Reaper, APT 37, Ricochet Chollima, ScarCruft
Archived: 2026-04-05 21:13:57 UTC

APT group: Reaper, APT 37, Ricochet Chollima, ScarCruft

Names
Reaper (FireEye)
TEMP.Reaper (FireEye)
APT 37 (Mandiant)
Ricochet Chollima (CrowdStrike)
ScarCruft (Kaspersky)
Cerium (Microsoft)
Group 123 (Talos)
Red Eyes (AhnLab)
Geumseong121 (ESRC)
Venus 121 (ESRC)
Hermit (Tencent)
InkySquid (Volexity)
ATK 4 (Thales)
ITG10 (IBM)
Ruby Sleet (Microsoft)
Crooked Pisces (Palo Alto)
Moldy Pisces (Palo Alto)
Osmium (Microsoft)
Opal Sleet (Microsoft)
TA-RedAnt (AhnLab)
G0067 (MITRE)

Country: North Korea
Sponsor: State-sponsored
Motivation: Information theft and espionage
First seen: 2012

Description
Some research organizations link this group to Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(FireEye) Read our report, APT37 (Reaper): The Overlooked North Korean Actor, to learn more about our assessment actor is working on behalf of the North Korean government, as well as various other details about their operations:
• Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, in chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
• Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises targeted cyberespionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
• Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adob group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into o
• Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avo The group has shown increasing sophistication by improving their operational security over time.
• Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espion APT37 also has access to destructive malware.

Observed
Sectors: Aerospace, Automotive, Chemical, Education, Financial, Government, Healthcare, High-Tech, Manufacturing Technology, Transportation.
Countries: Cambodia, China, Czech, Hong Kong, India, Japan, Kuwait, Laos, Nepal, Poland, Romania, Russia, South K Thailand, UK, USA, Vietnam.

Tools used
BLUELIGHT, CARROTBALL, CARROTBAT, Cobalt Strike, CORALDECK, DOGCALL, Dolphin, Erebus, Final1st Loader, GELCAPSULE, GOLDBACKDOOR, GreezeBackdoor, HAPPYWORK, KARAE, KevDroid, Konni, MILKD N1stAgent, NavRAT, Nokki, Oceansalt, PoohMilk Loader, POORAIM, RokRAT, RICECURRY, RUHAPPY, ScarCruf SHUTTERSPEED, SLOWDRIFT, SOUNDWAVE, Syscon, VeilShell, WINERACK, ZUMKONG and several 0-day F Office exploits.

Operations performed
2012 Spying on South Korean users.

2016 Operation “Erebus”

Mar 2016 Operation “Daybreak”
  Target: High profile victims.
  Method: Previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deplo zero day exploit, CVE-2016-0147, which was patched in April.
  Note: not the same operation as DarkHotel’s Operation “Daybreak”.

Aug 2016 Operation “Golden Time”
  Target: South Korean users.
  Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangu

Nov 2016 Operation “Evil New Year”
  Target: South Korean users.
  Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangu

Mar 2017 Operation “Are You Happy?”
  Target: South Korean users.
  Method: Not only to gain access to the remote infected systems but to also wipe the first sectors of the de

May 2017 Operation “FreeMilk”
  Target: Several non-Korean financial institutions.
  Method: A malicious Microsoft Office document, a deviation from their normal use of Hancom documen

Nov 2017 Operation “North Korean Human Right”
  Target: South Korean users.
  Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangu

Dec 2017 Operation “Fractured Block”

Jan 2018 Operation “Evil New Year 2018”
  Target: South Korean users.
  Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangu

Mar 2018 Operation “Battle Cruiser”

Apr 2018 Operation “Star Cruiser”

May 2018 Operation “Onezero”

Aug 2018 Operation “Rocket Man”

Jan 2019 Operation “Holiday Wiper”

Mar 2019 Operation “Golden Bird”

Mar 2019 Operation “High Expert”

Apr 2019 Operation “Black Banner”

Jul 2019 Operation “Fractured Statue”

Sep 2019 Operation “Dragon messenger”

Jan 2020 North Korean APT used VBA self decode technique to inject RokRat

Mar 2020 Operation “Spy Cloud”

Dec 2020 North Korean software supply chain attack targets stock investors

Mar 2021 ScarCruft surveilling North Korean defectors and human rights activists

Apr 2021 North Korean APT InkySquid Infects Victims Using Browser Exploits

Apr 2021 Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

Dec 2021 North Korean hackers target Russian diplomats using New Year greetings

Jan 2022 KONNI evolves into stealthier RAT

Mar 2022 The ink-stained trail of GOLDBACKDOOR

Mar 2022 Lookout Discovers New Spyware by North Korean APT37
  engineering-company/>

Jul 2022 Operation “STIFF#BIZON”
  The Securonix Threat Research (STR) team has been observing and investigating a new attack campaign high-value targets, including Czech Republic, Poland, and other countries.

Sep 2022 Meeting the “Ministrer”

Oct 2022 Internet Explorer 0-day exploited by North Korean actor APT37

Feb 2023 HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)

Mar 2023 CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)

Apr 2023 RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)

Apr 2023 ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea

May 2023 Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEye

May 2023 RedEyes Group Wiretapping Individuals (APT37)

Jul 2023 Operation “STARK#MULE”
  Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document L

Sep 2023 Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)

Sep 2023 RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release

Dec 2023 Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)

Dec 2023 ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals

Aug 2024 AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-381

Sep 2024 Kimsuky-linked hackers use similar tactics to attack Russia and South Korea, researchers say

Sep 2024 Operation “SHROUDED#SLEEP”
  SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia

Mar 2025 Operation “ToyBox Story”
  Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea ToyBox Story)

Counter operations
Dec 2019 On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to di cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our c against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court or Microsoft to take control of 50 domains that the group uses to conduct its operations.

Information
MITRE ATT&CK
Playbook

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=be6e7cee-7c2c-4298-941d-01b2106284e6