{
	"id": "ba465414-e968-46d4-864a-ea060f94a260",
	"created_at": "2026-04-06T00:22:14.335285Z",
	"updated_at": "2026-04-10T03:38:06.693449Z",
	"deleted_at": null,
	"sha1_hash": "809d2511cc72fc1d1433cc2fa5d9736013637b33",
	"title": "APT37 - RokRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1321746,
	"plain_text": "APT37 - RokRat\r\nBy Mohamed Ezzat\r\nPublished: 2025-03-01 · Archived: 2026-04-05 17:59:29 UTC\r\nMeet APT37 Group\r\nAPT37, also known as ScarCruft, Reaper, and Red Eyes, is a North Korean state-sponsored hacking group that has been active since 2012. Its operations originally focused on the public and private sectors in South Korea; in 2017 it extended its targeting to Japan, Vietnam and the Middle East, and to industries such as healthcare and manufacturing. By 2023, APT37 had shifted to phishing campaigns targeting users on both Windows and Android platforms.\r\nThe group is known for a variety of attack vectors, including malicious LNK files spread through group chat platforms.\r\nTechnical Points\r\nInfection Vector: The attack begins with a phishing email carrying a ZIP attachment that hides a malicious LNK file masquerading as a document on North Korean affairs or trade agreements. When executed, the LNK file starts a multi-stage chain of batch scripts and PowerShell that ends with RokRat as the final payload.\r\nHost Profiling: RokRat collects detailed system information, including the OS version, computer name, logged-in user and executable path. It also retrieves hardware details, records system uptime, enumerates running processes and captures screenshots. This data is exfiltrated to the Command-and-Control (C2) server.\r\nC2 Communication: RokRat abuses cloud services (pCloud, Yandex Disk and Dropbox) as its C2 channels, using their APIs to upload, download and delete files. OAuth tokens for these services are embedded in the binary, so the malware needs no interactive login.\r\nCommand Execution: RokRat executes operator commands on the infected system, covering data exfiltration, system reconnaissance and process termination. 
It can execute remote commands via cmd.exe, collect and upload files, scan system drives, delete specific files, and retrieve additional payloads from the C2.\r\nInfection Flow\r\nThe infection starts with phishing emails that look urgent; the attackers lift real information from public websites to make them more believable. The emails carry ZIP files containing malicious LNK files disguised as documents.\r\nhttps://zw01f.github.io/malware%20analysis/apt37/\r\nPage 1 of 21\n\nWhen executed, the LNK launches the next stage of the attack.\r\nFigure(1): Infection Flow Diagram\r\nStage 1 - LNK file\r\nThe code embedded in the .lnk file runs commands that invoke PowerShell.\r\nFigure(2): LECmd output\r\nFirst, it checks whether it is running from System32 or Program Files; if so, it moves to the %temp% directory. It then reads itself with a simple trick: rather than relying on the shortcut's path, it searches for .lnk files with a size of 0x0DD4B11F bytes.\r\nOnce found, it carves several payloads out of the .lnk file and saves them in %temp%:\r\nAt offset 0x111E, 0xAD36 bytes, saved as a .hwpx document and opened immediately.\r\nAt offset 0xBE54, 0xD9190 bytes, saved as caption.dat.\r\nAt offset 0xE4FE4, 0x0636 bytes, saved as elephant.dat.\r\nAt offset 0xE561A, 0x0147 bytes, saved as shark.bat, which is then executed.\r\nTo automate the extraction process, I wrote a quick script (offsets and sizes as listed above):\r\nimport os\r\n\r\n# Offsets and sizes of the payloads embedded in the LNK, as found above.\r\nEMBEDDED = [\r\n    (0x0000111E, 0x0000AD36, 'extracted.hwpx'),  # decoy document\r\n    (0x0000BE54, 0x000D9190, 'caption.dat'),     # XOR-encrypted shellcode\r\n    (0x000E4FE4, 0x00000636, 'elephant.dat'),    # PowerShell loader\r\n    (0x000E561A, 0x00000147, 'shark.bat'),       # batch launcher\r\n]\r\n\r\n\r\ndef extract_embedded_files(lnk_path, output_dir):\r\n    os.makedirs(output_dir, exist_ok=True)\r\n    try:\r\n        with open(lnk_path, 'rb') as lnk_file:\r\n            for offset, size, name in EMBEDDED:\r\n                lnk_file.seek(offset)\r\n                data = lnk_file.read(size)\r\n                if len(data) != size:\r\n                    print(f'{name}: expected {size:#x} bytes, got {len(data):#x}')\r\n                with open(os.path.join(output_dir, name), 'wb') as f:\r\n                    f.write(data)\r\n                print(f'{name} extracted')\r\n    except OSError as e:\r\n        print(f'Error occurred: {e}')\r\n\r\n\r\ndef main():\r\n    lnk_path = ''    # path to the malicious .lnk\r\n    output_dir = ''  # folder for the carved payloads\r\n    extract_embedded_files(lnk_path, output_dir)\r\n\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nFinally, it deletes the original .lnk file to cover its tracks.\r\nStage 2 - The dropped files\r\nHWPX document\r\nFigure(3): The HWPX document on VT\r\nThis is a decoy document, opened so the victim believes a normal file was launched while the real attack runs in the background. It appears to be a public service record form, commonly used in South Korea for official recommendations and recognitions.\r\nFigure(4): content of HWPX document\r\nshark.bat\r\nI started by analyzing shark.bat, which is extracted and executed. This batch script launches PowerShell in a minimized, hidden window. 
It then reads elephant.dat from the %temp% directory, loads it into memory, and executes it using Invoke-Command.\r\nFigure(5): The used script\r\nelephant.dat\r\nDespite its name, this is another PowerShell script designed to load and execute a payload in memory. It reads the encrypted file caption.dat (the second extracted file) from %temp% and decrypts it with the single-byte XOR key ‘d’ (0x64) to obtain the executable content.\r\nOnce decrypted, the script resolves the functions it needs from kernel32.dll, allocates memory for the payload, copies it in and creates a thread to run it, so the decrypted code never touches disk.\r\nStage 3 - shellcode\r\nThe decrypted shellcode in turn decrypts a PE file from encrypted data hardcoded inside it.\r\nFigure(6): The decrypted shellcode.\r\nThe shellcode reads data from memory at offset 0x58B, where the first byte is the XOR key, the next four bytes give the encrypted data length, and the rest is the encrypted PE file. 
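The two XOR layers just described can be unpacked without IDA. The Python below is an added example written for this edit, not the author's script: it decrypts a caption.dat image with the key 'd', parses the key/length header at offset 0x58B and recovers the PE, refusing to proceed when the length runs past the buffer or the result lacks the MZ magic. The blob it runs on is constructed inside the script to match the layout described above; it is a hypothetical stand-in, not the real payload.

```python
import struct

# Values reported in the analysis above: elephant.dat XORs caption.dat with the
# single byte 'd', and the resulting shellcode keeps its embedded PE at offset
# 0x58B laid out as [key: 1 byte][length: 4 bytes little-endian][encrypted PE].
CAPTION_XOR_KEY = ord('d')
EMBEDDED_PE_OFFSET = 0x58B


def xor_single_byte(data: bytes, key: int) -> bytes:
    # XOR with a repeated byte is its own inverse, so one helper covers both directions.
    return bytes(b ^ key for b in data)


def decrypt_caption(caption_dat: bytes) -> bytes:
    # Stage 2: recover the shellcode that elephant.dat maps into memory.
    return xor_single_byte(caption_dat, CAPTION_XOR_KEY)


def extract_embedded_pe(shellcode: bytes, offset: int = EMBEDDED_PE_OFFSET) -> bytes:
    # Stage 3: parse the key/length header and decrypt the PE, with the bounds
    # and magic checks a dumper should not skip.
    if len(shellcode) < offset + 5:
        raise ValueError('shellcode too short to hold the embedded header')
    key = shellcode[offset]
    (length,) = struct.unpack('<I', shellcode[offset + 1:offset + 5])
    start = offset + 5
    if length == 0 or start + length > len(shellcode):
        raise ValueError('embedded length 0x%x runs past the buffer' % length)
    pe = xor_single_byte(shellcode[start:start + length], key)
    if pe[:2] != b'MZ':
        raise ValueError('decrypted blob does not start with MZ: wrong offset or key')
    return pe


def unpack_rokrat_chain(caption_dat: bytes) -> bytes:
    # caption.dat -> shellcode -> final PE, the chain the post describes.
    return extract_embedded_pe(decrypt_caption(caption_dat))


def unpack_or_none(blob: bytes):
    # Convenience wrapper for triage loops: None instead of an exception on junk input.
    try:
        return unpack_rokrat_chain(blob)
    except ValueError:
        return None


# --- constructed sample (hypothetical bytes, not the real payload) ---
def build_sample_caption(pe_plain: bytes, pe_key: int = 0x5A) -> bytes:
    # Assemble the on-disk layout the post describes so the parser can be exercised offline.
    header = bytes([pe_key]) + struct.pack('<I', len(pe_plain))
    shellcode = bytes(EMBEDDED_PE_OFFSET) + header + xor_single_byte(pe_plain, pe_key)
    return xor_single_byte(shellcode, CAPTION_XOR_KEY)


SAMPLE_PE = b'MZ' + bytes(range(62)) + b'PE' + bytes(2)   # fake PE: MZ magic, filler, PE tag
SAMPLE_CAPTION = build_sample_caption(SAMPLE_PE)

if __name__ == '__main__':
    recovered = unpack_rokrat_chain(SAMPLE_CAPTION)
    print('recovered %d bytes, magic %r' % (len(recovered), recovered[:2]))
```

On a real caption.dat the same call chain applies unchanged; the MZ check is what tells you whether the 0x58B offset still holds for a new sample or whether the structure has to be located again in the disassembler.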
The shellcode then decrypts the PE by XORing each byte with that key, maps it into memory, resolves its imports and executes it.\r\nFigure(7): The structure of the encrypted data\r\nWe can dump the decrypted PE file with this IDAPython script (it assumes the shellcode is loaded at base 0, so the offset 0x58B is also the address; adjust addr if the segment is rebased):\r\nimport idc\r\n\r\n\r\ndef save_to_file(file_path, data):\r\n    with open(file_path, 'wb') as file:\r\n        file.write(data)\r\n\r\n\r\naddr = 0x58B\r\nxor_key = idc.get_wide_byte(addr)               # single-byte XOR key\r\ndata_size = idc.get_wide_dword(addr + 1)        # 4-byte little-endian length\r\nenc_data = idc.get_bytes(addr + 5, data_size)   # encrypted PE\r\ndec_data = bytes(b ^ xor_key for b in enc_data)\r\nassert dec_data[:2] == b'MZ', 'wrong offset or key'\r\nsave_to_file('dump_file.bin', dec_data)\r\nFinal payload - RokRat\r\nThe final payload is RokRat, a remote access Trojan (RAT) primarily used by APT37. This sample was compiled in October 2024 and had already been seen in another attack in December 2024.\r\nFigure(8): Rokrat on VT.\r\nAnti analysis\r\nEncrypted strings\r\nRokRat uses two custom string-decryption routines to hide its strings.\r\nThe first operates on stack strings: the first character serves as the key, and that key plus a fixed value (2048) is subtracted from each subsequent character.\r\nThe second also uses the first byte as the key but processes the string two bytes at a time (wide characters), subtracting the key from each to recover the plaintext.\r\nFigure(9): Encrypted algorithms used.\r\nDecrypted strings include:\r\n  IsWow64Process\r\n  C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\r\n  HARDWARE\\DESCRIPTION\\System\r\nAnti-vm\r\nRokRat detects VMware Tools through vmtoolsd.exe. 
It first checks whether the executable exists at its default installation path and then retrieves its version details. If the file is found and its version metadata is successfully read, RokRat assumes it is running inside a VMware virtual machine.\r\nFigure(10): Anti vm used.\r\nDetect sandbox\r\nThe function creates and then deletes a randomly named file in C:\\Windows, a common technique in malware to test file-system write permissions (writing there normally requires administrative rights, so the result also reveals whether the RAT is elevated) or to introduce execution delays that a sandbox may not wait out.\r\nFigure(11): Detect sandbox.\r\nRokRat also checks for a debugger with IsDebuggerPresent.\r\nGather host info\r\nRokRat gathers detailed information about the compromised system. It first retrieves the system version and determines whether the process is running under WOW64.\r\nIt also collects the computer name, the logged-in username, and the full path of its own executable.\r\nIt reads further details from the registry and determines the system's uptime in milliseconds, excluding time spent in sleep.\r\nFigure(12): Gathered Information.\r\nThe registry values it reads include SystemBiosVersion.\r\nFigure(13): Get hardware Info from registry.\r\nProcess Enumeration\r\nRokRat gathers details about running processes, including their Process ID (PID), executable name, and file path. Each entry is formatted as \"%spid:%d,name:%s,path:%s%s\", stored and prepared for exfiltration.\r\nFigure(14): Process Enumeration function.\r\nCapture a screenshot\r\nRokRat captures a screenshot, converts the image to JPEG, and prepares it for exfiltration.\r\nC2 Communications\r\nRokRat abuses legitimate cloud services such as pCloud, Yandex Disk, and Dropbox as command and control (C2) channels. By using these platforms' APIs, RokRat can exfiltrate stolen data, download additional payloads, and receive commands while blending into the normal traffic these providers attract. It also features a test mode that lets it run against the local machine.\r\nThe API endpoint used for each operation:\r\nOperation     | Cloud Provider | API\r\nUpload File   | Dropbox        | https://content.dropboxapi.com/2/files/upload\r\n              | Yandex Disk    | https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s\u0026overwrite=%s\r\n              | pCloud         | https://api.pcloud.com/uploadfile?path=%s\u0026filename=%s\u0026nopartial=1\r\nDownload File | Dropbox        | https://content.dropboxapi.com/2/files/download\r\n              | Yandex Disk    | https://cloud-api.yandex.net/v1/disk/resources/download?path=%s\r\n              | pCloud         | https://api.pcloud.com/getfilelink?path=%s\u0026forcedownload=1\u0026skipfilename=1\r\nList Folder   | Dropbox        | https://api.dropboxapi.com/2/files/list_folder\r\n              | Yandex Disk    | https://cloud-api.yandex.net/v1/disk/resources?path=%s\u0026limit=500\r\n              | pCloud         | https://api.pcloud.com/listfolder?path=%s\r\nDelete File   | Dropbox        | https://api.dropboxapi.com/2/files/delete\r\n              | Yandex Disk    | https://cloud-api.yandex.net/v1/disk/resources?path=%s\u0026permanently=%s\r\n              | pCloud         | https://api.pcloud.com/deletefile?path=%s\r\nOAuth tokens for these services are hardcoded in the binary, so no interactive login is needed. This sample mainly uses pCloud for its Command-and-Control (C2) operations. 
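The endpoint table above, together with the spoofed Googlebot User-Agent the post documents for the pCloud request, gives a cheap network-side detection. The Python below is an added example written for this edit, not the author's code: it reads proxy log lines in an assumed pipe-separated export format (constructed here, not any product's real format), matches each URL against the fixed part of the API endpoints in the table, and raises the severity only when a crawler User-Agent accompanies the cloud API call, because legitimate Dropbox and Yandex clients hit the same endpoints. The log lines and the client User-Agent strings in them are constructed, not captured traffic.

```python
from urllib.parse import urlsplit

# Fixed parts of the cloud API URLs from the C2 table above (the %s query
# parameters vary per request, so matching stops before the query string).
ROKRAT_C2_PREFIXES = (
    'content.dropboxapi.com/2/files/upload',
    'content.dropboxapi.com/2/files/download',
    'api.dropboxapi.com/2/files/list_folder',
    'api.dropboxapi.com/2/files/delete',
    'cloud-api.yandex.net/v1/disk/resources',
    'api.pcloud.com/uploadfile',
    'api.pcloud.com/getfilelink',
    'api.pcloud.com/listfolder',
    'api.pcloud.com/deletefile',
)
# Substring of the spoofed User-Agent the post reports; a search-engine
# crawler UA never legitimately originates from an internal workstation.
CRAWLER_UA_MARKERS = ('googlebot',)


def parse_proxy_line(line: str) -> dict:
    # Assumed export format (constructed for this example, not a real product):
    # timestamp|src_ip|method|url|status|bytes|user_agent
    ts, src, method, url, status, size, ua = line.rstrip().split('|', 6)
    return {'ts': ts, 'src': src, 'method': method, 'url': url,
            'status': int(status), 'bytes': int(size), 'ua': ua}


def matches_c2_endpoint(url: str) -> bool:
    # Compare scheme, host and path only; query strings carry per-request values.
    parts = urlsplit(url)
    host_and_path = parts.netloc.lower() + parts.path
    return parts.scheme == 'https' and any(host_and_path.startswith(p) for p in ROKRAT_C2_PREFIXES)


def looks_like_crawler(ua: str) -> bool:
    return any(m in ua.lower() for m in CRAWLER_UA_MARKERS)


def triage(lines):
    # Returns (severity, src_ip, url) per suspicious line. Cloud API traffic alone
    # is common (real Dropbox/Yandex clients use the same endpoints), so it is
    # only 'info'; the combination with a crawler UA is the RokRat-specific signal.
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        c2 = matches_c2_endpoint(rec['url'])
        crawler = looks_like_crawler(rec['ua'])
        if c2 and crawler:
            findings.append(('high', rec['src'], rec['url']))
        elif c2:
            findings.append(('info', rec['src'], rec['url']))
        elif crawler:
            findings.append(('low', rec['src'], rec['url']))
    return findings


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    '2025-03-01T09:12:03Z|10.0.0.5|POST|https://api.pcloud.com/uploadfile?path=/&filename=20250301%20091203&nopartial=1|200|48211|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
    '2025-03-01T09:12:10Z|10.0.0.5|GET|https://cloud-api.yandex.net/v1/disk/resources?path=/&limit=500|200|1311|Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
    '2025-03-01T09:13:44Z|10.0.0.9|POST|https://content.dropboxapi.com/2/files/upload|200|90112|DropboxDesktopClient/200.4.6000 (Windows; 10; x64)',
    '2025-03-01T09:14:01Z|10.0.0.7|GET|https://www.example.com/|200|5120|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0',
]

if __name__ == '__main__':
    for sev, src, url in triage(SAMPLE_LOG):
        print(sev, src, url)
```

Real Googlebot traffic is inbound to web servers; a crawler User-Agent on an outbound request from a user subnet is the anomaly, which is why it carries the weight here rather than the endpoint. A production version would add an allow-list of hosts expected to run cloud sync clients and an upload byte-count threshold to catch the file collection commands described later.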
RokRat authenticates to pCloud with an HTTP request carrying a hardcoded OAuth token: JINs7ZDb7OvfloXrYZt8wH7kZ7LjAjGKBckj4kTgWSBiDSVWF1fKX\r\nIt also disguises its HTTP traffic by spoofing the User-Agent string so the requests look like a Googlebot crawler: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html). A crawler User-Agent has no reason to originate from a workstation, so this string is a useful proxy-log pivot on its own.\r\nFigure(15): Example of Http request .\r\nRokRat combines XOR obfuscation and RSA encryption before exfiltrating data. It first XORs the data with randomly generated keys to make it less recognizable, then encrypts the result with RSA so that only the attacker, who holds the private key, can decrypt it (the XOR layer is obfuscation rather than encryption; confidentiality rests on the RSA step).\r\nCommands\r\nRokRat retrieves encrypted commands from its C2 server; the commands are encrypted with AES in CBC mode. It decrypts them locally and executes them on the system.\r\nCommand - ‘0’\r\nSets the send-data flag to 0 (false), meaning data collection should stop.\r\nCommand - ‘i’\r\nSets the send-data flag to 1 (true), meaning the collected information is ready to be sent to the C2 server.\r\nCommand - ‘j’ or ‘b’\r\nStarts the termination routine, forcing the malware to stop running and exit.\r\nCommand - ‘d’\r\nPerforms a deletion operation that removes script and shortcut files from the Windows Startup folder and the AppData directory. 
It targets .VBS (VBScript), .CMD and .BAT (batch scripts), .LNK (shortcuts), and any additional files created during execution:\r\n del \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.VBS\"\r\n     \"%appdata%\\*.CMD\"\r\n     \"%appdata%\\*.BAT\"\r\n     \"%appdata%\\*01\"\r\n     \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.lnk\"\r\n     \"%allusersprofile%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.lnk\" /F /Q\r\nOnce the deletion is complete, the command starts the termination routine to shut down the RAT. Because these patterns match the loader's own script and shortcut artifacts, responders should collect the Startup folders and %appdata% from a suspected host before a cleanup command has had a chance to run.\r\nCommand - ‘f’\r\nThis command is similar to the previous one but does not target .lnk (shortcut) files:\r\n del \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*.VBS\"\r\n     \"%appdata%\\*.CMD\"\r\n     \"%appdata%\\*.BAT\"\r\n     \"%appdata%\\*01\" /F /Q\r\nOnce the deletion is complete, this command also starts the termination routine.\r\nCommand - ‘g’\r\nResets and erases its working memory, making it ready for another operation.\r\nCommand - ‘h’\r\nScans all logical drives, including fixed, removable and network drives, lists their contents recursively and saves the results to a temporary file. The file is uploaded to the C2 server and then deleted to remove traces.\r\nFigure(16): function scans all logical drives.\r\nCommand - ‘e’\r\nExecutes an instruction received from the C2 server via cmd.exe, giving the operator remote command execution.\r\nFigure(17): Command e.\r\nCommand - ‘c’\r\nReceives a path from the C2 server and checks whether it is a file or a directory. 
If the path is a directory, the function reads the files it contains, processes and encrypts their contents, and uploads them to the C2 cloud storage.\r\nIf the path is a file, a filter based on file extension is applied. With the filter set to “Normal” it specifically targets document-related types: .XLS, .DOC, .PPT, .TXT, .M4A, .AMR, .PDF and .HWP (.HWP is the Hangul Word Processor format ubiquitous in South Korea; .M4A and .AMR are audio formats typical of voice recordings). With the filter set to “All” it collects and uploads files of any type.\r\nCommands [1-9]\r\nThese commands download a payload and execute it:\r\nDownload (Commands 1, 2, 5, 6): These commands fetch secondary payloads from attacker-specified URLs, opening an HTTP connection to the URL and downloading the data without any additional decryption.\r\nFigure(18): Download file from internet.\r\nDownload (Commands 3, 4, 7, 8, 9): These commands download a payload from the C2 cloud storage. Once downloaded, the payload is decrypted and its integrity verified.\r\nExecution (Commands 1, 2, 3, 4): The code checks that the download succeeded and, if so, creates a new thread to execute the payload. If execution succeeds it writes “OK” to a temporary text file (%temp%\\r.txt); if it fails it writes “BD” to the same file.\r\nAdditionally, a batch script is executed to gather system information, including:\r\nA list of running processes\r\nStartup items\r\nSystem configuration\r\nRouting details\r\nThis information is saved into the same temporary file (r.txt), encrypted, and exfiltrated to the C2 server. After exfiltration the file is deleted.\r\nExecution (Commands 5, 6, 7, 8, 9): The code again checks that the download succeeded and, if so, constructs a file path. 
Then it creates a temporary file named KB400928_doc.exe, writes the downloaded data to it, and runs the file with ShellExecuteA.\r\nYARA Rule\r\nrule detect_RokRat\r\n{\r\n    meta:\r\n        description = \"Detects RokRat payload using some of its hardcoded strings\"\r\n        author = \"Mohamed Ezzat (@ZW01f)\"\r\n        hash1 = \"09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232\"\r\n        hash2 = \"94159655fa0bfb1eff092835d8922d3e18ca5c73884fd0d8b78f42c8511047b6\"\r\n    strings:\r\n        // cloud API endpoints used for C2\r\n        $s0 = \"https://api.pcloud.com/deletefile?path=%s\" wide\r\n        $s1 = \"https://api.dropboxapi.com/2/files/list_folder\" wide\r\n        $s3 = \"https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s\u0026overwrite=%s\" wide\r\n        $s4 = \"https://cloud-api.yandex.net/v1/disk/resources?path=%s\u0026limit=500\" wide\r\n        $s5 = \"https://cloud-api.yandex.net/v1/disk/resources?path=%s\u0026permanently=%s\" wide\r\n        // file name used for downloaded payloads\r\n        $s6 = \"KB400928_doc.exe\"\r\n        // timestamp format string\r\n        $s7 = \"%04d%02d%02d %02d%02d%02d\" wide\r\n    condition:\r\n        // PE header plus every string: tight to this sample, so expect lower recall on recompiled variants\r\n        uint16(0) == 0x5A4D and all of ($s*)\r\n}\r\nIoCs\r\nStage                   SHA-256\r\nZip file                cfc814a16547dd4e92607bd42d2722cc567492e88d2830d7d28a0cc20bf3950c\r\nLnk file                7df7ad7b88887a06b559cd453e7b65230d0cccff1a403328a521d8753000c6c9\r\nhwpx document           9d96e4816a59475768d461a71cecf20fd99215ce289ecae8c865cf45feeb8802\r\nshark.bat               5306582c8a24508b594fed478d5abaa5544389c86ba507d8ebf98c5c7edde451\r\nelephant.dat            2b6928101efa6ededc7da18e7894866710c10794b8cbaf43b48c721e9731c41a\r\ncaption.dat             6d790df4a2c81e104db10f5e47eb663ca520a456b1305e74f18b2f20758ea4e1\r\nshellcode - stage 3     1c4cd06ebece62c796ea517bf26cc869fa71213d17e30feb0f91c8a4cfa7ef1b\r\nRokRat - final payload  09a4adef9a7374616851e5e2a7d9539e1b9808e153538af94ad1d6d73a3a1232\r\nSource: https://zw01f.github.io/malware%20analysis/apt37/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zw01f.github.io/malware%20analysis/apt37/"
	],
	"report_names": [
		"apt37"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/809d2511cc72fc1d1433cc2fa5d9736013637b33.pdf",
		"text": "https://archive.orkl.eu/809d2511cc72fc1d1433cc2fa5d9736013637b33.txt",
		"img": "https://archive.orkl.eu/809d2511cc72fc1d1433cc2fa5d9736013637b33.jpg"
	}
}