APT37
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 16 reports, 131 attack patterns (mitre), 27 malware, 9 sectors, 9 countries, 100 indicators, 5 vulnerabilities (cve)
Aliases
InkySquid, Group123, TEMP.Reaper, Ricochet Chollima, Reaper, ScarCruft
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (16)
Attack patterns (MITRE) (131)
- T1046 uses Network Service Discovery (MITRE)
- T1140 uses Deobfuscate/Decode Files or Information (MITRE)
- T1204.001 uses Malicious Link (MITRE)
- T1547.001 uses Registry Run Keys / Startup Folder (MITRE)
- T1008 uses Fallback Channels (MITRE)
- T1090 uses Proxy (MITRE)
- T1059.006 uses Python (MITRE)
- T1056.002 uses GUI Input Capture (MITRE)
- T1555 uses Credentials from Password Stores (MITRE)
- T1125 uses Video Capture (MITRE)
- T1574 uses Hijack Execution Flow (MITRE)
- T1112 uses Modify Registry (MITRE)
Malware (27)
- FadeStealer uses (family)
- Bluelight uses (family)
- m2rat uses
- CORALDECK uses
- OpenCarrot uses
- Konni RAT uses (family)
- Chinotto uses (family)
- Final1stspy uses
- SLOWDRIFT uses
- POORAIM uses
- Dolphin uses
- RokRAT uses (family)
Sectors (9)
- Healthcare (targets)
- Defense (targets)
- Media (targets)
- Defense ministries (including the military) (targets)
- Government (targets)
- Manufacturing (targets)
- Technology (targets)
- Education (targets)
- Finance (targets)
Countries (9)
- British Indian Ocean Territory (targets)
- Korea, Republic of (targets)
- Romania (targets)
- Russian Federation (targets)
- Kuwait (targets)
- Nepal (targets)
- Japan (targets)
- China (targets)
- India (targets)
Indicators (100)
Vulnerabilities (CVE) (5)
- Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user.
  - Attack vector: LOCAL
  - Published: 03/11/2021
  - Modified: 26/02/2026
- Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile.
  - Attack vector: LOCAL
  - Complexity: LOW
  - Published: 27/04/2017
  - Modified: 22/04/2026
- Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows an unauthenticated attacker to initiate remote code execution via a specially crafted …
  - Attack vector: Network
  - Published: 13/08/2024
  - Modified: 21/12/2025
- Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution.
  - Attack vector: Network
  - Published: 08/11/2022
  - Modified: 14/01/2026
- Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability
  - Published: 15/02/2022
  - Modified: 14/05/2026