APT37 is a North Korean state-sponsored cyber espionage group tracked by the wider community since at least 2012, best known for sustained targeting of South Korean government-adjacent organisations and individuals engaged in DPRK-related affairs. According to the MITRE ATT&CK group entry for APT37 (G0067), the cluster’s footprint extends beyond South Korea and has included targets in parts of Europe, the Middle East and Asia.
Recent public reporting indicates continued investment in tradecraft that blends classic spearphishing and staged malware delivery with more resilient command-and-control patterns, including abuse of legitimate cloud services. Zscaler ThreatLabz’ reporting across 2025–2026 describes APT37 activity using multi-stage loaders and bespoke implants, with an operationally significant emphasis on workflows that can move data and tasking between disconnected network segments.
For defenders, APT37 remains a high-priority monitoring target where personnel, policy, research, journalism, or sensitive operational environments intersect. The group’s repeated use of user-execution chains (shortcuts, scripts, document lures), layered payload staging, and cloud-mediated C2 makes it well-suited to bypass perimeter-only assumptions and to persist through infrastructure churn.
Overview and attribution
Confirmed: MITRE describes APT37 as a North Korean state-sponsored cyber espionage group active since at least 2012, primarily targeting South Korea. MITRE ATT&CK: APT37 (G0067)
Confirmed: Google Cloud’s Mandiant (then FireEye) publicly profiled the actor as APT37 (Reaper) in the context of targeted operations including exploitation of Adobe Flash zero-days. Google Cloud Threat Intelligence: APT37 (Reaper), the overlooked North Korean threat actor
Naming note: “ScarCruft” and “Reaper” are commonly used aliases across vendors. Some reporting also uses additional naming taxonomies. Where naming differs, this profile follows the activity cluster described in the sources above rather than treating every alias as a guaranteed one-to-one match.
Targeting and operational objectives
Public reporting consistently characterises APT37 as an intelligence collection actor aligned to DPRK strategic priorities. Mandiant’s 2018 assessment links APT37’s operations to military, political and economic intelligence requirements. Google Cloud Threat Intelligence: APT37 (Reaper), the overlooked North Korean threat actor
Zscaler ThreatLabz’ 2025 reporting describes APT37 targeting South Korean individuals connected to North Korea-related fields and activism, reinforcing a long-running victimology pattern. Zscaler ThreatLabz: APT37 targets Windows with a Rust backdoor and Python loader
Tradecraft and tooling
APT37’s reporting history shows consistent reliance on staged execution chains, selective deployment of higher-end implants, and use of trusted platforms to blend into normal enterprise traffic.
Initial access patterns
Spearphishing and user execution
APT37 is frequently reported using socially engineered lures to drive user execution and then stage follow-on payloads through scripts and loaders. This is consistent with both MITRE’s technique associations for the group and multiple vendor write-ups describing shortcut, script, and document-driven execution chains. MITRE ATT&CK: APT37 (G0067)
Watering-hole operations
Volexity documented a DPRK-linked cluster it calls InkySquid using a compromised news portal for watering-hole delivery of the BLUELIGHT malware family, noting that the activity broadly corresponds to publicly reported ScarCruft/APT37. Volexity: North Korean APT InkySquid infects victims using browser exploits
Exploitation and vulnerability use
APT37 has historically been associated with targeted exploitation, including use of Adobe Flash zero-days in 2018. Mandiant’s public reporting ties APT37 activity to exploitation of CVE-2018-4878, a Flash use-after-free vulnerability that was exploited in the wild. Mandiant / Google Cloud write-up and NVD entry for CVE-2018-4878
Malware families and capability themes
Surveillance-focused backdoors
ESET’s analysis of the Dolphin backdoor describes a wide-ranging espionage toolset (keylogging, screenshots, credential theft and file theft), deployed selectively after initial compromise, and attributed to ScarCruft. ESET research: ScarCruft’s Dolphin
Evolving loader and implant development
Zscaler ThreatLabz reported APT37 introducing new tooling, including a Rust-based backdoor (“Rustonotto”) alongside other components, reflecting continued development and refresh of its malware ecosystem. Zscaler ThreatLabz: APT37 targets Windows with a Rust backdoor and Python loader
2026 highlight: air-gapped and removable-media operations
A notable recent development is explicit investment in air-gap bridging workflows that pair legitimate cloud services with removable media to relay commands and staged data between Internet-connected systems and segmented or disconnected hosts.
For full detail on this tradecraft, see our related coverage: APT37 “Ruby Jumper” campaign bridges air-gapped networks using USB and a portable Ruby runtime.
ATT&CK mapping
The table below consolidates techniques repeatedly associated with APT37 in the cited reporting, including MITRE’s group entry and vendor campaign analysis.
| Tactic | Technique ID | Technique name | Observed behaviour (from reporting) |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Social engineering to deliver malicious files and launch staged chains (multi-vendor reporting; MITRE association). |
| Execution | T1204.002 | User Execution: Malicious File | Reliance on user-triggered execution (documents, shortcuts, lures) to start the infection chain. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Reported use of script-driven staging and execution in modern APT37 chains. |
| Initial Access | T1189 | Drive-by Compromise | Watering-hole activity reported by Volexity consistent with ScarCruft/APT37 clustering. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Common C2 over HTTP(S), often blended with legitimate web traffic patterns. |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Use of cloud platforms for data movement and C2-like workflows reported in multiple campaigns. |
| Collection | T1056.001 | Input Capture: Keylogging | Reported capability in Dolphin and other surveillance tooling. |
| Collection | T1113 | Screen Capture | Reported capability in Dolphin and related espionage tooling. |
Mitigation recommendations
Reduce user-execution exposure
- Treat LNK, script and macro-adjacent execution chains as high-risk in NK-focused victim sets. Prioritise detections that key off parent-child process lineage (for example, Office or Explorer spawning script hosts and interpreters) rather than only file hashes.
- Use attachment sandboxing and Mark-of-the-Web enforcement where possible, and ensure Protected View and application control policies are actually enforced for high-risk user groups.
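One way to turn the parent-child lineage guidance above into detection logic, written here as an added example (not code from any cited vendor report) over constructed Sysmon-style process-creation events; the parent and child process sets and the risky-argument fragments are assumptions to tune per estate:

```python
"""Detection sketch for the user-execution chains described above: an Office
application or Explorer spawning a script host or interpreter. Added example;
the process lists are assumptions to tune per estate and the telemetry below is
constructed Sysmon-style process-creation data, not from any cited report."""
from __future__ import annotations
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}
SHELL_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "ruby.exe"}
# Command-line fragments that raise severity regardless of parent (assumption).
RISKY_ARGS = ("-enc", "-encodedcommand", "-w hidden", "downloadstring", "iex(", "bypass")

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity 'none' means the lineage is not of interest."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent not in OFFICE_PARENTS | SHELL_PARENTS or child not in SCRIPT_HOSTS | SHELLS:
        return "none", []
    reasons = [f"{parent} spawned {child}"]
    hits = [a for a in RISKY_ARGS if a in ev.command_line.lower()]
    if hits:
        reasons.append("risky arguments: " + ", ".join(hits))
    if parent in OFFICE_PARENTS or hits:
        return "high", reasons    # documents should never spawn interpreters
    if child in SCRIPT_HOSTS:
        return "medium", reasons  # users rarely launch wscript/mshta by hand
    return "low", reasons         # explorer -> cmd/powershell is mostly admin noise

# Constructed sample telemetry (not real victim data).
SAMPLE = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc AAAAAAAA"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\report.pdf.js"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\conhost.exe", "conhost"),
]
```

The three severity tiers separate a document spawning PowerShell (always worth a look) from Explorer launching a script host (suspicious) and from Explorer launching cmd.exe (usually an administrator), which is what keeps a lineage rule usable in a busy estate.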
Harden browser and client attack surface
- Maintain aggressive patch SLAs for browsers, scripting engines, and document handlers. APT37’s historical association with targeted exploitation, including CVE-2018-4878, reinforces the need to prioritise exploit-class bug categories.
Constrain cloud service abuse
- Baseline sanctioned cloud storage usage and alert on unusual OAuth token flows, atypical client IDs, and endpoints invoking cloud APIs from non-standard processes. Where cloud services are not required, restrict access at egress and via identity controls.
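A baseline-and-deviation check of the kind recommended above, added here as an illustrative example rather than code from any cited report; the watched cloud hosts, the sanctioned client baseline and the connection events are all assumptions constructed for the example:

```python
"""Baseline-and-deviation check for the cloud-service abuse discussed above: which
processes may reach which cloud storage APIs. Added example; host set and baseline
are assumptions, not an estate's real sanctioned list; events below are constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

CLOUD_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "graph.microsoft.com",
               "www.googleapis.com", "api.pcloud.com", "api.box.com"}
# Sanctioned client -> hosts it is expected to contact (assumption: from baselining).
BASELINE = {"onedrive.exe": {"graph.microsoft.com"},
            "dropbox.exe": {"api.dropboxapi.com", "content.dropboxapi.com"},
            "chrome.exe": CLOUD_HOSTS, "msedge.exe": CLOUD_HOSTS}
# Interpreters and LOLBins that have no business acting as cloud API clients.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "python.exe", "ruby.exe", "curl.exe", "certutil.exe"}

@dataclass
class NetEvent:
    image: str       # basename of the process that opened the connection
    dest_host: str

def classify(ev: NetEvent) -> str:
    """'not_cloud', 'ok', 'interpreter_cloud_egress' or 'unsanctioned_process'."""
    image, host = ev.image.lower(), ev.dest_host.lower()
    if host not in CLOUD_HOSTS:
        return "not_cloud"
    if image in INTERPRETERS:
        return "interpreter_cloud_egress"   # script host talking to a cloud API
    if host in BASELINE.get(image, set()):
        return "ok"
    return "unsanctioned_process"            # unknown binary using a watched cloud API

def summarise(events: list[NetEvent]) -> dict[str, Counter]:
    """Flagged events grouped by verdict, counted per (image, host) for triage."""
    out: dict[str, Counter] = {}
    for ev in events:
        verdict = classify(ev)
        if verdict not in ("ok", "not_cloud"):
            out.setdefault(verdict, Counter())[(ev.image.lower(), ev.dest_host.lower())] += 1
    return out

# Constructed sample connection events (not from any report).
SAMPLE = [NetEvent("OneDrive.exe", "graph.microsoft.com"),
          NetEvent("chrome.exe", "api.pcloud.com"),
          NetEvent("powershell.exe", "api.pcloud.com"),
          NetEvent("powershell.exe", "api.pcloud.com"),
          NetEvent("updater.exe", "api.dropboxapi.com"),
          NetEvent("chrome.exe", "example.com")]
```

Feeding the same verdicts into the egress proxy or identity layer gives the restriction half of the recommendation: anything that never appears in the baseline has no reason to be allowed out.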
Tighten removable media controls
- For environments relying on segmentation or air-gaps, implement strict USB device control (allow-lists, managed encrypted media, and logging), and consider transfer-station workflows for any data crossing trust boundaries. The Ruby Jumper reporting is a practical case study in why segmentation alone is not a complete control. Ruby Jumper coverage
Further reading
- MITRE ATT&CK: APT37 (G0067)
- Google Cloud Threat Intelligence: APT37 (Reaper), the overlooked North Korean threat actor
- Volexity: North Korean APT InkySquid infects victims using browser exploits
- ESET research: ScarCruft’s Dolphin
- Zscaler ThreatLabz: APT37 targets Windows with a Rust backdoor and Python loader
