North Korea🇰🇵 KP34 malware familiesExploits CVEs in the wild

APT37

Also known asAPT37Group123InkySquidReaperRicochet ChollimaScarCruftTEMP.Reaper

APT37, also known as ScarCruft, Reaper, InkySquid, Ricochet Chollima, Group123, and TEMP.Reaper, is a North Korean state-sponsored threat actor linked to cyber-espionage activity. The group was first identified in 2016 and is described as targeting North Korean defectors, journalists covering North Korea-related issues, government entities, South Korean activists, media organizations, high-profile experts in North Korean affairs, and in some reporting Russian diplomatic and defense-related targets. Its operations initially focused on South Korea and later expanded to Japan, Vietnam, Russia, Nepal, and several countries in the Middle East. The reporting consistently describes APT37 as using spear-phishing for initial access, including lures impersonating Microsoft Account security notifications, cybersecurity advisories, think-tank invitations, and North Korea-related documents. Delivery methods include ZIP and RAR archives, malicious LNK shortcut files, HWP documents with embedded OLE objects, and staged batch or PowerShell scripts. Observed tradecraft includes hidden PowerShell execution, fileless or in-memory payload execution, scheduled-task persistence, victim username and system information collection, and use of HTTPS for command-and-control concealment. Malware and tooling associated with the group in the provided content include RokRAT, NarwhalRAT, FadeStealer, Chinotto, NubSpy, LightPeek, TxPyLoader, CHILLYCHINO, and VCD Ransomware. RokRAT was described in a March 2025 campaign dubbed Operation ToyBox Story targeting South Korean activists and North Korea-focused experts, using Dropbox API endpoints for command-and-control and exfiltration. NarwhalRAT was delivered through Microsoft-themed phishing and is described as a compiled Python-based RAT capable of keylogging, screenshot capture, audio recording, USB data collection, active-window collection, file upload, and remote command execution; it used Korean relay sites and the pCloud API as part of a dead-drop or multi-channel C2 architecture. Historical and related ScarCruft reporting also notes abuse of cloud and messaging services including Dropbox, pCloud, Yandex Cloud, PubNub, Ably, and Microsoft Graph API for command-and-control. The content also references a ScarCruft subgroup tracked by S2W as ChinopuNK, associated with Chinotto malware distribution and a campaign targeting South Korean users via a malicious LNK in a RAR archive. That campaign reportedly deployed a stealer, ransomware, and backdoor components, which researchers assessed as an evolution from ScarCruft’s traditionally espionage-focused activity.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration
Non-Governmental Organizations
Academia & Research
Military

Where they target

Geographies tied to known operations.

🇰🇷 South Korea

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

47 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics73 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

