Threat Actor Profile
APT37 Threat Actor Profile
APT37, also known as Reaper or ScarCruft, is a North Korean advanced persistent threat (APT) group that has been active since at least 2012. This state-sponsored group focuses heavily on cyber espionage, leveraging spear phishing and advanced zero-day exploits to infiltrate targets. APT37 supports North Korea’s strategic goals, specifically in defense, security, and surveillance within both regional and global contexts.
Country of Origin
APT37 originates from North Korea and is widely believed to operate under the Reconnaissance General Bureau (RGB), the nation’s intelligence agency responsible for cyber warfare. Their operations align with North Korea’s geopolitical and military strategies.
Members
The exact size and composition of APT37 are unknown. Reports suggest that its members include highly skilled operatives specializing in malware development, exploit crafting, and intelligence gathering. The group operates using several aliases, including Reaper, Ricochet Chollima, and ScarCruft.
Leadership
Specific leaders of APT37 remain unidentified. However, it is presumed that the group operates with direct oversight from the North Korean government under the RGB, emphasizing its role as a state-sponsored unit.
APT37 TTPs
Tactics
APT37’s primary objectives involve cyber espionage aimed at stealing sensitive data and surveilling dissidents. Secondary goals include occasional disruption through destructive attacks and supporting North Korean geopolitical interests.
Techniques
APT37 employs highly sophisticated techniques, such as spear phishing with malicious attachments, leveraging vulnerabilities in popular software like Microsoft Office and Hangul Word Processor, and watering hole attacks targeting websites of interest to victims.
Procedures
The group’s procedures include utilizing custom malware families like ROKRAT, BLUELIGHT, and DOLPHIN for remote access and data exfiltration. They also exploit zero-day vulnerabilities in software like Internet Explorer and Adobe Flash, frequently implementing obfuscation techniques to evade detection.
Notable Cyberattacks
Key attacks include the 2017 “Zero-Day Reaper” campaign, which revealed the group’s advanced use of zero-day exploits. Notable operations also include the 2018 Adobe Flash vulnerability attack (CVE-2018-4878) and a 2023 campaign targeting security researchers and think tanks using BLUELIGHT and DOLPHIN malware.
Law Enforcement & Arrests
To date, there are no publicly reported arrests or enforcement actions specifically targeting APT37 operatives. Its close ties to the North Korean government provide the group with operational protections.
How to Defend Against
Patch systems and software promptly to close the vulnerabilities APT37 exploits, especially in browsers and document tools.
Disable macros and other risky file executions in email attachments.
Implement network monitoring to detect unusual traffic to cloud storage services.
Enforce network segmentation standards: limit access between critical systems to contain any lateral movement.
Deploy advanced endpoint protection tools to identify and mitigate DLL side-loading, registry persistence, and malicious processes.
Enhance user awareness training to recognize spear phishing attempts targeting sensitive industries.
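The network monitoring recommendation above is easier to act on with a concrete rule. The following Python script is an added example, not Huntress's tooling or code from the original profile: it reads proxy log lines, aggregates outbound bytes per workstation to a list of cloud-storage domains, and flags hosts that are not approved to sync and either exceed a volume threshold or use a non-browser user agent. The log format, domain names, approved-host list and threshold are all constructed placeholders for illustration.

```python
"""
Added example (not from the original profile): flag workstations sending
unusual traffic to cloud-storage services, one of the monitoring controls
listed above. All log lines, domains, hosts and thresholds are constructed.
"""
import re
from collections import defaultdict

# Hypothetical cloud-storage endpoints an organisation would watch.
CLOUD_STORAGE_DOMAINS = {"files.example-cloud.test", "api.example-cloud.test"}
# Hypothetical workstations that legitimately sync to cloud storage.
APPROVED_SYNC_HOSTS = {"ws-mkt-02"}
# Outbound volume per (host, domain) above which we raise a finding.
VOLUME_THRESHOLD_BYTES = 1 * 1024 * 1024

# Constructed proxy log: timestamp src_host method dest_domain bytes_out "user_agent"
CONSTRUCTED_PROXY_LOG = """\
2024-05-01T09:12:01Z ws-fin-07 POST files.example-cloud.test 5242880 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T09:13:44Z ws-mkt-02 POST files.example-cloud.test 8388608 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T09:14:10Z ws-hr-03 GET www.example-news.test 2048 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T09:15:27Z ws-hr-03 POST api.example-cloud.test 120000 "-"
2024-05-01T09:16:05Z ws-fin-07 POST files.example-cloud.test 3145728 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T09:17:52Z ws-eng-11 GET files.example-cloud.test 4096 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<domain>\S+) '
    r'(?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


def parse_proxy_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def looks_like_browser(user_agent):
    """Crude check: interactive browser traffic carries a Mozilla/ prefix."""
    return user_agent.startswith("Mozilla/")


def find_suspicious_cloud_uploads(text, threshold=VOLUME_THRESHOLD_BYTES,
                                  approved=APPROVED_SYNC_HOSTS,
                                  cloud_domains=CLOUD_STORAGE_DOMAINS):
    """Return findings for unapproved hosts talking to cloud storage."""
    volume = defaultdict(int)        # (host, domain) -> outbound bytes
    odd_agents = defaultdict(set)    # (host, domain) -> non-browser user agents
    for ev in parse_proxy_log(text):
        if ev["domain"] not in cloud_domains or ev["host"] in approved:
            continue
        key = (ev["host"], ev["domain"])
        if ev["method"] in ("POST", "PUT"):
            volume[key] += ev["bytes"]
        if not looks_like_browser(ev["ua"]):
            odd_agents[key].add(ev["ua"])

    findings = []
    for key in sorted(set(volume) | set(odd_agents)):
        reasons = []
        if volume[key] >= threshold:
            reasons.append(f"outbound volume {volume[key]} bytes >= {threshold}")
        for ua in sorted(odd_agents[key]):
            reasons.append(f"non-browser user agent {ua!r}")
        if reasons:
            findings.append({"host": key[0], "domain": key[1],
                             "bytes_out": volume[key], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_cloud_uploads(CONSTRUCTED_PROXY_LOG):
        print(finding)
```

On the constructed log this yields two findings: ws-fin-07, whose two uploads total 8 MiB to an unapproved destination, and ws-hr-03, whose small upload is flagged because the user agent is not a browser. The approved sync host and the workstation that only downloaded a few kilobytes are left alone; in production the domain list and approved hosts would come from the organisation's own inventory.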
Huntress provides enterprise-grade ITDR protection and Microsoft monitoring services to monitor and mitigate threats like APT37, helping organizations secure their environments with real-time detection and remediation capabilities.