| SYMBOL | COMMON_NAME | aka. SYNONYMS |
APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities
| 2025-05-12
⋅
Genians
⋅
Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story) RokRAT |
| 2025-03-12
⋅
Lookout
⋅
Lookout Discovers New Spyware by North Korean APT37 KoSpy |
| 2025-03-01
⋅
ZW01f
⋅
An in-depth analysis of APT37’s latest campaign RokRAT |
| 2025-02-20
⋅
Cyber Security News
⋅
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware RokRAT |
| 2024-10-16
⋅
ASEC
⋅
AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) APT37 |
| 2024-05-07
⋅
AhnLab
⋅
LNK File Disguised as Certificate Distributing RokRAT Malware RokRAT |
| 2024-03-04
⋅
⋅
Weixin
⋅
Shadow Hunting: Analysis of APT37’s attack activities against South Korea using North Korean political topics RokRAT |
| 2024-03-01
⋅
0x0v1
⋅
APT37's ROKRAT HWP Object Linking and Embedding RokRAT |
| 2024-02-21
⋅
DCSO
⋅
To Russia With Love: Assessing a KONNI-Backdoored Suspected Russian Consular Software Installer Konni |
| 2023-12-27
⋅
⋅
Wezard4u
⋅
Malicious code impersonating the National Tax Service created by Konni Konni |
| 2023-11-10
⋅
NSFOCUS
⋅
The New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits Cobalt Strike Konni DarkCasino Opal Sleet |
| 2023-09-25
⋅
0x0v1
⋅
REArchive: Reverse engineering APT37’s GOLDBACKDOOR dropper GOLDBACKDOOR |
| 2023-08-07
⋅
SentinelOne
⋅
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company OpenCarrot |
| 2023-06-06
⋅
Security Intelligence
⋅
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK) RokRAT |
| 2023-05-01
⋅
Check Point Research
⋅
Chain Reaction: RokRAT's Missing Link Amadey RokRAT |
| 2023-04-26
⋅
AhnLab
⋅
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) RokRAT |
| 2023-03-28
⋅
ThreatMon
⋅
Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon Chinotto |
| 2023-03-23
⋅
Medium s2wlab
⋅
Scarcruft Bolsters Arsenal for targeting individual Android devices RambleOn RokRAT |
| 2023-03-21
⋅
Zscaler
⋅
The Unintentional Leak: A glimpse into the attack vectors of APT37 Chinotto |
| 2023-03-16
⋅
Sekoia
⋅
Peeking at Reaper’s surveillance operations Chinotto |
| 2023-01-27
⋅
⋅
ThorCERT
⋅
TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives Chinotto |
| 2023-01-01
⋅
ThreatMon
⋅
Reverse Engineering RokRAT: A Closer Look at APT37’s Onedrive-Based Attack Vector RokRAT |
| 2023-01-01
⋅
ThreatMon
⋅
The Konni APT Chronicle: Tracing Their Intelligence-Driven Attack Chain Konni |
| 2022-12-05
⋅
⋅
KISA
⋅
TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals Chinotto |
| 2022-09-28
⋅
Twitter (@ESETresearch)
⋅
Twitter Thread linking CloudMensis to RokRAT / ScarCruft CloudMensis RokRAT |
| 2022-09-06
⋅
cocomelonc
⋅
Malware development tricks: parent PID spoofing. Simple C++ example. Cobalt Strike Konni |
| 2022-07-23
⋅
BleepingComputer
⋅
North Korean hackers attack EU targets with Konni RAT malware Konni |
| 2022-07-20
⋅
Securonix Threat Labs
⋅
STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix Konni Opal Sleet |
| 2022-07-18
⋅
Palo Alto Networks Unit 42
⋅
Moldy Pisces RokRAT APT37 |
| 2022-05-02
⋅
cocomelonc
⋅
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example Agent.BTZ Ave Maria Konni Mosquito TurlaRPC |
| 2022-04-28
⋅
PWC
⋅
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
| 2022-04-21
⋅
Stairwell
⋅
The ink-stained trail of GOLDBACKDOOR GOLDBACKDOOR |
| 2022-01-26
⋅
Malwarebytes
⋅
KONNI evolves into stealthier RAT Konni |
| 2022-01-12
⋅
BleepingComputer
⋅
Hackers take over diplomat's email, target Russian deputy minister Konni |
| 2022-01-05
⋅
Lumen
⋅
New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs Konni |
| 2022-01-03
⋅
Cluster25
⋅
North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants Konni |
| 2021-12-06
⋅
cyble
⋅
APT37 Using a New Android Spyware, Chinotto Chinotto |
| 2021-11-29
⋅
Kaspersky
⋅
ScarCruft surveilling North Korean defectors and human rights activists Chinotto Chinotto PoorWeb |
| 2021-09-06
⋅
cocomelonc
⋅
AV engines evasion for C++ simple malware: part 2 Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze |
| 2021-08-24
⋅
Volexity
⋅
North Korean BLUELIGHT Special: InkySquid Deploys RokRAT RokRAT |
| 2021-08-20
⋅
Malwarebytes
⋅
New variant of Konni malware used in campaign targetting Russia Konni |
| 2021-08-17
⋅
Volatility Labs
⋅
North Korean APT37 / InkySquid Infects Victims Using Browser Exploits BLUELIGHT APT37 |
| 2021-07-14
⋅
