{
	"id": "23969a95-9728-4442-9418-8a33a135ca2a",
	"created_at": "2026-04-06T01:32:32.603072Z",
	"updated_at": "2026-04-10T03:38:06.528833Z",
	"deleted_at": null,
	"sha1_hash": "d39c5bdb806bb734306f86a05502bc8bd06a51f8",
	"title": "Reaper Group’s Updated Mobile Arsenal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78195,
	"plain_text": "Reaper Group’s Updated Mobile Arsenal\r\nBy Ruchna Nigam\r\nPublished: 2018-04-05 · Archived: 2026-04-06 00:27:40 UTC\r\nSummary\r\nA recent post from EST Security revealed the use of Android spyware in spear phishing email attachments linked to the North Korean Reaper group (also known as APT37, Scarcruft, Group 123 or Red Eyes), highlighting a new mobile vector added to the threat group’s toolkit.\r\nUnit 42 has looked further into EST’s findings and found a more advanced variant of the Trojan mentioned in their original article. Talos has written on this variant and named it KevDroid.\r\nThis post provides our analysis of KevDroid, as well as details on the discovery of previously unknown trojanized versions of a Bitcoin Ticker Widget and a PyeongChang Winter Games application that are downloaders for the spyware variants.\r\nBackground\r\nThe post by EST Security detailed an Android spyware disguising itself as an Anti-Virus app from Naver (the largest search and web portal service provider in South Korea). While hunting for similar samples, I came across two more versions of the same variant. One of those called home to cgalim[.]com, a domain that Palo Alto Networks had already observed being used by the Reaper group in non-mobile attacks (IOCs in Appendix).\r\nTable 1: Additional samples found for the original Android spyware variant linked to the Reaper group\r\nPivoting on artefacts from the original variant led to the discovery of a more advanced variant of the same spyware, which is described in detail further below. In addition, I also stumbled upon two Android applications that serve as downloaders for each of the two variants. They are discussed next.\r\nDownloaders\r\nWhile investigating the Reaper group’s Android spyware variants, I found two applications that have the ability to download and install an application from hxxp://cgalim.com/admin/hr/1[.]apk. I also observed the same URL serving the advanced variant of the Android spyware, confirming that these two applications served as downloaders for the Reaper group’s Android spyware. The two applications are trojanized versions of popular applications available on the Google Play Store. The two trojanized versions were not posted on Google Play.\r\nWhile both downloaders contacted the same URL to download their payloads, looking further into their code I found that they were each written to download and drop one specific variant of Reaper’s Android spyware.\r\nApp Name | Icon | SHA256 | Dropped Payload\r\nPyeongChang Winter Games | (icon) | 28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca | New variant\r\nBitcoin Ticker Widget | (icon) | 679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e | Original variant\r\nTable 2: Android downloaders used to drop spyware variants linked to the Reaper group\r\nhttps://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/\r\nPage 1 of 4\r\nBoth applications are signed with the same certificate, thereby confirming their origins from the same author(s):\r\nOwner: CN=Jhon Phalccon, OU=Google Chrome, O=Google Chrome, L=Washington, ST=US, C=US\r\nIssuer: CN=Jhon Phalccon, OU=Google Chrome, O=Google Chrome, L=Washington, ST=US, C=US\r\nSerial number: 7b320fab\r\nValid from: Wed Jan 24 10:22:50 GMT 2018 until: Sun Jun 11 10:22:50 GMT 2045\r\nOnce these downloaders are installed, they display a message prompting the user to update the application. If the user follows the prompts, the downloader retrieves the payload and saves it to the external device memory as AppName.apk. The payload is then loaded, prompting the user again to confirm its installation before it is finally installed on the device. The next section provides an analysis of the newer, more advanced variant of these payloads.\r\nAdvanced Variant Analysis\r\nThe following sample was used for this analysis:\r\nApp Name | Icon | SHA256\r\nPU | (Blank) | 990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209\r\nTable 3: New Android spyware variant discovered, linked to the Reaper group\r\nThis sample has the following abilities:\r\n- Record video (default duration is 10 mins)\r\n- Record audio (default duration is 5 mins, saved as 48_d[TS].amr)\r\n- Capture screenshots (saved as 96_d[TS].jpg)\r\n- Grab the phone’s file listing (saved as 128_d[TS].txt)\r\n- Fetch specific files\r\n- Download a list of commands\r\n- Get device info - 64-bit Android ID, Phone number, System Properties etc. (saved as 208_d[TS].json)\r\n- Rooting the device, using a binary called ‘poc’ in the package assets\r\nAdditionally, this advanced variant is capable of exfiltrating:\r\n- Voice recordings from incoming and outgoing calls (saved as _p[Ph]_in_[D].amr or _p[Ph]_out_[D].amr)\r\n- Call logs (saved as 16_d[TS].json)\r\n- SMS history (saved as 32_d[TS].json)\r\n- Contact lists (saved as 144_d[TS].json)\r\n- Information on registered accounts on the phone (saved as 160_d[TS].json)\r\nIn each of these cases, [TS] is the current timestamp in the format yyyyMMddkkmmss, [Ph] is the source or destination phone number for a call, and [D] is the call duration.\r\nWhile these exfiltration capabilities are shared with the original variant, this new variant writes its own call recording library as opposed to using the open source library that was used by its predecessor.\r\nAll exfiltrated information is written to the directory /sdcard/_pu on the phone and sent to hxxp://hakproperty.com/new/plat/pu[.]php?do=upload.\r\nBefore transmission, the files are AES-encrypted using the key “08D03B0B6BE7FBCD”. This encryption scheme and key are consistent across the two variants.\r\nPost-encryption, the files are renamed with the addition of a suffix ‘x’. All created files are deleted after they are sent to the upload server.\r\nWhen commanded to fetch a list of commands, the list is fetched from:\r\nhxxp://hakproperty.com/new/plat/pu[.]php?do=download_rc\u0026aid=\" + [64-bit android_id]\r\nConclusion\r\nThe emergence of a new attack vector, followed by the appearance of new variants disguising themselves as currently relevant applications like the Winter Olympics, indicates expanding operations of the Reaper group that are actively in development.\r\nPalo Alto Networks customers benefit from the following protections against these attacks:\r\n1. AutoFocus customers can track the group’s activity using the Reaper tag.\r\n2. WildFire detects all related samples with malicious verdicts.\r\n3. Traps blocks all malicious files associated with this group.\r\nIOCs\r\nReaper Downloader APK samples\r\n28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca\r\n679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e\r\nAdvanced Variant sample\r\n990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209\r\nNon-APK Reaper-related samples making use of cgalim[.]com\r\n0de087ffb95c88a65e83bd99631d73d0176220e8b740785de78d2d79294f2303\r\n6b1f2dfe805fa0e27139c5a4840042599262dbbf4511a118d3fba3d4ec35f2d7\r\n86887ce368d9a3e7fdf9aa62418cd68daeea62269d17afb059ab64201047e378\r\nd29895aa3f515ec9e345b05882ee02033f75745b15348030803f82372e83277a\r\nd5de09cc5d395919d2d2000f79326a6997f4ec079879b11b05c4d1a1a847ed00\r\nSource: https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/"
	],
	"report_names": [
		"unit42-reaper-groups-updated-mobile-arsenal"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439152,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d39c5bdb806bb734306f86a05502bc8bd06a51f8.pdf",
		"text": "https://archive.orkl.eu/d39c5bdb806bb734306f86a05502bc8bd06a51f8.txt",
		"img": "https://archive.orkl.eu/d39c5bdb806bb734306f86a05502bc8bd06a51f8.jpg"
	}
}