
APT37

aka: APT 37, Group 123, Group123, InkySquid, Operation Daybreak, Operation Erebus, Reaper Group, Reaper, Red Eyes, Ricochet Chollima, ScarCruft, Venus 121, ATK4, G0067, Moldy Pisces

APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors, primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.


Associated Families
apk.chinotto apk.kevdroid win.bluelight win.final1stspy win.goldbackdoor win.nokki win.poohmilk win.poorweb win.rokrat win.starcruft win.unidentified_067 win.open_carrot win.freenki win.konni win.chinotto

References
2023-08-07 | SentinelOne | Tom Hegel, Aleksandar Milenkoski
@online{hegel:20230807:comrades:d449b68, author = {Tom Hegel and Aleksandar Milenkoski}, title = {{Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company}}, date = {2023-08-07}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/}, language = {English}, urldate = {2023-08-07} } Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
OpenCarrot
2023-06-06 | Security Intelligence | Joshua Chung, Melissa Frydrych, Claire Zaboeva, Agnes Ramos-Beauchamp
@online{chung:20230606:itg10:83811e5, author = {Joshua Chung and Melissa Frydrych and Claire Zaboeva and Agnes Ramos-Beauchamp}, title = {{ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)}}, date = {2023-06-06}, organization = {Security Intelligence}, url = {https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/}, language = {English}, urldate = {2023-06-09} } ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)
RokRAT
2023-05-01 | Check Point Research | Check Point Research
@online{research:20230501:chain:855e7fa, author = {Check Point Research}, title = {{Chain Reaction: RokRAT's Missing Link}}, date = {2023-05-01}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/}, language = {English}, urldate = {2023-05-02} } Chain Reaction: RokRAT's Missing Link
Amadey RokRAT
2023-04-26 | AhnLab | bghjmun
@online{bghjmun:20230426:rokrat:e241546, author = {bghjmun}, title = {{RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)}}, date = {2023-04-26}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/51751/}, language = {English}, urldate = {2023-04-26} } RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
RokRAT
2023-03-28 | ThreatMon | ThreatMon Malware Research Team, seyitsec
@online{team:20230328:chinotto:95afa43, author = {ThreatMon Malware Research Team and seyitsec}, title = {{Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon}}, date = {2023-03-28}, organization = {ThreatMon}, url = {https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/}, language = {English}, urldate = {2023-03-29} } Chinotto Backdoor Technical Analysis of the APT Reaper’s Powerful Weapon
Chinotto
2023-03-23 | Medium s2wlab | BLKSMTH, S2W TALON
@online{blksmth:20230323:scarcruft:82ba4d6, author = {BLKSMTH and S2W TALON}, title = {{Scarcruft Bolsters Arsenal for targeting individual Android devices}}, date = {2023-03-23}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab}, language = {English}, urldate = {2023-03-27} } Scarcruft Bolsters Arsenal for targeting individual Android devices
RambleOn RokRAT
2023-03-21 | Zscaler | Sudeep Singh, Naveen Selvan
@online{singh:20230321:unintentional:9d7f138, author = {Sudeep Singh and Naveen Selvan}, title = {{The Unintentional Leak: A glimpse into the attack vectors of APT37}}, date = {2023-03-21}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37}, language = {English}, urldate = {2023-09-18} } The Unintentional Leak: A glimpse into the attack vectors of APT37
Chinotto
2023-03-16 | Sekoia | Threat & Detection Research Team
@online{team:20230316:peeking:347803a, author = {Threat & Detection Research Team}, title = {{Peeking at Reaper’s surveillance operations}}, date = {2023-03-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/}, language = {English}, urldate = {2023-03-20} } Peeking at Reaper’s surveillance operations
Chinotto
2023-01-27 | ThorCERT | Taewoo Lee, Dongwook Kim, Seulgi Lee
@online{lee:20230127:ttps:7fa02fb, author = {Taewoo Lee and Dongwook Kim and Seulgi Lee}, title = {{TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives}}, date = {2023-01-27}, organization = {ThorCERT}, url = {https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92}, language = {Korean}, urldate = {2023-02-14} } TTPs #9: Analyzing Attack Strategies to Monitor Individuals' Daily Lives
