerShell command embedded within the file,\r\ninitiating the malicious activity.\r\n○ For reference, both LNK files deliver the same final payload, RoKRAT. Therefore, we provide an integrated\r\nanalysis below.\r\n4. Malware Analysis\r\n4-1. 러시아 전장에 투입된 인민군 장병들에게.lnk (To North Korean Soldiers Deployed to the\r\nRussian Battlefield.lnk)\r\n○ The shortcut (LNK) file is configured to run PowerShell commands via embedded arguments, following a\r\ntypical malware execution pattern.\r\n[Figure 4] Command Embedded in “러시아 전장에 투입된 인민군 장병들에게.lnk (To North Korean Soldiers\r\nDeployed to the Russian Battlefield.lnk)” File\r\n○ Executing the malicious LNK file triggers a predefined command that launches a decoy HWP file, presenting a\r\nlegitimate-looking document to the user.\r\n○ In addition, 3 hidden files are created in the %Temp% directory, and a BAT (batch) file is executed. 
To evade\r\ndetection, the file disguises the “.bat” extension by breaking it into separate characters and recombining them\r\nusing the plus (+) operator at runtime.\r\n[Figure 5] Malicious LNK File Structure\r\n○ The decoy HWP document contains a letter addressed to North Korean soldiers deployed to Russia.\r\n[Figure 6] Benign HWP File Used as a Decoy\r\n○ When the PowerShell command in the “toy03.bat” file is executed, it loads the “toy02.dat” file created in the temporary\r\nfolder, functioning as a loader.\r\n○ Next, the PowerShell command embedded in “toy02.dat” executes and loads “toy01.dat” from the same\r\ntemporary folder. During this stage, the XOR-decoded data is loaded into memory, and a new\r\nthread is created.\r\n○ As a result, the shellcode is loaded into memory and the memory area becomes executable.\r\n○ Then, a new thread is created to execute the memory-resident code. This technique is a fileless approach used\r\nfor dynamic code execution or runtime malware injection.\r\n[Figure 7] Shellcode Transformation via PowerShell Command\r\n○ By analyzing the shellcode loaded into memory, its detailed behavior can be identified. It follows a typical\r\nshellcode flow involving stack frame setup, function calls, and value assignments.\r\n[Figure 8] PE File Transformation via Shellcode XOR Logic\r\n○ The PE file embedded within the shellcode is decrypted using XOR logic and executed in memory. This file is a\r\ntypical example of the RoKRAT malware family.\r\n4-2. 
RoKRAT Behavior Analysis\r\n○ One defining trait of the RoKRAT malware family is that it collects system information from the infected host\r\nbefore executing its core malicious routines via the main function (WinMain).\r\n[Figure 9] RoKRAT Main Function Code Section\r\n○ Before executing the CreateThread routine, the main function calls ‘sub_40F0E7()’, which is responsible for\r\ncollecting system information.\r\n[Figure 10] System Information Collection Routine\r\n○ The gathered information is stored at the memory location labeled ‘rokrat_4CFCC8’ and includes the following\r\nsystem attributes:\r\nCollected Key System Information\r\nWindows OS Build Version\r\nComputer Device Name\r\nUser Name\r\nCurrent Process Path (Execution Path)\r\nSystem Manufacturer\r\nSystem Model\r\nSystem BIOS Version\r\n[Figure 11] System Information Collection Routine\r\n○ The function ‘sub_40F0E7()’ not only collects system information from the infected host, but also generates the\r\ndata required to communicate with the cloud-based C2 server.\r\n○ Subsequently, the main thread at the entry point is executed, which calls the function ‘sub_40F569()’. This\r\nfunction uses a switch statement to execute commands defined for each case.\r\n○ Representative commands include process termination and deletion of malicious scripts (to remove attack\r\ntraces), and storing information about removable drives. The malware also performs various actions such as\r\ncommunicating with the C2 server and executing ‘cmd.exe’ commands. 
