APT37 Threat Actor Profile
APT37, also tracked as Reaper, ScarCruft, Group123 and Ricochet Chollima, is a North Korean advanced persistent threat (APT) group that has been active since at least 2012. The group is state-sponsored and focused on cyber espionage: it relies on spear phishing with weaponized documents and, unusually for a group of its size, repeated use of zero-day exploits to gain initial access. Its targeting serves North Korea's strategic interests in defense, security and surveillance, historically concentrated on South Korea and later extended to Japan, Vietnam and the Middle East.
Country of Origin: North Korea
APT37 TTPs
Tactics
APT37's primary objective is cyber espionage: stealing sensitive government, military and industry data and surveilling North Korean defectors, activists and journalists. Secondary goals include occasional disruption through destructive payloads and whatever else advances North Korean geopolitical interests at the time.
Techniques
APT37 relies on spear phishing with malicious attachments, exploiting vulnerabilities in software its South Korean targets use daily, notably Microsoft Office and the Hangul Word Processor (HWP), including Encapsulated PostScript (EPS) exploits embedded in HWP files. It also runs watering hole attacks by compromising websites frequented by the communities it targets.
Procedures
The group's procedures center on custom malware families such as ROKRAT, BLUELIGHT and DOLPHIN for remote access and data exfiltration. ROKRAT in particular uses legitimate cloud storage services (pCloud, Yandex Disk, Dropbox and Box) as its command-and-control and exfiltration channel, so its traffic blends in with ordinary HTTPS. APT37 has repeatedly exploited zero-day vulnerabilities in Internet Explorer and Adobe Flash, and layers obfuscation, multi-stage loaders and DLL side-loading onto its payloads to evade detection.
Notable Cyberattacks
Key activity includes the 2017 operations documented in FireEye's 2018 report, which named the group Reaper and highlighted its unusually frequent use of zero-day exploits. Notable operations also include the early-2018 exploitation of the Adobe Flash zero-day CVE-2018-4878 against South Korean targets, the BLUELIGHT and DOLPHIN campaigns publicly documented in 2021 and 2022 that used browser exploits and watering holes against South Korean victims, and 2023 campaigns that delivered ROKRAT via malicious LNK files to think tanks and researchers working on North Korean affairs.
Law Enforcement & Arrests
To date, there are no publicly reported arrests or enforcement actions specifically targeting APT37 operatives. Operating from within North Korea under state direction, the group is effectively beyond the reach of arrest or extradition.
How to Defend Against APT37
Patch promptly, prioritizing browsers, Adobe products and document software (Microsoft Office, HWP), since these are the applications APT37 has exploited with both n-day and zero-day bugs.
Disable Office macros and block other risky attachment types (LNK, HTA, script files) at the mail gateway and on endpoints.
Monitor network traffic to consumer cloud storage services (pCloud, Dropbox, Box, Yandex) and alert when a process that is not a sanctioned sync client or browser talks to them; this is how ROKRAT hides its command-and-control and exfiltration.
Segment the network so that access between critical systems is limited, containing lateral movement if a workstation is compromised.
Deploy endpoint detection capable of identifying DLL side-loading, registry-based persistence and suspicious process chains (for example, a document viewer spawning PowerShell).
Train users, especially those in government, defense and North Korea-focused research, to recognize the topical, highly tailored spear phishing lures APT37 uses.
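As an added example, and not part of the Huntress profile or any Huntress product, the following Python script implements two of the detections recommended above as rules over Sysmon-style events: cloud storage contact from a process that is not a sanctioned sync client or browser, and an unsigned DLL loaded from a user-writable directory that either carries a commonly hijacked name or sits next to the loading executable. The field names follow the Sysmon schema (Event ID 3 for network connections, Event ID 7 for image loads); the events, the cloud storage domain list, the process allowlist and the hijack-prone DLL names are all constructed assumptions to be tuned for your environment.

```python
import re
from dataclasses import dataclass

# Assumed: consumer cloud storage domains that APT37 tooling such as ROKRAT has used
# for C2 and exfiltration. Extend for your environment.
CLOUD_STORAGE_DOMAINS = ("pcloud.com", "dropbox.com", "dropboxapi.com",
                         "box.com", "yandex.net", "yandex.ru")
# Assumed allowlist: processes that are expected to talk to those services.
CLOUD_ALLOWED_PROCESSES = {"dropbox.exe", "pcloud.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed: DLL names frequently planted for search-order hijacking / side-loading.
HIJACK_PRONE_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll",
                     "msimg32.dll", "userenv.dll", "wtsapi32.dll"}
# Directories a standard user can write to on Windows.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    image: str
    detail: str


def _dirname_and_base(path):
    """Split a Windows path into (lowercased directory, lowercased file name)."""
    head, _, base = path.rpartition("\\")
    return head.lower(), base.lower()


def rule_cloud_storage_from_unexpected_process(ev):
    """Sysmon Event ID 3 (network connection): flag a cloud storage destination
    reached by anything other than an allowlisted sync client or browser."""
    if ev.get("EventID") != 3:
        return None
    dest = ev.get("DestinationHostname", "").lower()
    if not any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
        return None
    _, proc = _dirname_and_base(ev["Image"])
    if proc in CLOUD_ALLOWED_PROCESSES:
        return None
    return Finding("cloud_storage_from_unexpected_process", ev["Computer"], ev["Image"],
                   f"{proc} -> {dest}:{ev.get('DestinationPort')}")


def rule_dll_sideload(ev):
    """Sysmon Event ID 7 (image load): flag an unsigned DLL loaded from a
    user-writable directory when it has a hijack-prone name or is co-located
    with the loading executable. The co-location test is noisy for per-user
    installed applications, so allowlist those in production."""
    if ev.get("EventID") != 7:
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    loaded = ev["ImageLoaded"]
    if not USER_WRITABLE.search(loaded):
        return None
    load_dir, dll = _dirname_and_base(loaded)
    exe_dir, _ = _dirname_and_base(ev["Image"])
    if dll in HIJACK_PRONE_DLLS or load_dir == exe_dir:
        return Finding("dll_sideload", ev["Computer"], ev["Image"], f"loaded unsigned {loaded}")
    return None


RULES = (rule_cloud_storage_from_unexpected_process, rule_dll_sideload)


def hunt(events):
    """Run every rule over every event and return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed sample telemetry (not real logs); only events 1, 5 and 7 should fire.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS-0412", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.pcloud.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-0412", "Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "DestinationHostname": "client.dropbox.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-0098", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "app.box.com", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS-0098", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationHostname": "officecdn.microsoft.com", "DestinationPort": 443},
    {"EventID": 7, "Computer": "WS-0412", "Image": r"C:\Users\jdoe\AppData\Local\Temp\Viewer\Viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\Viewer\version.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "WS-0412", "Image": r"C:\Program Files\Contoso\Contoso.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Computer": "WS-0098", "Image": r"C:\Users\alee\AppData\Roaming\Notes\notes.exe",
     "ImageLoaded": r"C:\Users\alee\AppData\Roaming\Notes\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.computer}: {f.image} ({f.detail})")
```

The process allowlist is what keeps the cloud storage rule useful: alerting on every connection to Dropbox is noise, while PowerShell or a document viewer reaching pCloud is exactly the shape of ROKRAT activity. Feed the rules from your SIEM's Sysmon or EDR telemetry rather than the constructed list, and review co-location hits from per-user application directories before treating them as side-loading.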
Huntress provides enterprise-grade ITDR protection and Microsoft monitoring services to monitor and mitigate threats like APT37, helping organizations secure their environments with real-time detection and remediation capabilities.