Chinotto
2022-12-05 | KISA | KrCERT
@online{krcert:20221205:ttps9:b319cfe, author = {KrCERT}, title = {{TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals}}, date = {2022-12-05}, organization = {KISA}, url = {https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064}, language = {Korean}, urldate = {2023-01-25} } TTPs#9: Analyzing the attack strategy monitoring the daily life of individuals
Chinotto
2022-09-28 | Twitter (@ESETresearch) | ESET Research
@online{research:20220928:twitter:e0277dd, author = {ESET Research}, title = {{Twitter Thread linking CloudMensis to RokRAT / ScarCruft}}, date = {2022-09-28}, organization = {Twitter (@ESETresearch)}, url = {https://twitter.com/ESETresearch/status/1575103839115804672}, language = {English}, urldate = {2023-03-24} } Twitter Thread linking CloudMensis to RokRAT / ScarCruft
CloudMensis RokRAT
2022-09-06 | cocomelonc | cocomelonc
@online{cocomelonc:20220906:malware:a09756f, author = {cocomelonc}, title = {{Malware development tricks: parent PID spoofing. Simple C++ example.}}, date = {2022-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html}, language = {English}, urldate = {2022-11-17} } Malware development tricks: parent PID spoofing. Simple C++ example.
Cobalt Strike Konni
2022-07-23 | BleepingComputer | Bill Toulas
@online{toulas:20220723:north:79193bd, author = {Bill Toulas}, title = {{North Korean hackers attack EU targets with Konni RAT malware}}, date = {2022-07-23}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/}, language = {English}, urldate = {2022-07-25} } North Korean hackers attack EU targets with Konni RAT malware
Konni
2022-07-20 | Securonix Threat Labs | D. Iuzvyk, T. Peck, O. Kolesnikov
@online{iuzvyk:20220720:stiffbizon:ae896da, author = {D. Iuzvyk and T. Peck and O. Kolesnikov}, title = {{STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix}}, date = {2022-07-20}, organization = {Securonix Threat Labs}, url = {https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/}, language = {English}, urldate = {2022-07-25} } STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) - Securonix
Konni
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20220718:moldy:593ab77, author = {Unit 42}, title = {{Moldy Pisces}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/moldypisces/}, language = {English}, urldate = {2022-07-29} } Moldy Pisces
RokRAT APT37
2022-05-02 | cocomelonc | cocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2022-04-28 | PWC | PWC UK
@techreport{uk:20220428:cyber:c43873f, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect (Annex)}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf}, language = {English}, urldate = {2022-04-29} } Cyber Threats 2021: A Year in Retrospect (Annex)
Cobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen
2022-04-21 | Stairwell | Silas Cutler
@techreport{cutler:20220421:inkstained:cc446df, author = {Silas Cutler}, title = {{The ink-stained trail of GOLDBACKDOOR}}, date = {2022-04-21}, institution = {Stairwell}, url = {https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf}, language = {English}, urldate = {2022-04-29} } The ink-stained trail of GOLDBACKDOOR
GOLDBACKDOOR
2022-01-26 | Malwarebytes | Roberto Santos
@online{santos:20220126:konni:589b447, author = {Roberto Santos}, title = {{KONNI evolves into stealthier RAT}}, date = {2022-01-26}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/}, language = {English}, urldate = {2022-01-31} } KONNI evolves into stealthier RAT
Konni
2022-01-12 | BleepingComputer | Ionut Ilascu
@online{ilascu:20220112:hackers:e8e7709, author = {Ionut Ilascu}, title = {{Hackers take over diplomat's email, target Russian deputy minister}}, date = {2022-01-12}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/}, language = {English}, urldate = {2022-07-25} } Hackers take over diplomat's email, target Russian deputy minister
Konni
2022-01-05 | Lumen | Danny Adamitis, Steve Rudd
@online{adamitis:20220105:new:4342d69, author = {Danny Adamitis and Steve Rudd}, title = {{New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs}}, date = {2022-01-05}, organization = {Lumen}, url = {https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/}, language = {English}, urldate = {2022-01-25} } New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
Konni
2022-01-03 | Cluster25 | Cluster25
