{
	"id": "3437febf-0da5-4b3f-9e22-894e90059b01",
	"created_at": "2026-04-06T00:22:10.854112Z",
	"updated_at": "2026-04-10T03:38:06.69492Z",
	"deleted_at": null,
	"sha1_hash": "afbbddaea4f11c3657c5de1a201deeccd5c30347",
	"title": "RedEyes hackers use new malware to steal data from Windows, phones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1558832,
	"plain_text": "RedEyes hackers use new malware to steal data from Windows, phones\r\nBy Bill Toulas\r\nPublished: 2023-02-14 · Archived: 2026-04-05 13:52:01 UTC\r\nThe APT37 threat group uses a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.\r\nAPT37, also known as 'RedEyes' or 'ScarCruft,' is a North Korean cyber espionage hacking group believed to be state-supported.\r\nIn 2022, the hacking group was seen exploiting Internet Explorer zero-days and distributing a wide assortment of malware against targeted entities and individuals.\r\nFor example, the threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT (remote access trojan) called 'Konni,' and targeted U.S. journalists with a highly customizable malware named 'Goldbackdoor.'\r\nIn a new report released today by AhnLab Security Emergency response Center (ASEC), researchers explain how APT37 is now using a new malware strain called 'M2RAT' that uses a shared memory section for commands and data exfiltration and leaves very few operational traces on the infected machine.\r\nStarts with phishing\r\nThe recent attacks observed by ASEC started in January 2023, when the hacking group sent phishing emails containing a malicious attachment to their targets.\r\nOpening the attachment triggers the exploitation of an old EPS vulnerability (CVE-2017-8291) in the Hangul word processor commonly used in South Korea. The exploit causes shellcode to run on the victim's computer that downloads and executes a malicious executable stored within a JPEG image.\r\nThis JPG image file uses steganography, a technique that allows hiding code inside files, to stealthily introduce the M2RAT executable (\"lskdjfei.exe\") onto the system and inject it into \"explorer.exe.\"\r\nMalware code hiding in the JPEG file (ASEC)\r\nFor persistence on the system, the malware adds a new value (\"RyPO\") in the \"Run\" Registry key, with commands to execute a PowerShell script via \"cmd.exe.\" This same command was also seen in a 2021 Kaspersky report about APT37.\r\nAPT37 attack flow (ASEC)\r\nM2RAT steals from Windows and phones\r\nThe M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and the taking of screenshots from the desktop.\r\nThe screenshot-snapping function is activated periodically and works autonomously without requiring a specific operator command.\r\nThe malware supports the following commands, which collect information from the infected device and then send it back to the C2 server for the attackers to review.\r\nSupported CMD commands (ASEC)\r\nThe malware's ability to scan for portable devices connected to the Windows computer, such as smartphones or tablets, is particularly interesting.\r\nIf a portable device is detected, it will scan the device's contents for documents and voice recording files and, if found, copy them to the PC for exfiltration to the attacker's server.\r\nBefore exfiltration, the stolen data is compressed in a password-protected RAR archive, and the local copy is wiped from memory to eliminate any traces.\r\nAnother interesting feature of M2RAT is that it uses a shared memory section for command and control (C2) communication, data exfiltration, and the direct transfer of stolen data to the C2 without storing it on the compromised system.\r\nUsing a memory section on the host for the above functions minimizes the exchange with the C2 and makes analysis harder, as security researchers have to analyze the memory of infected devices to retrieve the commands and data used by the malware.\r\nIn conclusion, APT37 continues to refresh its custom toolset with evasive malware that is challenging to detect and analyze.\r\nThis is especially true when the targets are individuals, like in the recent campaign spotted by ASEC, who lack larger organizations' sophisticated threat detection tools.\r\nSource: https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/"
	],
	"report_names": [
		"redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37",
				"ATK4",
				"Group 123",
				"InkySquid",
				"Moldy Pisces",
				"Operation Daybreak",
				"Operation Erebus",
				"RICOCHET CHOLLIMA",
				"Reaper",
				"ScarCruft",
				"TA-RedAnt",
				"Venus 121"
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afbbddaea4f11c3657c5de1a201deeccd5c30347.pdf",
		"text": "https://archive.orkl.eu/afbbddaea4f11c3657c5de1a201deeccd5c30347.txt",
		"img": "https://archive.orkl.eu/afbbddaea4f11c3657c5de1a201deeccd5c30347.jpg"
	}
}