4 techniques

T1078

Valid Accounts

T1078.001

Default Accounts

T1190

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1195.002

Compromise Software Supply Chain

T1566

Phishing

T1566.001×5

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005×3

Scheduled Task

T1059×4

Command and Scripting Interpreter

T1059.001×2

PowerShell

T1059.003×3

Windows Command Shell

T1059.005

Visual Basic

T1059.006

Python

T1204

User Execution

T1204.002×9

Malicious File

TA0003

Persistence

3 techniques

T1053

Scheduled Task/Job

T1053.005×3

Scheduled Task

T1078

Valid Accounts

T1078.001

Default Accounts

T1547

Boot or Logon Autostart Execution

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

4 techniques

T1053

Scheduled Task/Job

T1053.005×3

Scheduled Task

T1055

Process Injection

T1078

Valid Accounts

T1078.001

Default Accounts

T1547

Boot or Logon Autostart Execution

T1547.009

Shortcut Modification

TA0005

Stealth

9 techniques

T1027×3

Obfuscated Files or Information

T1036×4

Masquerading

T1055

Process Injection

T1070

Indicator Removal

T1070.004

File Deletion

T1078

Valid Accounts

T1078.001

Default Accounts

T1140×2

Deobfuscate/Decode Files or Information

T1218

System Binary Proxy Execution

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1620×3

Reflective Code Loading

TA0006

Credential Access

3 techniques

T1056

Input Capture

T1056.001×3

Keylogging

T1539

Steal Web Session Cookie

T1555

Credentials from Password Stores

TA0007

Discovery

7 techniques

T1016

System Network Configuration Discovery

T1016.001

Internet Connection Discovery

T1033

System Owner/User Discovery

T1082×2

System Information Discovery

T1083×2

File and Directory Discovery

T1120×2

Peripheral Device Discovery

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

T1518

Software Discovery

TA0009

Collection

8 techniques

T1005

Data from Local System

T1025×2

Data from Removable Media

T1056

Input Capture

T1056.001×3

Keylogging

T1113×4

Screen Capture

T1114

Email Collection

T1115

Clipboard Data

T1123×2

Audio Capture

T1560×3

Archive Collected Data

TA0011

Command and Control

3 techniques

T1071×5

Application Layer Protocol

T1071.001

Web Protocols

T1102×2

Web Service

T1102.001×3

Dead Drop Resolver

T1105×4

Ingress Tool Transfer

TA0010

Exfiltration

2 techniques

T1041

Exfiltration Over C2 Channel

T1567

Exfiltration Over Web Service

T1567.002×2

Exfiltration to Cloud Storage

TA0040

Impact

1 technique

T1486×2

Data Encrypted for Impact

ARSENAL

Associated malware families

34 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

ROKRATThe campaign is known as Operation ToyBox Story, the malware is called RokRAT ... Their signature tool, RokRAT, is a highly sophisticated RAT (Remote Access Trojan).25Jun 26, 2026

BirdCallTrojanized game with Android BirdCall version 2.0.8May 26, 2026

FadeStealerFadeStealer : A previously documented ScarCruft-linked malware designed for data exfiltration.6Jun 25, 2026

NarwhalRATvictims unknowingly download the APT37 NarwhalRAT malware. This Python backdoor then executes directly in the system’s memory.6Jun 19, 2026

BLUELIGHTStairwell found a new malware sample named “Goldbackdoor,” which was assessed as a successor of “Bluelight.”5May 26, 2026

29 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

14 CVEs this actor has used in observed campaigns. 14 of them exploited in the wild.

CVE-2018-4878Adobe Flash Player Primetime SDK use-after-free RCEIn the wildEvidence5

Scarcruft ... Attack using Flash Zero Day (CVE-2016-4171, CVE-2018-4878)

CVE-2020-1380Internet Explorer JScript use-after-free remote code executionIn the wildEvidence3

ScarCruft exploits CVE-2020-1380 to compromise victims.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence3

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2016-4117Adobe Flash Player arbitrary code execution in 21.0.0.226 and earlierIn the wildEvidence2

APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878)...

CVE-2017-0199Microsoft Office/WordPad Remote Code Execution VulnerabilityIn the wildEvidence2

...used exploits for... Word (CVE-2017-0199)...

9 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

165 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

165 IOCsView more in app

Domains

54 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+46

hash.sha1

40 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+32

ip.v4

21 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+13

Email addresses

17 total

••••@•••••.••••••••@••••••.•••••••••@•••••••.••••••••••@••••••••.•••••••••••@•••••.•••••••@••••••.••••••••@•••••••.•••••••••@••••••••.•••+9

uri

17 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+9

hash.md5

14 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+6

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

osint team blogNews

Jun 26, 2026

The Spy Group Hiding Their Orders Inside a Dropbox Folder | by Pop123 | Jun, 2026 | OSINT Team

North Korea-linked espionage group behind Operation ToyBox Story, targeting South Korean activists and North Korea-focused individuals using phishing and the RokRAT malware with Dropbox-based command-and-control.

security online infoNews

Jun 19, 2026

APT37 NarwhalRAT Malware: A Python Backdoor Threat

Conducting a spear-phishing campaign targeting Korean users with Microsoft-themed security advisory lures to deliver the NarwhalRAT Python backdoor for espionage and information theft.

scworldNews

Jun 16, 2026

North Korean hackers use fake Microsoft alerts to deploy NarwhalRAT malware | brief | SC Media

Conducting spear-phishing campaigns impersonating Microsoft security notifications to deliver NarwhalRAT via malicious ZIP/LNK attachments and a multi-stage infection chain.

the hacker newsNews

Jun 16, 2026

Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware

Conducting spear-phishing campaigns impersonating Microsoft security alerts to deliver NarwhalRAT via ZIP archives containing malicious LNK files, using multi-stage Python-based loaders, scheduled-task persistence, in-memory execution, and multi-channel C2 including Korean relay sites and pCloud.

+195 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping47

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal34

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs14

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables165

Domains, IPs, and hashes tied to this actor, refreshed continuously.