@techreport{cluster25:20220103:north:b362bcd, author = {Cluster25}, title = {{North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants}}, date = {2022-01-03}, institution = {Cluster25}, url = {https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf}, language = {English}, urldate = {2022-07-25} } North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
Konni
2021-12-06 | cyble | Cyble
@online{cyble:20211206:apt37:e9b1bba, author = {Cyble}, title = {{APT37 Using a New Android Spyware, Chinotto}}, date = {2021-12-06}, organization = {cyble}, url = {https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/}, language = {English}, urldate = {2021-12-07} } APT37 Using a New Android Spyware, Chinotto
Chinotto
2021-11-29 | Kaspersky | GReAT
@online{great:20211129:scarcruft:986e7f4, author = {GReAT}, title = {{ScarCruft surveilling North Korean defectors and human rights activists}}, date = {2021-11-29}, organization = {Kaspersky}, url = {https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/}, language = {English}, urldate = {2021-12-07} } ScarCruft surveilling North Korean defectors and human rights activists
Chinotto Chinotto PoorWeb
2021-09-06 | cocomelonc | cocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2023-07-24} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze
2021-08-24 | Volexity | Damien Cash, Josh Grunzweig, Steven Adair, Thomas Lancaster
@online{cash:20210824:north:aab532f, author = {Damien Cash and Josh Grunzweig and Steven Adair and Thomas Lancaster}, title = {{North Korean BLUELIGHT Special: InkySquid Deploys RokRAT}}, date = {2021-08-24}, organization = {Volexity}, url = {https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/}, language = {English}, urldate = {2021-08-31} } North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
RokRAT
2021-08-20 | Malwarebytes | Hossein Jazi
@online{jazi:20210820:new:2efd65e, author = {Hossein Jazi}, title = {{New variant of Konni malware used in campaign targetting Russia}}, date = {2021-08-20}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/}, language = {English}, urldate = {2021-08-25} } New variant of Konni malware used in campaign targetting Russia
Konni
2021-08-17 | Volatility Labs | Damien Cash, Josh Grunzweig, Matthew Meltzer, Steven Adair, Thomas Lancaster
@online{cash:20210817:north:e84fb02, author = {Damien Cash and Josh Grunzweig and Matthew Meltzer and Steven Adair and Thomas Lancaster}, title = {{North Korean APT37 / InkySquid Infects Victims Using Browser Exploits}}, date = {2021-08-17}, organization = {Volatility Labs}, url = {https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/}, language = {English}, urldate = {2021-08-20} } North Korean APT37 / InkySquid Infects Victims Using Browser Exploits
BLUELIGHT APT37
2021-07-14 | Medium s2wlab | Jaeki Kim
@online{kim:20210714:matryoshka:6c8d267, author = {Jaeki Kim}, title = {{Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)}}, date = {2021-07-14}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48}, language = {English}, urldate = {2021-07-20} } Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)
RokRAT
2021-02-18 | PTSecurity | PTSecurity
@online{ptsecurity:20210218:httpswwwptsecuritycomwwenanalyticsantisandboxtechniques:d616c1f, author = {PTSecurity}, title = {{https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}}, date = {2021-02-18}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/}, language = {English}, urldate = {2021-02-25} } https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
Poet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader
2021-01-06 | Malwarebytes | Hossein Jazi
@online{jazi:20210106:retrohunting:65f1492, author = {Hossein Jazi}, title = {{Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat}}, date = {2021-01-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/}, language = {English}, urldate = {2021-01-11} } Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
RokRAT
2020-12-15 | Trend Micro | William Gamazo Sanchez
@online{sanchez:20201215:who:c723930, author = {William Gamazo Sanchez}, title = {{Who is the Threat Actor Behind Operation Earth Kitsune?}}, date = {2020-12-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html}, language = {English}, urldate = {2020-12-16} } Who is the Threat Actor Behind Operation Earth Kitsune?
