APT37
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 16 reports, 131 attack patterns (MITRE), 27 malware, 9 sectors, 9 countries, 100 indicators, 5 vulnerabilities (CVE)
Aliases
InkySquid, Group123, TEMP.Reaper, Ricochet Chollima, Reaper, ScarCruft
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (16)
12 of 16 shown; each entry gives the source where the platform displays one, then the counts of linked entities.
- AlienVault, confidence 100: 19 MITRE techniques, 2 malware, 12 IOCs, 12 observables, 1 APT
- 1 CVE, 1 malware, 6 observables, 1 APT
- 21 MITRE techniques, 2 malware, 9 observables, 1 APT
- AlienVault, confidence 100: 21 MITRE techniques, 1 malware, 11 IOCs, 11 observables, 1 APT
- 3 observables, 1 APT
- 9 MITRE techniques, 1 malware, 1 APT
- 12 MITRE techniques, 3 malware, 1 observable, 1 APT
- 6 MITRE techniques, 1 malware, 1 APT
- 1 APT
- 18 MITRE techniques, 1 observable, 1 APT
- 2 malware, 1 APT
- 10 MITRE techniques, 1 malware, 1 APT
Attack patterns (MITRE) (131)
12 of 131 shown; every entry is a "uses" relationship sourced from MITRE ATT&CK.
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1082 System Information Discovery
- T1120 Peripheral Device Discovery
- T1547 Boot or Logon Autostart Execution
- T1010 Application Window Discovery
- T1106 Native API
- T1036.001 Invalid Code Signature
- T1087.001 Local Account
- T1083 File and Directory Discovery
- T1588.001 Malware
- T1585 Establish Accounts
Malware (27)
12 of 27 shown; every entry is a "uses" relationship. "Family" marks entities typed as a malware family rather than a single sample. The first-seen/last-seen fields on the AlienVault-sourced entries hold placeholder values (01/01/1970 and 16/11/5138, the epoch and a far-future sentinel) and carry no real dates.
- FadeStealer (AlienVault, confidence 100; first/last seen not set)
- Bluelight (family)
- m2rat
- CORALDECK
- OpenCarrot
- Konni RAT (family)
- Chinotto (AlienVault, confidence 100; first/last seen not set)
- Final1stspy
- SLOWDRIFT
- POORAIM
- Dolphin
- RokRAT (family)
Sectors (9)
All entries are "targets" relationships.
- Healthcare
- Defense
- Media
- Defense ministries (including the military)
- Government
- Manufacturing
- Technology
- Education
- Finance
Countries (9)
All entries are "targets" relationships.
- British Indian Ocean Territory
- Korea, Republic of
- Romania
- Russian Federation
- Kuwait
- Nepal
- Japan
- China
- India
Indicators (100)
10 of 100 shown; each is an "indicates" relationship. The status line the platform prints beside an indicator (pattern type, score, revocation, validity window, source) survived only for some entries and is kept under the entry it followed; two status lines arrived without their indicator value. Every captured status line is marked Revoked, so treat these values as historical: check an indicator's current status and validity in the platform before putting it into a blocklist or detection rule.
- www.roofcolor.com (domain)
  stix · 100/100 · Revoked · Valid until 20/06/2024 · Source: AlienVault
- f1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24 (SHA-256)
- a3ce6ebe702b7938867d6685ff23fbf9b34f534bffe2fcf54e96c9ff64979c60 (SHA-256)
- 35ea90ba0d75a758abec880413c3f87d171bf34d93465fa868e6a09e5058daaf (SHA-256)
  stix · 100/100 · Revoked · Valid until 20/06/2024 · Source: AlienVault
- mailcorp.center (domain)
- 8ba472a4b33e5bbdd18d3be9791d4f75d4aaced3e8a7dd2c8fca61b71fdacce6 (SHA-256)
- db70f269d62c43bd09580858731853a589e0f32f2d3c915b15cb9f0b4b9f12d2 (SHA-256)
- http://172.93.193.158/data/* (URL pattern)
  stix · 100/100 · Revoked · Valid until 04/05/2023 · Source: AlienVault
- (value not captured)
  stix · 100/100 · Revoked · Valid until 20/06/2024 · Source: AlienVault
- (value not captured)
  stix · 100/100 · Revoked · Valid until 20/06/2024 · Source: AlienVault
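The status fields beside each indicator (revoked, valid-until, score) are exactly what a feed consumer has to honour before a value reaches a blocklist or a SIEM lookup. The Python below is an added example, not code from this page, from OpenCTI or from AlienVault: it models an indicator with those fields, classifies each value by syntax (SHA-256, URL pattern, domain), excludes revoked or expired entries from live detection while still allowing retrospective matching for hunting through old logs, and runs a few constructed observables through the set. The three indicator values are the ones listed above that have a status line printed directly beneath them; the `min_score` threshold, the sample observables and the 27/03/2026 reference date (the page's "Modified" date) are assumptions for the demonstration.

```python
"""Gate a threat-intel indicator export before it reaches detection.

Added example for this page: the indicator values are the ones listed on
the page with the status line shown beside each; the score threshold, the
sample observables and the reference date are constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_ddmmyyyy(text: str) -> date:
    """The platform prints dates as dd/mm/yyyy, e.g. '20/06/2024'."""
    day, month, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


@dataclass(frozen=True)
class Indicator:
    value: str
    source: str
    score: int
    revoked: bool
    valid_until: Optional[date]  # None when the export carries no expiry

    @property
    def kind(self) -> str:
        """Classify by syntax alone: 'sha256', 'url' or 'domain'."""
        v = self.value.lower()
        if SHA256_RE.match(v):
            return "sha256"
        if "://" in v:
            return "url"
        return "domain"


def is_operational(ind: Indicator, today: date, min_score: int = 50) -> bool:
    """Live detection only takes indicators that are not revoked, not past
    valid_until and at or above the score threshold (the threshold is an assumption)."""
    if ind.revoked or ind.score < min_score:
        return False
    if ind.valid_until is not None and today > ind.valid_until:
        return False
    return True


def matches(ind: Indicator, observable: str) -> bool:
    """Match one observable (file hash, URL or hostname) against one indicator."""
    obs = observable.strip().lower()
    if ind.kind == "sha256":
        return obs == ind.value.lower()
    if ind.kind == "url":
        # '*' in a URL indicator such as '/data/*' is treated as shell-style globbing
        return fnmatch(obs, ind.value.lower())
    # domain indicator: take the host out of a URL, then match it or any subdomain
    host = urlsplit(obs).hostname if "://" in obs else obs
    host = (host or "").rstrip(".")
    dom = ind.value.lower()
    return host == dom or host.endswith("." + dom)


def scan(events: list[str], indicators: list[Indicator], today: date,
         retrospective: bool = False) -> list[tuple[str, str]]:
    """Return (observable, indicator value) pairs.

    Live mode (default) consults only operational indicators. Retrospective
    mode also matches revoked/expired ones: useful for hunting through old
    logs, never for blocking.
    """
    active = [i for i in indicators if retrospective or is_operational(i, today)]
    return [(ev, i.value) for ev in events for i in active if matches(i, ev)]


# Values from this page, with the status line the page shows beneath each of them.
PAGE_INDICATORS = [
    Indicator("www.roofcolor.com", "AlienVault", 100, True, parse_ddmmyyyy("20/06/2024")),
    Indicator("35ea90ba0d75a758abec880413c3f87d171bf34d93465fa868e6a09e5058daaf",
              "AlienVault", 100, True, parse_ddmmyyyy("20/06/2024")),
    Indicator("http://172.93.193.158/data/*", "AlienVault", 100, True, parse_ddmmyyyy("04/05/2023")),
]

# Constructed observables for the demonstration (not from the page).
SAMPLE_EVENTS = [
    "http://172.93.193.158/data/update.bin",   # inside the wildcard path
    "http://172.93.193.158/index.html",        # same host, outside the pattern
    "https://www.roofcolor.com/login",         # host extracted from a URL
    "35EA90BA0D75A758ABEC880413C3F87D171BF34D93465FA868E6A09E5058DAAF",  # upper-case hash
    "example.org",                             # unrelated host
]

REFERENCE_DATE = date(2026, 3, 27)  # the page's "Modified" date

if __name__ == "__main__":
    print("live hits:", scan(SAMPLE_EVENTS, PAGE_INDICATORS, REFERENCE_DATE))
    for ev, ind in scan(SAMPLE_EVENTS, PAGE_INDICATORS, REFERENCE_DATE, retrospective=True):
        print(f"retrospective: {ev!r} matched {ind!r}")
```

Run against the page's own indicators on the reference date, live mode returns nothing, because every captured status line is Revoked and past its validity window; retrospective mode surfaces the three matches, which is the right behaviour for a hunt over old proxy or EDR logs but would be a false-positive generator if wired into blocking.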
Vulnerabilities (CVE) (5)
The five linked CVEs are listed by their catalogue descriptions; the CVE identifiers themselves were not carried in the export.
- Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user.
  Attack vector: Local · Published: 03/11/2021 · Modified: 26/02/2026
- Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile.
  Attack vector: Local · Complexity: Low · Published: 27/04/2017 · Modified: 22/04/2026
- Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows an unauthenticated attacker to initiate remote code execution via a specially crafted …
  Attack vector: Network · Published: 13/08/2024 · Modified: 21/12/2025
- Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution.
  Attack vector: Network · Published: 08/11/2022 · Modified: 14/01/2026
- Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability
  Published: 15/02/2022 · Modified: 14/05/2026