Medium s2wlab
⋅
Matryoshka : Variant of ROKRAT, APT37 (Scarcruft) RokRAT |
| 2021-02-18
⋅
PTSecurity
⋅
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader |
| 2021-01-06
⋅
Malwarebytes
⋅
Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat RokRAT |
| 2020-12-15
⋅
Trend Micro
⋅
Who is the Threat Actor Behind Operation Earth Kitsune? Freenki Loader SLUB Earth Kitsune |
| 2020-12-08
⋅
⋅
AhnLab
⋅
“「2021 평화∙통일 이야기 공모전」 참가 신청서” 제목의 한글문서 유포 (APT 추정) PoorWeb |
| 2020-11-16
⋅
ReversingLabs
⋅
PoorWeb - Hitching a Ride on Hangul PoorWeb |
| 2020-08-14
⋅
Department of Homeland Security
⋅
Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware Konni |
| 2020-06-16
⋅
IBM
⋅
Cloud ThreatLandscape Report 2020 QNAPCrypt RokRAT |
| 2020-05-21
⋅
PICUS Security
⋅
T1055 Process Injection BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE |
| 2020-03-30
⋅
Kaspersky SAS
⋅
Behind the Mask of ScarCruft RokRAT |
| 2020-03-04
⋅
CrowdStrike
⋅
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
| 2020-03-03
⋅
PWC UK
⋅
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
| 2020-02-19
⋅
Lexfo
⋅
The Lazarus Constellation A study on North Korean malware FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor |
| 2020-01-27
⋅
CyberInt
⋅
Konni Malware 2019 Campaign Konni |
| 2020-01-04
⋅
Medium d-hunter
⋅
A Look Into Konni 2019 Campaign Konni |
| 2019-10-28
⋅
⋅
Tencent
⋅
Analysis of Suspected Group123 (APT37) Attacks on Chinese and Korean Foreign Traders Unidentified 067 |
| 2019-08-19
⋅
⋅
EST Security
⋅
Konni APT organization emerges as an attack disguised as Russian document Konni |
| 2019-08-12
⋅
Kindred Security
⋅
An Overview of Public Platform C2’s HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT |
| 2019-08-01
⋅
Kaspersky Labs
⋅
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy |
| 2019-05-13
⋅
Kaspersky Labs
⋅
ScarCruft continues to evolve, introduces Bluetooth harvester Konni RokRAT UACMe APT37 |
| 2019-05-10
⋅
Fortiguard
⋅
Activity Summary - Week Ending May 10, 2019 PoorWeb |
| 2019-01-01
⋅
Council on Foreign Relations
⋅
APT 37 APT37 |
| 2019-01-01
⋅
MITRE
⋅
Group description: APT37 APT37 |
| 2018-11-16
⋅
⋅
Return to ROKRAT!! (feat. FAAAA...Sad...) RokRAT |
| 2018-10-03
⋅
Intezer
⋅
APT37: Final1stspy Reaping the FreeMilk Final1stSpy RokRAT |
| 2018-10-01
⋅
Palo Alto Networks Unit 42
⋅
NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT Nokki |
| 2018-10-01
⋅
Bleeping Computer
⋅
Report Ties North Korean Attacks to New Malware, Linked by Word Macros APT37 |
| 2018-09-27
⋅
Palo Alto Networks Unit 42
⋅
New KONNI Malware attacking Eurasia and Southeast Asia Nokki |
| 2018-07-10
⋅
Kaspersky Labs
⋅
APT Trends Report Q2 2018 LightNeuron PoorWeb |
| 2018-04-05
⋅
Palo Alto Networks Unit 42
⋅
Reaper Group’s Updated Mobile Arsenal KevDroid |
| 2018-04-02
⋅
Cisco Talos
⋅
Fake AV Investigation Unearths KevDroid, New Android Malware KevDroid PubNubRAT |
| 2018-02-27
⋅
VMWare Carbon Black
⋅
Threat Analysis: ROKRAT Malware RokRAT |
| 2018-02-21
⋅
Twitter (@mstoned7)
⋅
Tweet on DPRK APT groups APT37 |
| 2018-02-20
⋅
FireEye
⋅
APT37 (REAPER) The Overlooked North Korean Actor PoorWeb RokRAT APT37 |
| 2018-02-20
⋅
FireEye
⋅
APT37 (Reaper): The Overlooked North Korean Actor APT37 |
| 2018-01-16
⋅
Cisco Talos
⋅
Korea In The Crosshairs Freenki Loader RokRAT APT37 |
| 2018-01-16
⋅
Cisco Talos
⋅
Korea In The Crosshairs Freenki Loader PoohMilk Loader RokRAT APT37 |
| 2017-11-28
⋅
Cisco
⋅
ROKRAT Reloaded RokRAT |
| 2017-10-05
⋅
Palo Alto Networks Unit 42
⋅
FreeMilk: A Highly Targeted Spear Phishing Campaign Freenki Loader PoohMilk Loader |
| 2017-10-05
⋅
Palo Alto Networks Unit 42
⋅
FreeMilk: A Highly Targeted Spear Phishing Campaign APT37 |
| 2017-08-15
⋅
Fortinet
⋅
A Quick Look at a New KONNI RAT Variant Konni |
| 2017-07-06
⋅
Cisco Talos
⋅
New KONNI Campaign References North Korean Missile Capabilities Konni |
| 2017-07-01
⋅
vallejo.cc
⋅
Analysis of new variant of Konni RAT Konni |
| 2017-05-03
⋅
Cisco Talos
⋅
KONNI: A Malware Under The Radar For Years Konni |
| 2017-04-03
⋅
Cisco Talos
⋅
Introducing ROKRAT RokRAT |
| 2017-01-01
⋅
Cisco Talos
⋅
Introducing ROKRAT RokRAT |
| 2016-06-17
⋅
Threatpost
⋅
ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks APT37 |
| 2016-06-17
⋅
Kaspersky Labs
⋅
Operation Daybreak StarCruft APT37 |
| 2016-06-14
⋅
Kaspersky Labs
⋅
CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks APT37 |