Freenki Loader SLUB
2020-12-08 | AhnLab | AhnLab ASEC Analysis Team
@online{team:20201208:2021:e29d0dc, author = {AhnLab ASEC Analysis Team}, title = {{“「2021 평화∙통일 이야기 공모전」 참가 신청서” 제목의 한글문서 유포 (APT 추정)}}, date = {2020-12-08}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/18796/}, language = {Korean}, urldate = {2020-12-14} } “「2021 평화∙통일 이야기 공모전」 참가 신청서” 제목의 한글문서 유포 (APT 추정)
PoorWeb
2020-11-16 | ReversingLabs | Robert Simmons
@online{simmons:20201116:poorweb:ef09841, author = {Robert Simmons}, title = {{PoorWeb - Hitching a Ride on Hangul}}, date = {2020-11-16}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats}, language = {English}, urldate = {2020-11-18} } PoorWeb - Hitching a Ride on Hangul
PoorWeb
2020-08-14 | Department of Homeland Security | US-CERT
@online{uscert:20200814:alert:d3dbb71, author = {US-CERT}, title = {{Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware}}, date = {2020-08-14}, organization = {Department of Homeland Security}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-227a}, language = {English}, urldate = {2020-08-14} } Alert (AA20-227A): Phishing Emails Used to Deploy KONNI Malware
Konni
2020-06-16 | IBM | IBM Security X-Force® Incident Response and Intelligence Services (IRIS)
@online{iris:20200616:cloud:e15a0d5, author = {IBM Security X-Force® Incident Response and Intelligence Services (IRIS)}, title = {{Cloud Threat Landscape Report 2020}}, date = {2020-06-16}, organization = {IBM}, url = {https://www.ibm.com/downloads/cas/Z81AVOY7}, language = {English}, urldate = {2020-06-17} } Cloud Threat Landscape Report 2020
QNAPCrypt RokRAT
2020-05-21 | PICUS Security | Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-30 | Kaspersky SAS | Seongsu Park
@techreport{park:20200330:behind:7c5548e, author = {Seongsu Park}, title = {{Behind the Mask of ScarCruft}}, date = {2020-03-30}, institution = {Kaspersky SAS}, url = {https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf}, language = {English}, urldate = {2020-03-31} } Behind the Mask of ScarCruft
RokRAT
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-01-27 | CyberInt | CyberInt
@techreport{cyberint:20200127:konni:5cb8e40, author = {CyberInt}, title = {{Konni Malware 2019 Campaign}}, date = {2020-01-27}, institution = {CyberInt}, url = {https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf}, language = {English}, urldate = {2022-07-25} } Konni Malware 2019 Campaign
Konni
2020-01-04 | Medium d-hunter | Doron Karmi
@online{karmi:20200104:look:441fa96, author = {Doron Karmi}, title = {{A Look Into Konni 2019 Campaign}}, date = {2020-01-04}, organization = {Medium d-hunter}, url = {https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b}, language = {English}, urldate = {2020-01-17} } A Look Into Konni 2019 Campaign
Konni
2019-10-28 | Tencent | Tencent
@online{tencent:20191028:analysis:094d588, author = {Tencent}, title = {{Analysis of Suspected Group123 (APT37) Attacks on Chinese and Korean Foreign Traders}}, date = {2019-10-28}, organization = {Tencent}, url = {https://s.tencent.com/research/report/831.html}, language = {Chinese}, urldate = {2019-12-18} } Analysis of Suspected Group123 (APT37) Attacks on Chinese and Korean Foreign Traders
Unidentified 067
2019-08-19 | EST Security | East Security Response Center
@online{center:20190819:konni:5af29f8, author = {East Security Response Center}, title = {{Konni APT organization emerges as an attack disguised as Russian document}}, date = {2019-08-19}, organization = {EST Security}, url = {https://blog.alyac.co.kr/2474}, language = {Korean}, urldate = {2020-01-20} } Konni APT organization emerges as an attack disguised as Russian document
