aka: APT 37, Group 123, Group123, InkySquid, Operation Daybreak, Operation Erebus, Reaper Group, Reaper, Red Eyes, Ricochet Chollima, ScarCruft, Venus 121, ATK4, G0067, Moldy Pisces
APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.
2023-08-07 ⋅ SentinelOne ⋅ Tom Hegel, Aleksandar Milenkoski @online{hegel:20230807:comrades:d449b68,
author = {Tom Hegel and Aleksandar Milenkoski},
title = {{Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company}},
date = {2023-08-07},
organization = {SentinelOne},
url = {https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/},
language = {English},
urldate = {2023-08-07}
}
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company OpenCarrot |
2023-06-06 ⋅ Security Intelligence ⋅ Joshua Chung, Melissa Frydrych, Claire Zaboeva, Agnes Ramos-Beauchamp @online{chung:20230606:itg10:83811e5,
author = {Joshua Chung and Melissa Frydrych and Claire Zaboeva and Agnes Ramos-Beauchamp},
title = {{ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)}},
date = {2023-06-06},
organization = {Security Intelligence},
url = {https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/},
language = {English},
urldate = {2023-06-09}
}
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK) RokRAT |
2023-05-01 ⋅ Check Point Research ⋅ Check Point Research @online{research:20230501:chain:855e7fa,
author = {{Check Point Research}},
title = {{Chain Reaction: RokRAT's Missing Link}},
date = {2023-05-01},
organization = {Check Point Research},
url = {https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/},
language = {English},
urldate = {2023-05-02}
}
Chain Reaction: RokRAT's Missing Link Amadey RokRAT |
2023-04-26 ⋅ AhnLab ⋅ bghjmun @online{bghjmun:20230426:rokrat:e241546,
author = {bghjmun},
title = {{RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)}},
date = {2023-04-26},
organization = {AhnLab},
url = {https://asec.ahnlab.com/en/51751/},
language = {English},
urldate = {2023-04-26}
}
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft) RokRAT |
2023-03-28 ⋅ ThreatMon ⋅ ThreatMon Malware Research Team, seyitsec @online{team:20230328:chinotto:95afa43,
author = {{ThreatMon Malware Research Team} and seyitsec},
title = {{Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon}},
date = {2023-03-28},
organization = {ThreatMon},
url = {https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/},
language = {English},
urldate = {2023-03-29}
}
Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon Chinotto |
2023-03-23 ⋅ Medium s2wlab ⋅ BLKSMTH, S2W TALON @online{blksmth:20230323:scarcruft:82ba4d6,
author = {BLKSMTH and {S2W TALON}},
title = {{Scarcruft Bolsters Arsenal for targeting individual Android devices}},
date = {2023-03-23},
organization = {Medium s2wlab},
url = {https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab},
language = {English},
urldate = {2023-03-27}
}
Scarcruft Bolsters Arsenal for targeting individual Android devices RambleOn RokRAT |
2023-03-21 ⋅ Zscaler ⋅ Sudeep Singh, Naveen Selvan @online{singh:20230321:unintentional:9d7f138,
author = {Sudeep Singh and Naveen Selvan},
title = {{The Unintentional Leak: A glimpse into the attack vectors of APT37}},
date = {2023-03-21},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37},
language = {English},
urldate = {2023-09-18}
}
The Unintentional Leak: A glimpse into the attack vectors of APT37 Chinotto |
2023-03-16 ⋅ Sekoia ⋅ Threat & Detection Research Team @online{team:20230316:peeking:347803a,
author = {{Threat \& Detection Research Team}},
title = {{Peeking at Reaper’s surveillance operations}},
date = {2023-03-16},
organization = {Sekoia},
url = {https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/},
language = {English},
urldate = {2023-03-20}
}
Peeking at Reaper’s surveillance operations Chinotto |
2023-01-27 ⋅ ThorCERT ⋅ Taewoo Lee, Dongwook Kim, Seulgi Lee @online{lee:20230127:ttps:7fa02fb,
author = {Taewoo Lee and Dongwook Kim and Seulgi Lee},
title = {{TTPs \#9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives}},
date = {2023-01-27},
organization = {ThorCERT},
url = {https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92},
language = {Korean},
urldate = {2023-02-14}
}
TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives Chinotto |
2022-12-05 ⋅ KISA ⋅ KrCERT @online{krcert:20221205:ttps9:b319cfe,
author = {KrCERT},
title = {{TTPs\#9: Analyzing the attack strategy monitoring the daily life of individuals}},
date = {2022-12-05},
organization = {KISA},
url = {https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064},
language = {Korean},
urldate = {2023-01-25}
}
TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals Chinotto |
2022-09-28 ⋅ Twitter (@ESETresearch) ⋅ ESET Research @online{research:20220928:twitter:e0277dd,
author = {{ESET Research}},
title = {{Twitter Thread linking CloudMensis to RokRAT / ScarCruft}},
date = {2022-09-28},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1575103839115804672},
language = {English},
urldate = {2023-03-24}
}
Twitter Thread linking CloudMensis to RokRAT / ScarCruft CloudMensis RokRAT |
2022-09-06 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220906:malware:a09756f,
author = {cocomelonc},
title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}},
date = {2022-09-06},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html},
language = {English},
urldate = {2022-11-17}
}
Malware development tricks: parent PID spoofing. Simple C++ example. Cobalt Strike Konni |
2022-07-23 ⋅ BleepingComputer ⋅ Bill Toulas @online{toulas:20220723:north:79193bd,
author = {Bill Toulas},
title = {{North Korean hackers attack EU targets with Konni RAT malware}},
date = {2022-07-23},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/},
language = {English},
urldate = {2022-07-25}
}
North Korean hackers attack EU targets with Konni RAT malware Konni |
2022-07-20 ⋅ Securonix Threat Labs ⋅ D. Iuzvyk, T. Peck, O. Kolesnikov @online{iuzvyk:20220720:stiffbizon:ae896da,
author = {D. Iuzvyk and T. Peck and O. Kolesnikov},
title = {{STIFF\#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}},
date = {2022-07-20},
organization = {Securonix Threat Labs},
url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/},
language = {English},
urldate = {2022-07-25}
}
STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix Konni |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:moldy:593ab77,
author = {{Unit 42}},
title = {{Moldy Pisces}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/moldypisces/},
language = {English},
urldate = {2022-07-29}
}
Moldy Pisces RokRAT APT37 |
2022-05-02 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220502:malware:4384b01,
author = {cocomelonc},
title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}},
date = {2022-05-02},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html},
language = {English},
urldate = {2022-12-01}
}
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example Agent.BTZ Ave Maria Konni Mosquito TurlaRPC |
2022-04-28 ⋅ PWC ⋅ PWC UK @techreport{uk:20220428:cyber:c43873f,
author = {{PWC UK}},
title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect (Annex) Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen |
2022-04-21 ⋅ Stairwell ⋅ Silas Cutler @techreport{cutler:20220421:inkstained:cc446df,
author = {Silas Cutler},
title = {{The ink-stained trail of GOLDBACKDOOR}},
date = {2022-04-21},
institution = {Stairwell},
url = {https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf},
language = {English},
urldate = {2022-04-29}
}
The ink-stained trail of GOLDBACKDOOR GOLDBACKDOOR |
2022-01-26 ⋅ Malwarebytes ⋅ Roberto Santos @online{santos:20220126:konni:589b447,
author = {Roberto Santos},
title = {{KONNI evolves into stealthier RAT}},
date = {2022-01-26},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/},
language = {English},
urldate = {2022-01-31}
}
KONNI evolves into stealthier RAT Konni |
2022-01-12 ⋅ BleepingComputer ⋅ Ionut Ilascu @online{ilascu:20220112:hackers:e8e7709,
author = {Ionut Ilascu},
title = {{Hackers take over diplomat's email, target Russian deputy minister}},
date = {2022-01-12},
organization = {BleepingComputer},
url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/},
language = {English},
urldate = {2022-07-25}
}
Hackers take over diplomat's email, target Russian deputy minister Konni |
2022-01-05 ⋅ Lumen ⋅ Danny Adamitis, Steve Rudd @online{adamitis:20220105:new:4342d69,
author = {Danny Adamitis and Steve Rudd},
title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}},
date = {2022-01-05},
organization = {Lumen},
url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/},
language = {English},
urldate = {2022-01-25}
}
New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs Konni |
2022-01-03 ⋅ Cluster25 ⋅ Cluster25 @techreport{cluster25:20220103:north:b362bcd,
author = {Cluster25},
title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}},
date = {2022-01-03},
institution = {Cluster25},
url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf},
language = {English},
urldate = {2022-07-25}
}
North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants Konni |
2021-12-06 ⋅ cyble ⋅ Cyble @online{cyble:20211206:apt37:e9b1bba,
author = {Cyble},
title = {{APT37 Using a New Android Spyware, Chinotto}},
date = {2021-12-06},
organization = {cyble},
url = {https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/},
language = {English},
urldate = {2021-12-07}
}
APT37 Using a New Android Spyware, Chinotto Chinotto |
2021-11-29 ⋅ Kaspersky ⋅ GReAT @online{great:20211129:scarcruft:986e7f4,
author = {GReAT},
title = {{ScarCruft surveilling North Korean defectors and human rights activists}},
date = {2021-11-29},
organization = {Kaspersky},
url = {https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/},
language = {English},
urldate = {2021-12-07}
}
ScarCruft surveilling North Korean defectors and human rights activists Chinotto Chinotto PoorWeb |
2021-09-06 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210906:av:215e5aa,
author = {cocomelonc},
title = {{AV engines evasion for C++ simple malware: part 2}},
date = {2021-09-06},
organization = {cocomelonc},
url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html},
language = {English},
urldate = {2023-07-24}
}
AV engines evasion for C++ simple malware: part 2 Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze |
2021-08-24 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Steven Adair, Thomas Lancaster @online{cash:20210824:north:aab532f,
author = {Damien Cash and Josh Grunzweig and Steven Adair and Thomas Lancaster},
title = {{North Korean BLUELIGHT Special: InkySquid Deploys RokRAT}},
date = {2021-08-24},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/},
language = {English},
urldate = {2021-08-31}
}
North Korean BLUELIGHT Special: InkySquid Deploys RokRAT RokRAT |
2021-08-20 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20210820:new:2efd65e,
author = {Hossein Jazi},
title = {{New variant of Konni malware used in campaign targetting Russia}},
date = {2021-08-20},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/},
language = {English},
urldate = {2021-08-25}
}
New variant of Konni malware used in campaign targetting Russia Konni |
2021-08-17 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Steven Adair, Thomas Lancaster @online{cash:20210817:north:e84fb02,
author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Steven Adair and Thomas Lancaster},
title = {{North Korean APT37 / InkySquid Infects Victims Using Browser Exploits}},
date = {2021-08-17},
organization = {Volexity},
url = {https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/},
language = {English},
urldate = {2021-08-20}
}
North Korean APT37 / InkySquid Infects Victims Using Browser Exploits BLUELIGHT APT37 |
2021-07-14 ⋅ Medium s2wlab ⋅ Jaeki Kim @online{kim:20210714:matryoshka:6c8d267,
author = {Jaeki Kim},
title = {{Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)}},
date = {2021-07-14},
organization = {Medium s2wlab},
url = {https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48},
language = {English},
urldate = {2021-07-20}
}
Matryoshka : Variant of ROKRAT, APT37 (Scarcruft) RokRAT |
2021-02-18 ⋅ PTSecurity ⋅ PTSecurity @online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f,
author = {PTSecurity},
title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}},
date = {2021-02-18},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/},
language = {English},
urldate = {2021-02-25}
}
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader |
2021-01-06 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20210106:retrohunting:65f1492,
author = {Hossein Jazi},
title = {{Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat}},
date = {2021-01-06},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/},
language = {English},
urldate = {2021-01-11}
}
Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat RokRAT |
2020-12-15 ⋅ Trend Micro ⋅ William Gamazo Sanchez @online{sanchez:20201215:who:c723930,
author = {William Gamazo Sanchez},
title = {{Who is the Threat Actor Behind Operation Earth Kitsune?}},
date = {2020-12-15},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html},
language = {English},
urldate = {2020-12-16}
}
Who is the Threat Actor Behind Operation Earth Kitsune? Freenki Loader SLUB |
2020-12-08 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @online{team:20201208:2021:e29d0dc,
author = {{AhnLab ASEC Analysis Team}},
title = {{“「2021 평화∙통일 이야기 공모전」 참가 신청서” 제목의 한글문서 유포 (APT 추정)}},
date = {2020-12-08},
organization = {AhnLab},
url = {https://asec.ahnlab.com/ko/18796/},
language = {Korean},
urldate = {2020-12-14}
}
“「2021 평화∙통일 이야기 공모전」 참가 신청서” 제목의 한글문서 유포 (APT 추정) PoorWeb |
2020-11-16 ⋅ ReversingLabs ⋅ Robert Simmons @online{simmons:20201116:poorweb:ef09841,
author = {Robert Simmons},
title = {{PoorWeb - Hitching a Ride on Hangul}},
date = {2020-11-16},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats},
language = {English},
urldate = {2020-11-18}
}
PoorWeb - Hitching a Ride on Hangul PoorWeb |
2020-08-14 ⋅ Department of Homeland Security ⋅ US-CERT @online{uscert:20200814:alert:d3dbb71,
author = {US-CERT},
title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}},
date = {2020-08-14},
organization = {Department of Homeland Security},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a},
language = {English},
urldate = {2020-08-14}
}
Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware Konni |
2020-06-16 ⋅ IBM ⋅ IBM Security X-Force® Incident Responseand Intelligence Services (IRIS) @online{iris:20200616:cloud:e15a0d5,
author = {{IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}},
title = {{Cloud Threat Landscape Report 2020}},
date = {2020-06-16},
organization = {IBM},
url = {https://www.ibm.com/downloads/cas/Z81AVOY7},
language = {English},
urldate = {2020-06-17}
}
Cloud Threat Landscape Report 2020 QNAPCrypt RokRAT |
2020-05-21 ⋅ PICUS Security ⋅ Süleyman Özarslan @online{zarslan:20200521:t1055:4400f98,
author = {Süleyman Özarslan},
title = {{T1055 Process Injection}},
date = {2020-05-21},
organization = {PICUS Security},
url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection},
language = {English},
urldate = {2020-06-03}
}
T1055 Process Injection BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE |
2020-03-30 ⋅ Kaspersky SAS ⋅ Seongsu Park @techreport{park:20200330:behind:7c5548e,
author = {Seongsu Park},
title = {{Behind the Mask of ScarCruft}},
date = {2020-03-30},
institution = {Kaspersky SAS},
url = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf},
language = {English},
urldate = {2020-03-31}
}
Behind the Mask of ScarCruft RokRAT |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
author = {{PWC UK}},
title = {{Cyber Threats 2019: A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019: A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
2020-02-19 ⋅ Lexfo ⋅ Lexfo @techreport{lexfo:20200219:lazarus:f293c37,
author = {Lexfo},
title = {{The Lazarus Constellation A study on North Korean malware}},
date = {2020-02-19},
institution = {Lexfo},
url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
language = {English},
urldate = {2020-03-11}
}
The Lazarus Constellation A study on North Korean malware FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor |
2020-01-27 ⋅ CyberInt ⋅ CyberInt @techreport{cyberint:20200127:konni:5cb8e40,
author = {CyberInt},
title = {{Konni Malware 2019 Campaign}},
date = {2020-01-27},
institution = {CyberInt},
url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf},
language = {English},
urldate = {2022-07-25}
}
Konni Malware 2019 Campaign Konni |
2020-01-04 ⋅ Medium d-hunter ⋅ Doron Karmi @online{karmi:20200104:look:441fa96,
author = {Doron Karmi},
title = {{A Look Into Konni 2019 Campaign}},
date = {2020-01-04},
organization = {Medium d-hunter},
url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b},
language = {English},
urldate = {2020-01-17}
}
A Look Into Konni 2019 Campaign Konni |
2019-10-28 ⋅ Tencent ⋅ Tencent @online{tencent:20191028:analysis:094d588,
author = {Tencent},
title = {{Analysis of Suspected Group123 (APT37) Attacks on Chinese and Korean Foreign Traders}},
date = {2019-10-28},
organization = {Tencent},
url = {https://s.tencent.com/research/report/831.html},
language = {Chinese},
urldate = {2019-12-18}
}
Analysis of Suspected Group123 (APT37) Attacks on Chinese and Korean Foreign Traders Unidentified 067 |
2019-08-19 ⋅ EST Security ⋅ East Security Response Center @online{center:20190819:konni:5af29f8,
author = {{East Security Response Center}},
title = {{Konni APT organization emerges as an attack disguised as Russian document}},
date = {2019-08-19},
organization = {EST Security},
url = {https://blog.alyac.co.kr/2474},
language = {Korean},
urldate = {2020-01-20}
}
Konni APT organization emerges as an attack disguised as Russian document Konni |
2019-08-12 ⋅ Kindred Security ⋅ Kindred Security @online{security:20190812:overview:0726c0a,
author = {{Kindred Security}},
title = {{An Overview of Public Platform C2’s}},
date = {2019-08-12},
organization = {Kindred Security},
url = {https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/},
language = {English},
urldate = {2021-07-20}
}
An Overview of Public Platform C2’s HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT |
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20190801:trends:5e25d5b,
author = {GReAT},
title = {{APT trends report Q2 2019}},
date = {2019-08-01},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2019/91897/},
language = {English},
urldate = {2020-08-13}
}
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy |
2019-05-13 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20190513:scarcruft:eb8bb1c,
author = {GReAT},
title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}},
date = {2019-05-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/},
language = {English},
urldate = {2019-12-20}
}
ScarCruft continues to evolve, introduces Bluetooth harvester Konni RokRAT UACMe APT37 |
2019-05-10 ⋅ Fortiguard ⋅ FortiGuard @online{fortiguard:20190510:activity:4b58c05,
author = {FortiGuard},
title = {{Activity Summary - Week Ending May 10, 2019}},
date = {2019-05-10},
organization = {Fortiguard},
url = {https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019},
language = {English},
urldate = {2019-11-28}
}
Activity Summary - Week Ending May 10, 2019 PoorWeb |
2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:apt37:b488fef,
author = {{MITRE ATT\&CK}},
title = {{Group description: APT37}},
date = {2019},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0067/},
language = {English},
urldate = {2019-12-20}
}
Group description: APT37 APT37 |
2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:37:fade066,
author = {{Cyber Operations Tracker}},
title = {{APT 37}},
date = {2019},
organization = {Council on Foreign Relations},
url = {https://www.cfr.org/interactive/cyber-operations/apt-37},
language = {English},
urldate = {2019-12-20}
}
APT 37 APT37 |
2018-11-16 ⋅ Kim Yejun @online{yejun:20181116:return:31caa6a,
author = {Kim, Yejun},
title = {{Return to ROKRAT!! (feat. FAAAA...Sad...)}},
date = {2018-11-16},
url = {http://v3lo.tistory.com/24},
language = {Japanese},
urldate = {2019-11-26}
}
Return to ROKRAT!! (feat. FAAAA...Sad...) RokRAT |
2018-10-03 ⋅ Intezer ⋅ Jay Rosenberg @online{rosenberg:20181003:apt37:93a9100,
author = {Jay Rosenberg},
title = {{APT37: Final1stspy Reaping the FreeMilk}},
date = {2018-10-03},
organization = {Intezer},
url = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/},
language = {English},
urldate = {2020-01-09}
}
APT37: Final1stspy Reaping the FreeMilk Final1stSpy RokRAT |
2018-10-01 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig @online{grunzweig:20181001:nokki:b458c95,
author = {Josh Grunzweig},
title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}},
date = {2018-10-01},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/},
language = {English},
urldate = {2019-12-20}
}
NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT Nokki |
2018-10-01 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20181001:report:67e6316,
author = {Ionut Ilascu},
title = {{Report Ties North Korean Attacks to New Malware, Linked by Word Macros}},
date = {2018-10-01},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/},
language = {English},
urldate = {2019-12-20}
}
Report Ties North Korean Attacks to New Malware, Linked by Word Macros APT37 |
2018-09-27 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Bryan Lee @online{grunzweig:20180927:new:d33c053,
author = {Josh Grunzweig and Bryan Lee},
title = {{New KONNI Malware attacking Eurasia and Southeast Asia}},
date = {2018-09-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/},
language = {English},
urldate = {2019-12-20}
}
New KONNI Malware attacking Eurasia and Southeast Asia Nokki |
2018-07-10 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20180710:trends:4651c7b,
author = {GReAT},
title = {{APT Trends Report Q2 2018}},
date = {2018-07-10},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2018/86487/},
language = {English},
urldate = {2019-12-20}
}
APT Trends Report Q2 2018 LightNeuron PoorWeb |
2018-04-05 ⋅ Palo Alto Networks Unit 42 ⋅ Ruchna Nigam @online{nigam:20180405:reaper:d4da0f8,
author = {Ruchna Nigam},
title = {{Reaper Group’s Updated Mobile Arsenal}},
date = {2018-04-05},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/},
language = {English},
urldate = {2019-12-20}
}
Reaper Group’s Updated Mobile Arsenal KevDroid |
2018-04-02 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères, Vitor Ventura, Jungsoo An @online{mercer:20180402:fake:f803f5b,
author = {Warren Mercer and Paul Rascagnères and Vitor Ventura and Jungsoo An},
title = {{Fake AV Investigation Unearths KevDroid, New Android Malware}},
date = {2018-04-02},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html},
language = {English},
urldate = {2020-01-06}
}
Fake AV Investigation Unearths KevDroid, New Android Malware KevDroid PubNubRAT |
2018-02-27 ⋅ VMWare Carbon Black ⋅ Jared Myers @online{myers:20180227:threat:11a58a0,
author = {Jared Myers},
title = {{Threat Analysis: ROKRAT Malware}},
date = {2018-02-27},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/},
language = {English},
urldate = {2019-10-23}
}
Threat Analysis: ROKRAT Malware RokRAT |
2018-02-21 ⋅ Twitter (@mstoned7) ⋅ CHA Minseok @online{minseok:20180221:dprk:5de56c6,
author = {CHA, Minseok},
title = {{Tweet on DPRK APT groups}},
date = {2018-02-21},
organization = {Twitter (@mstoned7)},
url = {https://twitter.com/mstoned7/status/966126706107953152},
language = {English},
urldate = {2020-01-09}
}
Tweet on DPRK APT groups APT37 |
2018-02-20 ⋅ FireEye ⋅ FireEye @techreport{fireeye:20180220:apt37:bc54ada,
author = {FireEye},
title = {{APT37 (REAPER) The Overlooked North Korean Actor}},
date = {2018-02-20},
institution = {FireEye},
url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf},
language = {English},
urldate = {2021-11-03}
}
APT37 (REAPER) The Overlooked North Korean Actor PoorWeb RokRAT APT37 |
2018-02-20 ⋅ FireEye ⋅ FireEye @online{fireeye:20180220:apt37:2ca8466,
author = {FireEye},
title = {{APT37 (Reaper): The Overlooked North Korean Actor}},
date = {2018-02-20},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html},
language = {English},
urldate = {2019-12-20}
}
APT37 (Reaper): The Overlooked North Korean Actor APT37 |
2018-01-16 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères, Jungsoo An @online{mercer:20180116:korea:f462331,
author = {Warren Mercer and Paul Rascagnères and Jungsoo An},
title = {{Korea In The Crosshairs}},
date = {2018-01-16},
organization = {Cisco Talos},
url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
language = {English},
urldate = {2020-01-06}
}
Korea In The Crosshairs Freenki Loader PoohMilk Loader RokRAT APT37 |
2018-01-16 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères @online{mercer:20180116:korea:02f4c3c,
author = {Warren Mercer and Paul Rascagnères},
title = {{Korea In The Crosshairs}},
date = {2018-01-16},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html},
language = {English},
urldate = {2020-04-06}
}
Korea In The Crosshairs Freenki Loader RokRAT APT37 |
2017-11-28 ⋅ Cisco ⋅ Warren Mercer, Paul Rascagnères, Jungsoo An @online{mercer:20171128:rokrat:dec34fb,
author = {Warren Mercer and Paul Rascagnères and Jungsoo An},
title = {{ROKRAT Reloaded}},
date = {2017-11-28},
organization = {Cisco},
url = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html},
language = {English},
urldate = {2019-11-22}
}
ROKRAT Reloaded RokRAT |
2017-10-05 ⋅ Palo Alto Networks Unit 42 ⋅ Juan Cortes, Esmid Idrizovic @online{cortes:20171005:freemilk:1c7eb5d,
  author       = {Juan Cortes and Esmid Idrizovic},
  title        = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2017-10-05},
  url          = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/},
  urldate      = {2020-01-08},
  language     = {English},
}
FreeMilk: A Highly Targeted Spear Phishing Campaign APT37 |
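2017-10-05 ⋅ Palo Alto Networks Unit 42 ⋅ Juan Cortes, Esmid Idrizovic @online{cortes:20171005:freemilk:a929f1b,
  author        = {Juan Cortes and Esmid Idrizovic},
  title         = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}},
  organization  = {Palo Alto Networks Unit 42},
  date          = {2017-10-05},
  url           = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/},
  urldate       = {2019-12-20},
  language      = {English},
  internal-note = {Duplicate of cortes:20171005:freemilk:1c7eb5d: same authors, title and date; only the host (researchcenter.paloaltonetworks.com vs unit42.paloaltonetworks.com) and urldate differ. Ignored field; kept so the two keys can be reconciled.},
}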
FreeMilk: A Highly Targeted Spear Phishing Campaign Freenki Loader PoohMilk Loader |
2017-08-15 ⋅ Fortinet ⋅ Jasper Manuel @online{manuel:20170815:quick:ab09ae8,
  author       = {Jasper Manuel},
  title        = {{A Quick Look at a New KONNI RAT Variant}},
  organization = {Fortinet},
  date         = {2017-08-15},
  url          = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant},
  urldate      = {2020-01-09},
  language     = {English},
}
A Quick Look at a New KONNI RAT Variant Konni |
2017-07-06 ⋅ Cisco Talos ⋅ Paul Rascagnères @online{rascagnres:20170706:new:b0410c3,
  author       = {Paul Rascagnères},
  title        = {{New KONNI Campaign References North Korean Missile Capabilities}},
  organization = {Cisco Talos},
  date         = {2017-07-06},
  url          = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html},
  urldate      = {2020-01-10},
  language     = {English},
}
New KONNI Campaign References North Korean Missile Capabilities Konni |
2017-07 ⋅ vallejo.cc ⋅ vallejocc @online{vallejocc:201707:analysis:b16e1c3,
  author       = {vallejocc},
  title        = {{Analysis of new variant of Konni RAT}},
  organization = {vallejo.cc},
  date         = {2017-07},
  url          = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/},
  urldate      = {2019-07-31},
  language     = {English},
}
Analysis of new variant of Konni RAT Konni |
2017-05-03 ⋅ Cisco Talos ⋅ Paul Rascagnères @online{rascagnres:20170503:konni:8b039a6,
  author       = {Paul Rascagnères},
  title        = {{KONNI: A Malware Under The Radar For Years}},
  organization = {Cisco Talos},
  date         = {2017-05-03},
  url          = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html},
  urldate      = {2020-01-13},
  language     = {English},
}
KONNI: A Malware Under The Radar For Years Konni |
2017-04-03 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères, Matthew Molyett @online{mercer:20170403:introducing:d17f359,
  author       = {Warren Mercer and Paul Rascagnères and Matthew Molyett},
  title        = {{Introducing ROKRAT}},
  organization = {Cisco Talos},
  date         = {2017-04-03},
  url          = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html},
  urldate      = {2020-01-09},
  language     = {English},
}
Introducing ROKRAT RokRAT |
2017 ⋅ Cisco Talos ⋅ Warren Mercer, Paul Rascagnères @techreport{mercer:2017:introducing:04e2ff1,
  author       = {Warren Mercer and Paul Rascagnères},
  title        = {{Introducing ROKRAT}},
  institution  = {Cisco Talos},
  date         = {2017},
  url          = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf},
  urldate      = {2019-12-20},
  language     = {English},
}
Introducing ROKRAT RokRAT |
2016-06-17 ⋅ Threatpost ⋅ Michael Mimoso @online{mimoso:20160617:scarcruft:4b357f7,
  author       = {Michael Mimoso},
  title        = {{ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks}},
  organization = {Threatpost},
  date         = {2016-06-17},
  url          = {https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/},
  urldate      = {2019-10-28},
  language     = {English},
}
ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks APT37 |
2016-06-17 ⋅ Kaspersky Labs ⋅ Costin Raiu, Anton Ivanov @online{raiu:20160617:operation:2dfcedd,
  author       = {Costin Raiu and Anton Ivanov},
  title        = {{Operation Daybreak}},
  organization = {Kaspersky Labs},
  date         = {2016-06-17},
  url          = {https://securelist.com/operation-daybreak/75100/},
  urldate      = {2019-12-20},
  language     = {English},
}
Operation Daybreak StarCruft APT37 |
2016-06-14 ⋅ Kaspersky Labs ⋅ Costin Raiu @online{raiu:20160614:cve20164171:6d0a7c9,
  author       = {Costin Raiu},
  title        = {{CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks}},
  organization = {Kaspersky Labs},
  date         = {2016-06-14},
  url          = {https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/},
  urldate      = {2019-12-20},
  language     = {English},
}
CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks APT37 |