Home/ Threat Actors/ APT37

🇰🇵APT37

🇰🇵 APT37 is a tracked threat actor in the Clankerusecase corpus. Attributed to KP. Primary motivation: State. We map 26 detection use cases to this actor across 128 MITRE ATT&CK techniques, with 6 threat-intel articles citing them. Active in our corpus from 2025-10-23 to 2026-05-28.

crit 6

View full actor card → All threat actors MITRE ATT&CK group spec (G0067) ↗

26Use cases

6Articles

128Techniques

41IOCs

Known aliases

APT37ScarCruftReaperInkySquidRicochet ChollimaGroup123TEMP.Reaper

Top techniques

T1204.002 · Malicious File T1195.002 · Compromise Software Supply Chain T1071.001 · Web Protocols

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1005 · Data from Local System T1020 · Automated Exfiltration T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1021.007 · Cloud Services T1027 · Obfuscated Files or Information T1027.003 · Steganography T1027.007 · Dynamic API Resolution T1027.009 · Embedded Payloads T1027.013 · Encrypted/Encoded File T1033 · System Owner/User Discovery T1036.001 · Invalid Code Signature T1036.005 · Match Legitimate Resource Name or Location T1041 · Exfiltration Over C2 Channel T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1053.005 · Scheduled Task T1055 · Process Injection T1055.001 · Dynamic-link Library Injection T1056.001 · Keylogging T1057 · Process Discovery T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.006 · Python T1059.007 · JavaScript T1060 · T1060 T1070.004 · File Deletion T1070.006 · Timestomp T1071 · Application Layer Protocol T1071.004 · DNS T1074.001 · Local Data Staging T1074.002 · Remote Data Staging T1078.004 · Cloud Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1090 · Proxy T1090.001 · Internal Proxy T1090.002 · External Proxy T1090.003 · Multi-hop Proxy T1102 · Web Service T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1106 · Native API T1112 · Modify Registry T1113 · Screen Capture T1115 · Clipboard Data T1119 · Automated Collection T1120 · Peripheral Device Discovery T1123 · Audio Capture T1125 · Video Capture T1129 · Shared Modules T1132.001 · Standard Encoding T1134.002 · Create Process with Token T1140 · Deobfuscate/Decode Files or Information T1189 · Drive-by Compromise T1190 · Exploit Public-Facing Application T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.004 · Malicious Copy and Paste T1218 · System Binary Proxy Execution T1218.011 · Rundll32 T1219 · Remote Access Tools T1406 · T1406 T1407 · T1407 T1420 · T1420 T1422 · T1422 T1426 · T1426 T1429 · T1429 T1430 · T1430 T1437.001 · T1437.001 T1474.003 · T1474.003 T1480.001 · Environmental Keying T1481.002 · T1481.002 T1486 · Data Encrypted for Impact T1497 · Virtualization/Sandbox Evasion T1513 · T1513 T1529 · System Shutdown/Reboot T1532 · T1532 T1533 · T1533 T1541 · T1541 T1546.016 · Installer Packages T1547.001 · Registry Run Keys / Startup Folder T1548.002 · Bypass User Account Control T1550.001 · Application Access Token T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1559.002 · Dynamic Data Exchange T1560 · Archive Collected Data T1561.002 · Disk Structure Wipe T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1568.002 · Domain Generation Algorithms T1569.002 · Service Execution T1572 · Protocol Tunneling T1573.001 · Symmetric Cryptography T1573.002 · Asymmetric Cryptography T1574.001 · DLL T1574.002 · T1574.002 T1583 · Acquire Infrastructure T1583.001 · Domains T1583.003 · Virtual Private Server T1583.004 · Server T1584.004 · Server T1584.006 · Web Services T1585.003 · Cloud Accounts T1587.001 · Malware T1588.002 · Tool T1588.006 · Vulnerabilities T1595.002 · Vulnerability Scanning T1595.003 · Wordlist Scanning T1608 · Stage Capabilities T1608.001 · Upload Malware T1608.002 · Upload Tool T1620 · Reflective Code Loading T1636.002 · T1636.002 T1636.003 · T1636.003 T1636.004 · T1636.004 T1643 · T1643 T1646 · T1646

Detection use cases (26)

APT37 (ScarCruft) ROKRAT cloud C2 — non-browser process talking to pCloud/Yandex/Dropbox/Box APIs AI · profile SΣDD APT37 Hancom HWP/HOffice spawning script interpreters — ScarCruft Korean-lure spearphishing chain AI · profile SΣDD Trojanized axios npm package postinstall: node.exe spawned from plain-crypto-js dependency Bespoke axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging Bespoke axios RAT C2 callout to sfrclak.com / 142.11.206.73:8000 Bespoke Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal Trusted vendor binary / installer launching unusual children Internal EchoCreep Discord API beacon from non-browser process (Webworm 2025) Bespoke GraphWorm OneDrive /createUploadSession C2 from non-Office process Bespoke Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match

Threat-intel articles (6)

crit ESET APT Activity Report Q4 2025–Q1 2026 · 2026-05-28

crit Webworm: New burrowing techniques · 2026-05-20

crit FrostyNeighbor: Fresh mischief and digital shenanigans · 2026-05-14

crit Fake call logs, real payments: How CallPhantom tricks Android users · 2026-05-07

crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack · 2026-05-05

crit Gotta fly: Lazarus targets the UAV sector · 2025-10-23

Tracked indicators

Domains (22)

anvil.org.ph bandarpowder.com book-happy.needbinding.i coralsunmarine.com ecudecode.mx galaterrace.com github.com/anjsdgasdf/Wo kazitradebd.com mediostresbarbas.com.ar mnmathleague.org nama-belakang.nebao.icu nebao.icu needbinding.icu oldlinewoodwork.com partnerls.pl pierregems.com scgestor.com.br spaincaramoon.com sqgame.com.cn sqgame.net trainingpharmacist.co.uk xiazai.sqgame.com.cn

IP addresses (19)

104.21.80.1 104.243.23.43 104.247.162.67 108.181.92.71 108.61.200.151 144.168.60.233 152.42.239.211 172.67.193.139 185.148.129.24 193.39.187.165 23.111.133.162 45.148.29.122 45.77.13.67 64.176.85.158 66.29.144.75 70.32.24.131 75.102.23.3 77.55.252.111 95.217.119.214

CVEs (3)

CVE-2017-7692 CVE-2023-38831 CVE-2024-42009