Konni
2019-08-12 | Kindred Security | Kindred Security
@online{security:20190812:overview:0726c0a, author = {Kindred Security}, title = {{An Overview of Public Platform C2’s}}, date = {2019-08-12}, organization = {Kindred Security}, url = {https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/}, language = {English}, urldate = {2021-07-20} } An Overview of Public Platform C2’s
HTML5 Encoding LOWBALL Makadocs MiniDuke RogueRobinNET RokRAT
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-05-13 | Kaspersky Labs | GReAT
@online{great:20190513:scarcruft:eb8bb1c, author = {GReAT}, title = {{ScarCruft continues to evolve, introduces Bluetooth harvester}}, date = {2019-05-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/}, language = {English}, urldate = {2019-12-20} } ScarCruft continues to evolve, introduces Bluetooth harvester
Konni RokRAT UACMe APT37
2019-05-10 | Fortiguard | FortiGuard
@online{fortiguard:20190510:activity:4b58c05, author = {FortiGuard}, title = {{Activity Summary - Week Ending May 10, 2019}}, date = {2019-05-10}, organization = {Fortiguard}, url = {https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019}, language = {English}, urldate = {2019-11-28} } Activity Summary - Week Ending May 10, 2019
PoorWeb
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:apt37:b488fef, author = {MITRE ATT&CK}, title = {{Group description: APT37}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0067/}, language = {English}, urldate = {2019-12-20} } Group description: APT37
APT37
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:37:fade066, author = {Cyber Operations Tracker}, title = {{APT 37}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-37}, language = {English}, urldate = {2019-12-20} } APT 37
APT37
2018-11-16 | Kim Yejun
@online{yejun:20181116:return:31caa6a, author = {Kim Yejun}, title = {{Return to ROKRAT!! (feat. FAAAA...Sad...)}}, date = {2018-11-16}, url = {http://v3lo.tistory.com/24}, language = {Japanese}, urldate = {2019-11-26} } Return to ROKRAT!! (feat. FAAAA...Sad...)
RokRAT
2018-10-03 | Intezer | Jay Rosenberg
@online{rosenberg:20181003:apt37:93a9100, author = {Jay Rosenberg}, title = {{APT37: Final1stspy Reaping the FreeMilk}}, date = {2018-10-03}, organization = {Intezer}, url = {https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/}, language = {English}, urldate = {2020-01-09} } APT37: Final1stspy Reaping the FreeMilk
Final1stSpy RokRAT
2018-10-01 | Palo Alto Networks Unit 42 | Josh Grunzweig
@online{grunzweig:20181001:nokki:b458c95, author = {Josh Grunzweig}, title = {{NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT}}, date = {2018-10-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/}, language = {English}, urldate = {2019-12-20} } NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT
Nokki
2018-10-01 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20181001:report:67e6316, author = {Ionut Ilascu}, title = {{Report Ties North Korean Attacks to New Malware, Linked by Word Macros}}, date = {2018-10-01}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/}, language = {English}, urldate = {2019-12-20} } Report Ties North Korean Attacks to New Malware, Linked by Word Macros
APT37
2018-09-27 | Palo Alto Networks Unit 42 | Josh Grunzweig, Bryan Lee
@online{grunzweig:20180927:new:d33c053, author = {Josh Grunzweig and Bryan Lee}, title = {{New KONNI Malware attacking Eurasia and Southeast Asia}}, date = {2018-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/}, language = {English}, urldate = {2019-12-20} } New KONNI Malware attacking Eurasia and Southeast Asia
Nokki
2018-07-10 | Kaspersky Labs | GReAT