Notably, it exhibits a unique RoKRAT\r\nbehavior of storing file data received from the C2 server into a file named ‘KB400928_doc.exe’ and executing it.\r\n[Figure 12] Commands Executed via switch-case Conditions\r\n○ RoKRAT captures real-time screenshots from the infected system and saves them in JPEG format.\r\n[Figure 13] Screenshot Collection\r\n○ The screenshot is saved in the temporary folder (%Temp%) with a “.tmp” extension. The filename is generated\r\nin hexadecimal format based on the specified pattern “%s%04X%04X.tmp”, where a random string is assigned to\r\na buffer variable. As a result, the filename takes the form of an 8-character hexadecimal value created by repeating\r\na random 4-character string.\r\n○ Collected system information, screenshots, and process details are bundled and transmitted to the C2 server as a\r\nunified dataset. First, a 4-byte value hardcoded in RoKRAT is added.\r\nFixed 4-byte Value: 0xFA 0xDE 0xAD 0xBA\r\n[Figure 14] Fixed 4-Byte Value\r\n○ The collected information is then XOR-encrypted with a 4-byte random key generated by a pseudo-random number\r\ngenerator (PRNG). However, since the threat actor already knows the fixed 4-byte value prefixed to the data, the random key\r\ncan be recovered from it and the data decrypted.\r\n[Figure 15] Encryption Routine Using Random Key\r\n○ After the initial XOR obfuscation, the data undergoes additional encryption using AES-CBC-128. The AES key\r\nitself is encrypted via RSA and prefixed to the data.\r\n[Figure 16] Partial View of AES-CBC-128 Encryption Routine\r\n○ The encrypted file, after passing through multiple encryption stages, is exfiltrated to a designated C2 server by\r\nthe attacker. 
The exfiltration addresses are as follows.\r\n○ The RoKRAT family typically uses 3 cloud-based API services and tokens. The most common examples are\r\nlisted below.\r\nCloud Services Used for C2\r\napi.pcloud[.]com\r\ncloud-api.yandex[.]net\r\napi.dropboxapi[.]com\r\nName | Action | API URL\r\npcloud | listfolder | https://api.pcloud[.]com/listfolder?path=%s\r\npcloud | uploadfile | https://api.pcloud[.]com/uploadfile?path=%s\u0026filename=%s\u0026nopartial=1\r\npcloud | getfilelink | https://api.pcloud[.]com/getfilelink?path=%s\u0026forcedownload=1\u0026skipfilename=1\r\npcloud | deletefile | https://api.pcloud[.]com/deletefile?path=%s\r\nyandex | limit | https://cloud-api.yandex[.]net/v1/disk/resources?path=%s\u0026limit=500\r\nyandex | upload | https://cloud-api.yandex[.]net/v1/disk/resources/upload?path=%s\u0026overwrite=%s\r\nyandex | download | https://cloud-api.yandex[.]net/v1/disk/resources/download?path=%s\r\nyandex | permanently | https://cloud-api.yandex.net/v1/disk/resources?path=%s\u0026permanently=%s\r\ndropbox | list_folder | https://api.dropboxapi[.]com/2/files/list_folder\r\ndropbox | upload | https://content.dropboxapi[.]com/2/files/upload\r\ndropbox | download | https://content.dropboxapi[.]com/2/files/download\r\ndropbox | delete | https://api.dropboxapi[.]com/2/files/delete\r\n[Table 2] Cloud C2 API Communication Addresses\r\n○ In this case, C2 communication is conducted via Dropbox authentication. 2 access tokens used for credential-based authorization were observed.\r\n[Figure 17] Dropbox Access Tokens\r\nAccess Token | E-Mail\r\nqpIH7aCNxGUAAAAAAAAAAbvHIsHbphV6aB6THhpP-8t30a_TXE14lh4kLBHEl6Cp | rolf.gehrung@yandex.com\r\n2SufkFqeegMAAAAAAAAAAXBHNzzqhiDRu4wvncLkI7VIkC8Zd3YkJWlqZbpL8afr | ekta.sahasi@yandex.com\r\n○ Each access token is associated with registrant information as shown above, and both tokens are linked to\r\nRussian Yandex accounts.\r\n4-3. 
