{
	"id": "050d662b-0d3a-48bf-ba43-dd2e99ac59af",
	"created_at": "2026-04-06T00:09:44.293594Z",
	"updated_at": "2026-04-10T03:38:06.314884Z",
	"deleted_at": null,
	"sha1_hash": "9b5c40b8240164f3b0308b8066d3d67a95a33ec5",
	"title": "APT37 (Reaper) | The Overlooked North Korean Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48163,
	"plain_text": "APT37 (Reaper) | The Overlooked North Korean Threat Actor\r\nBy Mandiant\r\nPublished: 2018-02-20 · Archived: 2026-04-05 13:44:57 UTC\r\nOn Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878)\r\nby a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).\r\nOur analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and\r\nsophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware. We assess with\r\nhigh confidence that this activity is carried out on behalf of the North Korean government given malware\r\ndevelopment artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence\r\nbelieves that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.\r\nRead our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment that\r\nthis threat actor is working on behalf of the North Korean government, as well as various other details about their\r\noperations:\r\nTargeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry\r\nverticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.\r\nInitial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web\r\ncompromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to\r\ndistribute malware more indiscriminately.\r\nExploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as\r\nwell as Adobe Flash. 
The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and\r\nthe ability to incorporate them into operations.\r\nCommand and Control Infrastructure: Compromised servers, messaging platforms, and cloud service\r\nproviders to avoid detection. The group has shown increasing sophistication by improving their operational\r\nsecurity over time.\r\nMalware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware\r\nused for espionage purposes, APT37 also has access to destructive malware.\r\nMore information on this threat actor is found in our report, APT37 (Reaper): The Overlooked North Korean\r\nActor. You can also register for our upcoming webinar for additional insights into this group.\r\nDownload Now\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nhttps://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html\r\nPage 1 of 2\n\nSource: https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html\r\nhttps://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html"
	],
	"report_names": [
		"apt37-overlooked-north-korean-actor.html"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operation Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b5c40b8240164f3b0308b8066d3d67a95a33ec5.pdf",
		"text": "https://archive.orkl.eu/9b5c40b8240164f3b0308b8066d3d67a95a33ec5.txt",
		"img": "https://archive.orkl.eu/9b5c40b8240164f3b0308b8066d3d67a95a33ec5.jpg"
	}
}