@online{great:20180710:trends:4651c7b, author = {GReAT}, title = {{APT Trends Report Q2 2018}}, date = {2018-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2018/86487/}, language = {English}, urldate = {2019-12-20} } APT Trends Report Q2 2018
LightNeuron PoorWeb
2018-04-05 | Palo Alto Networks Unit 42 | Ruchna Nigam
@online{nigam:20180405:reaper:d4da0f8, author = {Ruchna Nigam}, title = {{Reaper Group’s Updated Mobile Arsenal}}, date = {2018-04-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/}, language = {English}, urldate = {2019-12-20} } Reaper Group’s Updated Mobile Arsenal
KevDroid
2018-04-02 | Cisco Talos | Warren Mercer, Paul Rascagnères, Vitor Ventura, Jungsoo An
@online{mercer:20180402:fake:f803f5b, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura and Jungsoo An}, title = {{Fake AV Investigation Unearths KevDroid, New Android Malware}}, date = {2018-04-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html}, language = {English}, urldate = {2020-01-06} } Fake AV Investigation Unearths KevDroid, New Android Malware
KevDroid PubNubRAT
2018-02-27 | VMWare Carbon Black | Jared Myers
@online{myers:20180227:threat:11a58a0, author = {Jared Myers}, title = {{Threat Analysis: ROKRAT Malware}}, date = {2018-02-27}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/}, language = {English}, urldate = {2019-10-23} } Threat Analysis: ROKRAT Malware
RokRAT
2018-02-21 | Twitter (@mstoned7) | CHA Minseok
@online{minseok:20180221:dprk:5de56c6, author = {CHA Minseok}, title = {{Tweet on DPRK APT groups}}, date = {2018-02-21}, organization = {Twitter (@mstoned7)}, url = {https://twitter.com/mstoned7/status/966126706107953152}, language = {English}, urldate = {2020-01-09} } Tweet on DPRK APT groups
APT37
2018-02-20 | FireEye | FireEye
@techreport{fireeye:20180220:apt37:bc54ada, author = {FireEye}, title = {{APT37 (REAPER) The Overlooked North Korean Actor}}, date = {2018-02-20}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf}, language = {English}, urldate = {2021-11-03} } APT37 (REAPER) The Overlooked North Korean Actor
PoorWeb RokRAT APT37
2018-02-20 | FireEye | FireEye
@online{fireeye:20180220:apt37:2ca8466, author = {FireEye}, title = {{APT37 (Reaper): The Overlooked North Korean Actor}}, date = {2018-02-20}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html}, language = {English}, urldate = {2019-12-20} } APT37 (Reaper): The Overlooked North Korean Actor
APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20180116:korea:f462331, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-01-06} } Korea In The Crosshairs
Freenki Loader PoohMilk Loader RokRAT APT37
2018-01-16 | Cisco Talos | Warren Mercer, Paul Rascagnères
@online{mercer:20180116:korea:02f4c3c, author = {Warren Mercer and Paul Rascagnères}, title = {{Korea In The Crosshairs}}, date = {2018-01-16}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html}, language = {English}, urldate = {2020-04-06} } Korea In The Crosshairs
Freenki Loader RokRAT APT37
2017-11-28 | Cisco | Warren Mercer, Paul Rascagnères, Jungsoo An
@online{mercer:20171128:rokrat:dec34fb, author = {Warren Mercer and Paul Rascagnères and Jungsoo An}, title = {{ROKRAT Reloaded}}, date = {2017-11-28}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html}, language = {English}, urldate = {2019-11-22} } ROKRAT Reloaded
RokRAT
2017-10-05 | Palo Alto Networks Unit 42 | Juan Cortes, Esmid Idrizovic
@online{cortes:20171005:freemilk:1c7eb5d, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2020-01-08} } FreeMilk: A Highly Targeted Spear Phishing Campaign
APT37
2017-10-05 | Palo Alto Networks Unit 42 | Juan Cortes, Esmid Idrizovic
