{ "id": "83ebb7cb-2b7f-4e0c-9e95-6f20453fbda0", "created_at": "2026-04-06T00:17:52.234653Z", "updated_at": "2026-04-10T13:12:08.208462Z", "deleted_at": null, "sha1_hash": "af4f41e1e3097e46a2c3eb7691da949ff289f791", "title": "Ricochet Chollima Adversary Profile | CrowdStrike", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1031343, "plain_text": "Ricochet Chollima Adversary Profile | CrowdStrike\r\nArchived: 2026-04-05 19:35:44 UTC\r\nDiscover the adversaries targeting your industry\r\n Back to Adversary Universe\r\nRICOCHET CHOLLIMA is a Democratic Peoples’ Republic of Korea (DPRK)-nexus targeted intrusion adversary\r\nthat has been involved in espionage operations since at least 2016. RICOCHET CHOLLIMA’s observed\r\noperations have almost exclusively targeted the Republic of Korea (ROK) and are assessed to be focused on ROK\r\ngovernment officials, non-governmental organizations (NGOs), academics, journalists, and D...\r\nhttps://www.crowdstrike.com/adversaries/ricochet-chollima/\r\nPage 1 of 3\n\nRicochet Chollima\r\nNorth Korea, East Asia, Asia\r\nCommunity Identifiers\r\nScarCruft, APT37, Group123, Venus121, Inky Squid, Moldy Pisces, TA-RedAnt, Pearl Sleet, Red Eyes, ITG10\r\nObjective\r\nIntelligence Gathering\r\nMotivation\r\nState-Sponsored\r\nWho's targeting your industry?\r\nToday's adversaries are faster, smarter, and better resourced. Know who they are and how to stop them.\r\nView adversaries\r\nhttps://www.crowdstrike.com/adversaries/ricochet-chollima/\r\nPage 2 of 3\n\nCrowdStrike 2025 Threat Hunting Report\r\nAdversaries weaponize and target AI at scale.\r\nSource: https://www.crowdstrike.com/adversaries/ricochet-chollima/\r\nhttps://www.crowdstrike.com/adversaries/ricochet-chollima/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://www.crowdstrike.com/adversaries/ricochet-chollima/" ], "report_names": [ "ricochet-chollima" ], "threat_actors": [ { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-10T02:00:05.327922Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6b344633-90b3-416a-ae54-fb69dd2f833e", "created_at": "2024-02-02T02:00:04.023636Z", "updated_at": "2026-04-10T02:00:03.528581Z", "deleted_at": null, "main_name": "Pearl Sleet", "aliases": [ "DEV-0215", "LAWRENCIUM" ], "source_name": "MISPGALAXY:Pearl Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-10T02:00:04.867181Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434672, "ts_updated_at": 1775826728, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/af4f41e1e3097e46a2c3eb7691da949ff289f791.pdf", "text": "https://archive.orkl.eu/af4f41e1e3097e46a2c3eb7691da949ff289f791.txt", "img": "https://archive.orkl.eu/af4f41e1e3097e46a2c3eb7691da949ff289f791.jpg" } }