RoKRAT Similarity Analysis\r\n○ On February 3rd, Genians published a report titled “APT37’s Malicious HWP Document Delivered via K-Messenger.” The case involved the distribution of malicious HWP files through popular instant messaging\r\nplatforms in South Korea and specific group chats.\r\n○ At the time, filenames related to automobile brands and transportation were used for the malicious documents. A\r\ncomparison between the RoKRAT sample from the ToyBox Story case and the earlier variant revealed significant\r\ncode similarities.\r\n[Figure 18] Comparative Analysis of RoKRAT Encryption Routine Similarities\r\n○ “Capa,” an open-source tool developed by Google’s Mandiant FLARE team, features over 890 predefined rules\r\nthat can be used to identify functionalities within executable files. It is useful for static malware analysis and is\r\ncontinuously updated with new capabilities. It can also be used to assess functional similarities across related\r\nmalware samples.\r\n○ Unlike Yara, which relies on byte sequence matching, Capa identifies behavior-based patterns tied to specific\r\nfunctionalities. In particular, it analyzes embedded API calls, registry references, and various strings to determine\r\ncapabilities and provides ATT\u0026CK mapping data as well.\r\n[Figure 19] Similarity Analysis Using Capa Static Analysis\r\n○ Analysis of the RoKRAT file using the Capa tool revealed consistent mappings to MITRE ATT\u0026CK tactics and\r\ntechniques, suggesting a strong behavioral correlation.\r\n○ The Malware Behavior Catalog (MBC) classifies malware behavior based on static analysis results, though\r\ndiscrepancies may exist when compared to runtime behavior.\r\n○ The results for both “MBC Objective” and “MBC Behavior” also follow the same pattern. 
This shows that\r\nalthough the RoKRAT module continues to be used over time, there have been few changes to its code structure.\r\n○ APT37 appears to employ the RoKRAT module in fileless attacks, enabling it to evade antivirus detection\r\nwithout significant code changes. Consequently, detection and response via EDR solutions are more effective.\r\n5. Threat Attribution\r\n5-1. Traces of the Threat Actor\r\n○ GSC collected threat actor information through HUMINT, intelligence-sharing partnerships (both domestic and\r\ninternational), and threat intelligence analysis.\r\n○ During the investigation of infrastructure used to issue malicious file commands, several Russian Yandex email\r\naccounts were identified.\r\nYandex Email Addresses\r\nrolf.gehrung@yandex.com\r\nekta.sahasi@yandex.com\r\ngursimran.bindra@yandex.com\r\nsneha.geethakrishnan@yandex.com\r\n○ In addition, a previous report published on November 6, 2024, titled “Cyber Reconnaissance Activities\r\nAttributed to APT37,” disclosed five Gmail accounts used by the threat actor.\r\nGmail Addresses\r\ntanessha.samuel@gmail.com\r\ntianling0315@gmail.com\r\nw.sarah0808@gmail.com\r\nsoftpower21cs@gmail.com\r\nsandozmessi@gmail.com\r\n○ Username searches based on the Yandex email addresses returned LinkedIn profiles with matching names.\r\nHowever, it is unclear whether these are mere coincidences, cases of identity theft, or impersonation. The\r\ninvestigation is ongoing.\r\n[Figure 20] LinkedIn Profiles Matching Yandex Email Usernames\r\n5-2. Threat Infrastructure Similarity\r\n○ Following the release of the report “Rise in Fileless RoKRAT Attacks by the APT37 Group,” similar threat\r\ncampaigns have continued to surface. 
