Security is Everyone's Job

APT 37

APT 37 is a cyber espionage group that is believed to be sponsored by the North Korean government.

The group has been active since at least 2012, and has targeted various countries and industries, mainly in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

The group’s main objectives are to gather intelligence and conduct sabotage operations on behalf of North Korea’s interests

The group’s location is not publicly known, but it is likely that they operate from within North Korea or from neighboring countries that have diplomatic ties with North Korea, such as China or Russia.


Operation Daybreak: A series of attacks in 2016 that exploited a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean victims, including government, media, and military organizations

Operation Erebus: A ransomware attack in 2017 that targeted South Korean web hosting company Nayana, encrypting the data of over 3,400 websites and demanding a ransom of $1.62 million

Golden Time: A campaign in 2017 that used spear phishing emails and malicious attachments to target South Korean cryptocurrency exchanges and users, stealing millions of dollars worth of digital currencies

Evil New Year: A campaign in 2018 that used a new variant of the ROKRAT malware to target South Korean government and military personnel, as well as defectors and human rights activists. The malware was capable of stealing files, taking screenshots, recording audio, and executing commands

Attack methods

Social engineering: The group uses tailored phishing emails and strategic web compromises to lure victims into clicking on malicious links or opening malicious attachments. The group also uses torrent file-sharing sites to distribute malware more indiscriminately

Exploitation: The group exploits vulnerabilities in popular software, such as Adobe Flash Player, Hangul Word Processor, and Microsoft Office, to deliver malware to victims. The group has access to zero-day vulnerabilities, which are unknown to the public and the vendors, and can incorporate them into their operations quickly

Malware: The group uses a variety of custom and off-the-shelf malware for initial infection and exfiltration. Some of their malware families include RICECURRY, DOGCALL, ZUMKONG, SOUNDWAVE, and RUHAPPY. The group also has access to destructive malware, such as HARDRAIN and SHUTTERSPEED, which can overwrite the Master Boot Record (MBR) of a machine and render it unusable

Command and control: The group uses compromised servers, messaging platforms, and cloud service providers to communicate with their malware and avoid detection. The group has shown increasing sophistication by improving their operational security over time, such as using encryption, proxies, and domain generation algorithms