@online{cortes:20171005:freemilk:a929f1b, author = {Juan Cortes and Esmid Idrizovic}, title = {{FreeMilk: A Highly Targeted Spear Phishing Campaign}}, date = {2017-10-05}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/}, language = {English}, urldate = {2019-12-20} } FreeMilk: A Highly Targeted Spear Phishing Campaign
Freenki Loader PoohMilk Loader
2017-08-15 | Fortinet | Jasper Manuel
@online{manuel:20170815:quick:ab09ae8, author = {Jasper Manuel}, title = {{A Quick Look at a New KONNI RAT Variant}}, date = {2017-08-15}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant}, language = {English}, urldate = {2020-01-09} } A Quick Look at a New KONNI RAT Variant
Konni
2017-07-06 | Cisco Talos | Paul Rascagnères
@online{rascagnres:20170706:new:b0410c3, author = {Paul Rascagnères}, title = {{New KONNI Campaign References North Korean Missile Capabilities}}, date = {2017-07-06}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html}, language = {English}, urldate = {2020-01-10} } New KONNI Campaign References North Korean Missile Capabilities
Konni
2017-07 | vallejo.cc | vallejocc
@online{vallejocc:201707:analysis:b16e1c3, author = {vallejocc}, title = {{Analysis of new variant of Konni RAT}}, date = {2017-07}, organization = {vallejo.cc}, url = {https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/}, language = {English}, urldate = {2019-07-31} } Analysis of new variant of Konni RAT
Konni
2017-05-03 | Cisco Talos | Paul Rascagnères
@online{rascagnres:20170503:konni:8b039a6, author = {Paul Rascagnères}, title = {{KONNI: A Malware Under The Radar For Years}}, date = {2017-05-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html}, language = {English}, urldate = {2020-01-13} } KONNI: A Malware Under The Radar For Years
Konni
2017-04-03 | Cisco Talos | Warren Mercer, Paul Rascagnères, Matthew Molyett
@online{mercer:20170403:introducing:d17f359, author = {Warren Mercer and Paul Rascagnères and Matthew Molyett}, title = {{Introducing ROKRAT}}, date = {2017-04-03}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/04/introducing-rokrat.html}, language = {English}, urldate = {2020-01-09} } Introducing ROKRAT
RokRAT
2017 | Cisco Talos | Warren Mercer, Paul Rascagnères
@techreport{mercer:2017:introducing:04e2ff1, author = {Warren Mercer and Paul Rascagnères}, title = {{Introducing ROKRAT}}, date = {2017}, institution = {Cisco Talos}, url = {http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf}, language = {English}, urldate = {2019-12-20} } Introducing ROKRAT
RokRAT
2016-06-17 | Threatpost | Michael Mimoso
@online{mimoso:20160617:scarcruft:4b357f7, author = {Michael Mimoso}, title = {{ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks}}, date = {2016-06-17}, organization = {Threatpost}, url = {https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/}, language = {English}, urldate = {2019-10-28} } ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks
APT37
2016-06-17 | Kaspersky Labs | Costin Raiu, Anton Ivanov
@online{raiu:20160617:operation:2dfcedd, author = {Costin Raiu and Anton Ivanov}, title = {{Operation Daybreak}}, date = {2016-06-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-daybreak/75100/}, language = {English}, urldate = {2019-12-20} } Operation Daybreak
StarCruft APT37
2016-06-14 | Kaspersky Labs | Costin Raiu
@online{raiu:20160614:cve20164171:6d0a7c9, author = {Costin Raiu}, title = {{CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks}}, date = {2016-06-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/}, language = {English}, urldate = {2019-12-20} } CVE-2016-4171 – Adobe Flash Zero-day used in targeted attacks
APT37

Credits: MISP Project