In particular, the group continues to use LNK and HWP files containing\r\nembedded commands to initiate fileless RoKRAT attacks.\r\n[Figure 21] Relationship Diagram of APT37 Campaigns\r\n○ A review of APT37’s campaign infrastructure shows that the group frequently leverages legitimate cloud storage\r\nservices as command and control (C2) servers.\r\n○ The actor also utilizes services like NordVPN and AstrillVPN to obfuscate their network origin. Notably, the\r\nuse of AstrillVPN was previously mentioned in Google’s threat intelligence report, “Staying a Step Ahead:\r\nMitigating the DPRK IT Worker Threat.”\r\n6. Conclusion and Response\r\n○ This report examined a recent APT37 campaign that masqueraded as content related to North Korean troop\r\ndeployments in Russia and an academic forum organized by a South Korean national security think tank.\r\n○ The threat actors exploited legitimate cloud services as C2 infrastructure and continued to modify shortcut\r\n(LNK) files while focusing on fileless attack techniques to evade detection by anti-virus software installed on\r\ntarget endpoints.\r\n○ When pattern-based security products fail to detect the initial intrusion, they may allow threats to advance and\r\ncause unexpected damage. 
As a precaution, users should refrain from opening any LNK files attached to emails,\r\nespecially those contained in compressed archives.\r\n○ In practice, it is often unrealistic to enforce knowledge-based security rules consistently across all users.\r\nConsequently, security teams must rely on endpoint monitoring and proactive threat hunting to mitigate risk.\r\nGenian EDR detects such threats in real time and blocks them before they can spread within the internal network.\r\n[Figure 22] Threat Detection via Genian EDR Event Analysis\r\n○ Based on the attack scenario described in this report, we can simulate how the incident would unfold in a real-world environment. When a user on an endpoint equipped with the Genian EDR agent receives a phishing email\r\nand extracts the attached ZIP archive, the embedded LNK file is immediately flagged as a threat.\r\n○ Genian EDR not only detects the threat but also provides administrators with immediate insight into the delivery\r\nvector and execution path. 
This enables deeper investigation and supports proactive measures to strengthen\r\norganizational security and prevent recurrence.\r\n[Figure 23] PowerShell Command Line View\r\n○ Genian EDR’s attack storyline feature provides clear visibility into parent-child process relationships on the\r\ncompromised endpoint.\r\n○ Analysts can examine command-line arguments passed to intermediary processes like cmd.exe and\r\npowershell.exe, offering critical visibility for threat analysis.\r\n○ Beyond execution tracking, Genian EDR enables proactive threat hunting through granular event analysis and\r\nLIVE search, tailored per endpoint.\r\n[Figure 24] Genian EDR Interface Showing Detected C2 Cloud Communication\r\n○ Security administrators in both enterprise and public environments can efficiently monitor and manage\r\nabnormal behaviors on specific endpoints through EDR activity logs.\r\n○ In particular, determining whether access to legitimate cloud services is malicious cannot rely on connection\r\ndata alone. However, Genian EDR leverages its accumulated threat intelligence and proprietary anomaly detection\r\nengine, XBA, to detect malicious API-layer communications with cloud services.\r\n○ In addition, Genian EDR integrates MITRE ATT\u0026CK mapping to enable more precise threat classification and\r\nstructured response workflows.\r\n7. 
Indicator of Compromise\r\nC2\r\n89.147.101[.]65\r\n89.147.101[.]71\r\n37.120.210[.]2\r\nE-Mail\r\nrolf.gehrung@yandex.com\r\nekta.sahasi@yandex.com\r\ngursimran.bindra@yandex.com\r\nsneha.geethakrishnan@yandex.com\r\ntanessha.samuel@gmail.com\r\ntianling0315@gmail.com\r\nw.sarah0808@gmail.com\r\nsoftpower21cs@gmail.com\r\nsandozmessi@gmail.com\r\ntiger.man.1999@mail.ru\r\nnavermail_noreply@mail.ru\r\nSource: https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story"
	],
	"report_names": [
		"toybox-story"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bc8f6928136857afc21813e6ed5c27427f3d106.pdf",
		"text": "https://archive.orkl.eu/6bc8f6928136857afc21813e6ed5c27427f3d106.txt",
		"img": "https://archive.orkl.eu/6bc8f6928136857afc21813e6ed5c27427f3d106.jpg"
	}
}